I am on Linux Mint. I was also using Squid proxy. So I had been using a wired connection through the LAN port to connect to the internet. Several times I had noted two MAC addresses showing up on the same IP address using:
arp -a
So no doubt I was under attack, at least ARP spoofing. My question is regarding an incident where I was on a very important Webex meeting through my Android mobile. The connection sequence was the following: LAN (30 Mbps) > Laptop > Hotspot > Mobile. So during the Webex meeting, as soon as I turned my video on, it immediately turned off. I tried several times. The other person in the meeting also complained that my sound was not clear. Otherwise, when I attended the same Webex meeting another time through the same connection there was no such problem. Even on a slower 4G network things worked well. So just after the meeting I kept the mobile connected and started Wireshark to capture traffic.
I found several Dup ACKs, TCP ACKed unseen segment, malformed packets, suspected retransmissions, RST in TCP, malformed packets in IPX, and illegal character found in header name (HTTP). A few are below:
tcp.seq eq 2422
11337 2022-02-04 12:06:10.684662778 Gateway.local www3.l.google.com TCP 68 42106 → https(443) [ACK] Seq=2422 Ack=39032 Win=119296 Len=0 TSval=2910797158 TSecr=1576833926
11340 2022-02-04 12:06:10.899973194 Gateway.local www3.l.google.com TCP 80 [TCP Dup ACK 11337#1] 42106 → https(443) [ACK] Seq=2422 Ack=39032 Win=119296 Len=0 TSval=2910797374 TSecr=1576834186 SLE=38993 SRE=39032
11680 2022-02-04 12:07:09.592393168 Gateway.local www3.l.google.com TLSv1.3 107 Application Data
Also
tcp.seq eq 1
172 2022-02-04 12:02:27.716646107 Gateway.local Gateway.local TCP 68 49028 → ndl-aas(3128) [ACK] Seq=1 Ack=1 Win=2769 Len=0 TSval=2006993776 TSecr=2006948421
173 2022-02-04 12:02:27.716675844 Gateway.local Gateway.local TCP 68 [TCP ACKed unseen segment] ndl-aas(3128) → 49028 [ACK] Seq=1 Ack=2 Win=3637 Len=0 TSval=2006993776 TSecr=2006948380
1535 2022-02-04 12:03:12.772644810 Gateway.local Gateway.local TCP 68 [TCP Dup ACK 172#1] 49028 → ndl-aas(3128) [ACK] Seq=1 Ack=1 Win=2769 Len=0 TSval=2007038831 TSecr=2006993776
1536 2022-02-04 12:03:12.772678417 Gateway.local Gateway.local TCP 68 [TCP Dup ACK 173#1] [TCP ACKed unseen segment] ndl-aas(3128) → 49028 [ACK] Seq=1 Ack=2 Win=3637 Len=0 TSval=2007038831 TSecr=2006948380
1697 2022-02-04 12:03:57.828673653 Gateway.local Gateway.local TCP 68 [TCP Dup ACK 172#2] 49028 → ndl-aas(3128) [ACK] Seq=1 Ack=1 Win=2769 Len=0 TSval=2007083886 TSecr=2007038831
1698 2022-02-04 12:03:57.828714854 Gateway.local Gateway.local TCP 68 [TCP Dup ACK 173#2] [TCP ACKed unseen segment] ndl-aas(3128) → 49028 [ACK] Seq=1 Ack=2 Win=3637 Len=0 TSval=2007083886 TSecr=2006948380
2606 2022-02-04 12:04:33.875741906 Gateway.local Gateway.local TCP 4401 [TCP Previous segment not captured] 49028 → ndl-aas(3128) [PSH, ACK] Seq=2 Ack=1 Win=2769 Len=4333 TSval=2007119932 TSecr=2007083886
2607 2022-02-04 12:04:33.875775071 Gateway.local Gateway.local TCP 68 [TCP ACKed unseen segment] ndl-aas(3128) → 49028 [ACK] Seq=1 Ack=4335 Win=3637 Len=0 TSval=2007119932 TSecr=2007119932
Illegal Character found in header name
2693 2022-02-04 12:04:34.507851731 Gateway.local Gateway.local TCP 1486 ndl-aas(3128) → 49028 [PSH, ACK] Seq=19495 Ack=9906 Win=3637 Len=1418 TSval=2007120564 TSecr=2007120556
Hypertext Transfer Protocol
[truncated]h��2�G$$\023\177}BK�j\036U��b�jeg�3?�F��\032��\b��<9_�\006��n3�ɟ#�\005�p�+�/���\031�/�wFv3\000�xH���ۣ�8m��h\\016I�q_�8\f~�\027}T��-�4�\U000E
[Expert Info (Warning/Protocol): Illegal characters found in header name]
[Illegal characters found in header name]
[Severity level: Warning]
[Group: Protocol]
Data (518 bytes)
Data: 1593557f7f2b153d74788d9babc36b71d22bc5dff873058009c9afed58a279eab34f72fb…
Text [truncated]: \025�U\177\177+\025=tx����kq�+���s\005�\t���X�y��Or�[�\002��^L\025�jPu�}.9\037��W�?��P\toM���J�\001��=O\f,-��Ld������ML�(v��nI$�\0
[Length: 518]
[1 bytes missing in capture file].............?.WVf}.!...}q.d<...:..y.=N...b37..%t8.....p$r!...L].[........~.......j..v;
I want to know if it is a signature of a man-in-the-middle attack, and what I should check further. Please also suggest a source that can help me dig deeper.
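A first triage step for the capture quoted above, as an added example that is not part of the original question: separate conversations whose two endpoints are the same host from those that actually crossed the LAN. In the question, the port-3128 (Squid) traffic is between Gateway.local and Gateway.local, i.e. the laptop talking to its own proxy over loopback, and packets that never leave the NIC cannot be altered by ARP spoofing on the wire; "ACKed unseen segment" and "Previous segment not captured" on such a flow are also commonly a sign that the capture itself missed packets rather than that anyone injected any. The script below parses one-line summaries in the format shown in the question (four lines copied from it, two constructed), buckets them by endpoint pair, and counts Wireshark's "[TCP ...]" expert annotations per bucket. The regexes and the summary-line layout are assumptions about the format as pasted, not a Wireshark API.

```python
import re
from collections import Counter

# One-line-per-packet summaries: number, date, time, source, destination,
# protocol, length, info.  The first four lines are copied from the question;
# the last two are constructed to add an external conversation and a line
# that carries no expert annotation.
SAMPLE_SUMMARY = """\
172 2022-02-04 12:02:27.716646107 Gateway.local Gateway.local TCP 68 49028 → ndl-aas(3128) [ACK] Seq=1 Ack=1 Win=2769 Len=0
173 2022-02-04 12:02:27.716675844 Gateway.local Gateway.local TCP 68 [TCP ACKed unseen segment] ndl-aas(3128) → 49028 [ACK] Seq=1 Ack=2 Win=3637 Len=0
1535 2022-02-04 12:03:12.772644810 Gateway.local Gateway.local TCP 68 [TCP Dup ACK 172#1] 49028 → ndl-aas(3128) [ACK] Seq=1 Ack=1 Win=2769 Len=0
2607 2022-02-04 12:04:33.875775071 Gateway.local Gateway.local TCP 68 [TCP ACKed unseen segment] ndl-aas(3128) → 49028 [ACK] Seq=1 Ack=4335 Win=3637 Len=0
11340 2022-02-04 12:06:10.899973194 Gateway.local www3.l.google.com TCP 80 [TCP Dup ACK 11337#1] 42106 → https(443) [ACK] Seq=2422 Ack=39032 Win=119296 Len=0
11680 2022-02-04 12:07:09.592393168 Gateway.local www3.l.google.com TLSv1.3 107 Application Data
"""

# Assumed layout of the pasted summary line (fields separated by single spaces).
SUMMARY_LINE = re.compile(
    r"^(?P<no>\d+) (?P<date>\S+) (?P<time>\S+) (?P<src>\S+) (?P<dst>\S+) "
    r"(?P<proto>\S+) (?P<length>\d+) (?P<info>.*)$"
)
# Expert annotations look like "[TCP Dup ACK 172#1]" or "[TCP ACKed unseen
# segment]"; plain TCP flag sets such as "[ACK]" do not start with "TCP ".
# The optional "NNN#N" back-reference is dropped so identical tags aggregate.
EXPERT_TAG = re.compile(r"\[TCP ([A-Za-z ]+?)(?: \d+#\d+)?\]")


def parse_summary(text):
    """Return one dict per parseable summary line."""
    rows = []
    for line in text.splitlines():
        m = SUMMARY_LINE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def conversation_key(row):
    """Unordered endpoint pair, so both directions land in the same bucket."""
    return tuple(sorted((row["src"], row["dst"])))


def triage(text):
    """Per endpoint pair: whether the traffic ever left the host, a packet
    count, and a Counter of Wireshark expert tags seen on that pair."""
    report = {}
    for row in parse_summary(text):
        key = conversation_key(row)
        entry = report.setdefault(
            key, {"on_wire": key[0] != key[1], "packets": 0, "tags": Counter()}
        )
        entry["packets"] += 1
        entry["tags"].update(EXPERT_TAG.findall(row["info"]))
    return report


if __name__ == "__main__":
    for (a, b), entry in triage(SAMPLE_SUMMARY).items():
        where = "on the wire" if entry["on_wire"] else "host-local (never on the wire)"
        print(f"{a} <-> {b}: {entry['packets']} packets, {where}")
        for tag, n in entry["tags"].most_common():
            print(f"    {n}x {tag}")
```

To run it over a real capture, export the packet list from Wireshark as plain text, or produce the same columns with `tshark -r file.pcapng` and adapt `SUMMARY_LINE` to the exact column set you get; the useful output is the "on_wire" split, because only the on-wire buckets are candidates for anything an ARP spoofer on the LAN could have touched.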
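The ARP check mentioned at the top of the question, written out as an added example (not the poster's code): take a snapshot of `arp -a` when the network is believed clean, take another later, and flag two things that actually indicate ARP spoofing rather than noise. Within one snapshot, a single MAC answering for more than one IP (typically the gateway's IP and some other host's) is the classic symptom of an attacker poisoning the cache; across snapshots, the gateway's IP silently changing MAC is the other. The sample output, hostnames, IPs and MACs are constructed for this example, and the line format assumed is Linux net-tools `arp -a` (`host (ip) at mac [ether] on dev`).

```python
import re
from collections import defaultdict

# Constructed `arp -a` output in Linux net-tools format; every host, IP and MAC
# below is made up for this example.  "Baseline" is a snapshot taken when the
# network was believed clean.
BASELINE_ARP_A = """\
gateway.local (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0
printer.local (192.168.1.20) at 0a:0b:0c:0d:0e:0f [ether] on eth0
laptop2.local (192.168.1.30) at aa:bb:cc:dd:ee:ff [ether] on eth0
"""

# A later snapshot: the gateway's IP now maps to the MAC that laptop2 owns,
# i.e. one MAC answering for two IPs, and the gateway's MAC changed.
LATER_ARP_A = """\
gateway.local (192.168.1.1) at aa:bb:cc:dd:ee:ff [ether] on eth0
printer.local (192.168.1.20) at 0a:0b:0c:0d:0e:0f [ether] on eth0
laptop2.local (192.168.1.30) at aa:bb:cc:dd:ee:ff [ether] on eth0
? (192.168.1.40) at <incomplete> on eth0
"""

# Assumed net-tools line: "<host> (<ip>) at <mac|<incomplete>> [ether] on <dev>"
ARP_LINE = re.compile(r"^\S+ \((?P<ip>[\d.]+)\) at (?P<mac>\S+)")


def parse_arp_a(text):
    """Return {ip: mac} for resolved entries; '<incomplete>' rows are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m and m.group("mac") != "<incomplete>":
            table[m.group("ip")] = m.group("mac").lower()
    return table


def find_mac_reuse(table):
    """MACs that claim more than one IP in a single snapshot -> {mac: [ips]}."""
    owners = defaultdict(list)
    for ip, mac in table.items():
        owners[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in owners.items() if len(ips) > 1}


def find_mac_changes(baseline, current):
    """IPs present in both snapshots whose MAC differs -> {ip: (old, new)}."""
    return {
        ip: (baseline[ip], current[ip])
        for ip in baseline
        if ip in current and baseline[ip] != current[ip]
    }


if __name__ == "__main__":
    base, now = parse_arp_a(BASELINE_ARP_A), parse_arp_a(LATER_ARP_A)
    for mac, ips in find_mac_reuse(now).items():
        print(f"MAC {mac} answers for several IPs: {', '.join(ips)}")
    for ip, (old, new) in find_mac_changes(base, now).items():
        print(f"{ip} changed from {old} to {new} since baseline")
```

Against the live machine, replace the two constants with `subprocess.check_output(["arp", "-a"], text=True)` taken at two different times. Both checks also fire for benign reasons (a replaced router, a DHCP lease moving between devices, a NIC with several IPs), so confirm the gateway's real MAC from the router's own admin page or label before concluding spoofing; a MAC that turns out to belong to another client on the LAN is the finding that matters.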