Solved

need help with wireshark

Posted on 2014-04-15
Last Modified: 2014-05-12
Hi Experts,

I have to run a scan for Fortinet.
Now I have seen millions of broadcast queries on the network.
Most of them come directly from one machine.
Can you help me read and understand the content of it?
Why does this source MAC make so many ARP requests?
See the picture.
Attachment: Broadcast-Storm.JPG
Question by:Eprs_Admin
16 Comments
 
LVL 33

Expert Comment

by:Dave Howe
ID: 40001297
Usually? It isn't. The usual cause of a broadcast storm is a routing loop at layer 2, i.e. switches hooked into each other so that there is more than one path between two routers, so broadcast traffic goes around and around...

Many switches detect and block that (aka "spanning tree"), except when there is a VMware vSwitch between them (which can route the traffic but blocks the packets that loop detection relies on).

Check your architecture to see if you have a routing loop.

Author Comment

by:Eprs_Admin
ID: 40001381
OK, we found out, because we checked the MAC addresses.
Two machines are causing this broadcast storm.
When we disconnect one machine, the broadcast storm ends.

What can it be on the machine?
It is a laptop.
LVL 57

Expert Comment

by:giltjr
ID: 40001494
You need to see what type of packets it is sending.

The one sample you gave was an ARP. The host that sent it was trying to find out the MAC address for an IP host. Sending ARPs is normal, and ARPs are broadcasts.

Does his machine talk to a lot of hosts?

Does his machine do any type of network scanning?

Does his machine constantly send out ARPs, or does it send out a bunch and then do nothing for a while, then send out a bunch more?

Author Comment

by:Eprs_Admin
ID: 40001646
This machine sends out ARP requests permanently.
This machine tries to ask each subnet, also subnets which are not configured and not used.
No network scanner is installed or used.
What else can it be?
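The questions raised above (which kind of ARP frames, how many distinct targets, which subnets, constant or bursty, and whether this is a layer-2 loop replaying frames or one host sweeping addresses) can all be answered from the capture itself. The following Python is an added example written for this page, not code posted by anyone in the thread. It parses raw Ethernet II/ARP frames (the same fields Wireshark's ARP dissector shows) and aggregates per source MAC. The frames, MAC addresses, IP ranges and the thresholds in `analyse()` are constructed assumptions for illustration; on a real capture you would feed it `(timestamp, frame_bytes)` pairs from a pcap reader.

```python
"""Classify an ARP broadcast storm from raw Ethernet frames.

Added example, not code from the original thread.  Per source MAC it
reports how many who-has requests were sent, whether they are exact
replays of one frame (a layer-2 loop) or distinct targets (one host
sweeping), which /24 subnets are probed, and whether sending is
constant or bursty.  All sample frames, MACs and IPs are constructed.
"""
import struct
from collections import Counter, defaultdict

ETHERTYPE_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_arp_frame(frame):
    """Return the ARP fields of an Ethernet II ARP-over-IPv4 frame, else None."""
    if len(frame) < 42:
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"dst": mac_str(dst), "src": mac_str(src), "op": op,
            "sha": mac_str(sha), "spa": ".".join(map(str, spa)),
            "tha": mac_str(tha), "tpa": ".".join(map(str, tpa))}


def build_arp_request(src_mac, src_ip, target_ip):
    """Build a broadcast who-has frame (only used to construct sample data)."""
    sha = bytes.fromhex(src_mac.replace(":", ""))
    spa = bytes(int(o) for o in src_ip.split("."))
    tpa = bytes(int(o) for o in target_ip.split("."))
    eth = struct.pack("!6s6sH", b"\xff" * 6, sha, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1, sha, spa, b"\x00" * 6, tpa)
    return eth + arp


def analyse(capture, burst_gap=1.0, sweep_targets=50):
    """capture: iterable of (timestamp_seconds, frame_bytes).

    Thresholds are illustrative assumptions: more than half duplicates ->
    'loop-replay'; more than sweep_targets distinct targets or more than
    one /24 -> 'subnet-sweep'; otherwise 'normal'.
    """
    per_src = defaultdict(lambda: {"n": 0, "dup": 0, "targets": set(),
                                   "subnets": Counter(), "times": [], "seen": set()})
    for ts, frame in capture:
        arp = parse_arp_frame(frame)
        if arp is None or arp["op"] != 1 or arp["dst"] != BROADCAST:
            continue  # only broadcast ARP requests (who-has) are counted
        s = per_src[arp["src"]]
        s["n"] += 1
        s["times"].append(ts)
        s["dup"] += frame in s["seen"]  # byte-identical replay of an earlier frame
        s["seen"].add(frame)
        s["targets"].add(arp["tpa"])
        s["subnets"][arp["tpa"].rsplit(".", 1)[0] + ".0/24"] += 1

    report = {}
    for src, s in per_src.items():
        t = sorted(s["times"])
        # a new burst starts whenever the host is quiet for longer than burst_gap
        bursts = 1 + sum(1 for a, b in zip(t, t[1:]) if b - a > burst_gap)
        if s["dup"] / s["n"] > 0.5:
            verdict = "loop-replay"
        elif len(s["targets"]) > sweep_targets or len(s["subnets"]) > 1:
            verdict = "subnet-sweep"
        else:
            verdict = "normal"
        report[src] = {"requests": s["n"], "duplicates": s["dup"],
                       "targets": len(s["targets"]), "subnets": dict(s["subnets"]),
                       "bursts": bursts, "verdict": verdict}
    return report


def sample_capture():
    """Constructed capture: a laptop walking 192.168.1.0/24 and then an
    unused 10.99.0.0/24 in two bursts, one host resolving its gateway,
    and one frame replayed 40 times as a layer-2 loop would do."""
    cap, laptop, t = [], "00:11:22:33:44:55", 0.0
    for host in range(1, 255):
        cap.append((t, build_arp_request(laptop, "192.168.1.10", f"192.168.1.{host}")))
        t += 0.01
    t += 5.0
    for host in range(1, 255):
        cap.append((t, build_arp_request(laptop, "192.168.1.10", f"10.99.0.{host}")))
        t += 0.01
    cap.append((1.0, build_arp_request("aa:bb:cc:dd:ee:01", "192.168.1.20", "192.168.1.1")))
    looped = build_arp_request("aa:bb:cc:dd:ee:02", "192.168.1.30", "192.168.1.1")
    cap.extend((2.0 + i * 0.001, looped) for i in range(40))
    return cap


if __name__ == "__main__":
    for src, r in sorted(analyse(sample_capture()).items()):
        print(src, r["verdict"], r)
```

A layer-2 loop replays byte-identical frames (high duplicate ratio, normally from several source MACs at once), whereas the pattern described in this thread, one MAC walking .1 through .254 across subnets that are not even configured, shows up as many distinct target IPs and more than one /24 from a single source. In Wireshark the display filter `arp.opcode == 1 && eth.src == 00:11:22:33:44:55` selects the same frames that `analyse()` attributes to that MAC, and Statistics > Conversations (Ethernet tab) gives the per-MAC frame counts without any scripting.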
LVL 57

Expert Comment

by:giltjr
ID: 40001672
A virus/worm.

Author Comment

by:Eprs_Admin
ID: 40001683
We have scanned with 3 different anti-virus and rootkit scanners.
There is nothing on it.

Why is this NIC sending so many ARP requests?
LVL 33

Expert Comment

by:Dave Howe
ID: 40001739
try running Microsoft Network Monitor and/or ProcMon
LVL 57

Expert Comment

by:giltjr
ID: 40001748
What operating system is the laptop running?

Author Comment

by:Eprs_Admin
ID: 40001805
The OS is WIN7
LVL 25

Expert Comment

by:Fred Marshall
ID: 40002152
"We have scanned with 3 different anti-virus and rootkit scanners."
OK
"There is nothing on it."
Really, this conclusion should be:
None of the ones we used found anything.

I suggest you try some others. I have cleaned machines where the 6th scanner found what needed to be found. At the same time, the first 5 were well-respected tools that I use most often. NONE of them are perfect.
LVL 57

Expert Comment

by:giltjr
ID: 40002358
If you did not, I would also use something that you have to boot from CD or thumb drive. Running a scanner under Windows, even in "safe" mode, does not always work.

Is there any other suspicious traffic, other than the ARPs, coming from his computer? I would assume anything (virus or valid tool) that is sending out ARPs would want to use the results of those ARPs to do or look for something else.

Author Comment

by:Eprs_Admin
ID: 40043823
thanks
LVL 25

Assisted Solution

by:Fred Marshall
Fred Marshall earned 333 total points
ID: 40044809
HitmanPro is a pretty good tool that can boot from a USB flash drive. It's made to get things before they can start.
LVL 57

Assisted Solution

by:giltjr
giltjr earned 167 total points
ID: 40045084
I have used both:

Kaspersky Rescue Disk
F-Secure Rescue CD

If you have wired Internet access most of these will download the latest pattern files to scan with.

Author Comment

by:Eprs_Admin
ID: 40046951
I know HitmanPro, but not the boot version.
Where can I find it?
LVL 25

Accepted Solution

by:Fred Marshall
Fred Marshall earned 333 total points
ID: 40047257
You install HitmanPro on a computer, and there is a little running-man icon at the bottom of the window (at least I think that's the control you need). Anyway, there's a utility in the program to write a boot version onto a USB flash drive. It's very nicely packaged that way.

Then, when you boot the computer, just make sure that booting from a USB flash drive is possible. Usually there's a boot menu that will allow you to select it without changing BIOS settings. HitmanPro gives you 3 choices for the mode it works in. #1 is "best", #2 is, well, #2, and #3 is the last resort. In some or all of these cases it looks like Windows is booting thereafter, but don't be alarmed. When it starts to get going, HitmanPro starts up.
I've seen quite a few cases where #1 didn't work and I still got good results.