• Status: Solved

wireshark - 0.0.0.0 as destination

I am looking at the conversations statistics and I have many conversations from an IP address to 0.0.0.0. What kind of traffic is that? I don't think it is multicast.

Asked: leblanc
5 Solutions
 
Don Johnston (Instructor) Commented:
Sometimes referred to as a "Martian" destination.  It's basically an illegal destination address.

leblanc (Accounting, Author) Commented:
This is the TCP conversations and it is 120 bytes for each packet. Could it be a potential network performance problem? Thx

Don Johnston (Instructor) Commented:
That would depend on how many packets there are.

What device are these packets coming from?  I would focus on that and eliminating them at the source.

UnHeardOf Commented:
You would see that when a client first connects to the network and tries to obtain a DHCP address. The client doesn't have an IP address yet, so it would come up as 0.0.0.0 and the destination would be 255.255.255.255 (broadcast address) in an attempt to find a DHCP server. What is the destination port that the 0.0.0.0 is trying to communicate to? The source port is random so you would be interested in the destination port.

leblanc (Accounting, Author) Commented:
I was thinking of DHCP. But the source is 192.168.1.120 and the destination is 0.0.0.0 on port 2001.

Don Johnston (Instructor) Commented:
UDP port 2001 is used by CAPTAN, a data acquisition and control protocol.

That it is using 0.0.0.0 as a destination could indicate that the device sending out these packets hasn't been correctly configured.

UnHeardOf Commented:
What type of device is 192.168.1.120? Windows Client, Router, Switch, etc?

leblanc (Accounting, Author) Commented:
That is what I need to find out next week. I thought that this type of traffic may be well known for an IP address going to a 0.0.0.0.

Don Johnston (Instructor) Commented:
> I thought that this type of traffic may be well known for an IP address going to a 0.0.0.0.

No.  0.0.0.0 is an illegal destination IP address.  The correct destination IP address would either be a unicast or a multicast address.

UnHeardOf Commented:
You can look up the MAC address of 192.168.1.120 to determine at least the vendor of the NIC, which may help in identifying the device.

http://www.coffer.com/mac_find/

leblanc (Accounting, Author) Commented:
Now this is interesting. It is a digital monitoring system. I looked up that IP address in Wireshark under Ethernet and 0.0.0.0 is a broadcast address ff:ff:ff:ff:ff:ff. Wonder why it is 0.0.0.0 and not 255.255.255.255.

UnHeardOf Commented:
A destination MAC address of ff:ff:ff:ff:ff:ff indicates a broadcast. Remember, though, that only accounts for the MAC, not the IP, which is 0.0.0.0, not 255.255.255.255.

Don Johnston (Instructor) Commented:
> Ethernet and 0.0.0.0 is a broadcast address ff:ff:ff:ff:ff:ff. Wonder why it is 0.0.0.0 and not 255.255.255.255.

Most likely the collector address is not correctly configured.  I've seen this behavior in other DAC equipment.
Question has a verified solution.
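
The triage steps from the thread (find frames addressed to 0.0.0.0, note the destination port, check whether the Ethernet destination is broadcast, and take the sender's MAC prefix for a vendor lookup) can be scripted. The following is an added example, not code from any poster; the function names, the MAC addresses and the sample frames are constructed for illustration, and the second sample is a normal DHCP-style broadcast that should not be flagged.

```python
import ipaddress
import struct

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def inspect_frame(frame):
    """Return a finding for an Ethernet II / IPv4 frame sent to 0.0.0.0, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None                      # too short, or not IPv4
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4             # IPv4 header length in bytes
    dst = ipaddress.IPv4Address(ip[16:20])
    if not dst.is_unspecified:           # only a 0.0.0.0 destination is of interest
        return None
    l4 = ip[ihl:]
    # TCP (6) and UDP (17) both carry the destination port in bytes 2-3
    dport = struct.unpack("!H", l4[2:4])[0] if ip[9] in (6, 17) and len(l4) >= 4 else None
    src_mac = fmt_mac(frame[6:12])
    return {
        "src_ip": str(ipaddress.IPv4Address(ip[12:16])),
        "src_mac": src_mac,
        "oui": src_mac[:8],              # vendor prefix to feed a MAC lookup
        "l2_broadcast": fmt_mac(frame[0:6]) == BROADCAST_MAC,
        "proto": {6: "tcp", 17: "udp"}.get(ip[9], str(ip[9])),
        "dst_port": dport,
    }

def build_frame(dst_mac, src_mac, src_ip, dst_ip, dport, proto=17):
    """Build a minimal constructed frame (checksums left at zero)."""
    l4 = struct.pack("!HHHH", 40000, dport, 8, 0)   # UDP-shaped 8-byte header
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    return eth + struct.pack("!H", 0x0800) + ip + l4

# Constructed sample traffic; both source MAC addresses are made up.
SAMPLES = [
    build_frame(BROADCAST_MAC, "02:00:00:aa:bb:cc", "192.168.1.120", "0.0.0.0", 2001),
    build_frame(BROADCAST_MAC, "02:00:00:11:22:33", "0.0.0.0", "255.255.255.255", 67),
]

if __name__ == "__main__":
    for frame in SAMPLES:
        print(inspect_frame(frame))
```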