  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 451

wireshark - 0.0.0.0 as destination

I am looking at the conversations statistics and I have many conversations from an IP address to 0.0.0.0. What kind of traffic is that? I don't think it is multicast.
0
leblanc
Asked:
5 Solutions
 
Don Johnston (Instructor) Commented:
Sometimes referred to as a "Martian" destination.  It's basically an illegal destination address.
0
 
leblanc (Accounting, Author) Commented:
This is the TCP conversations and it is 120 bytes for each packet. Could it be a potential network performance problem? Thx
0
 
Don Johnston (Instructor) Commented:
That would depend on how many packets there are.

What device are these packets coming from?  I would focus on that and eliminating them at the source.
0
 
UnHeardOf Commented:
You would see that when a client first connects to the network and tries to obtain a DHCP address. The client doesn't have an IP address yet, so it would come up as 0.0.0.0 and the destination would be 255.255.255.255 (broadcast address) in an attempt to find a DHCP server. What is the destination port that the 0.0.0.0 is trying to communicate to? The source port is random, so you would be interested in the destination port.
0
 
leblanc (Accounting, Author) Commented:
I was thinking of DHCP. But the source is 192.168.1.120 and the destination is 0.0.0.0 on port 2001.
0
 
Don Johnston (Instructor) Commented:
UDP port 2001 is used by CAPTAN, a data acquisition and control protocol.

That it is using 0.0.0.0 as a destination could indicate that the device sending out these packets hasn't been correctly configured.
0
 
UnHeardOf Commented:
What type of device is 192.168.1.120? Windows Client, Router, Switch, etc?
0
 
leblanc (Accounting, Author) Commented:
That is what I need to find out next week. I thought that this type of traffic may be well known for an IP address going to a 0.0.0.0.
0
 
Don Johnston (Instructor) Commented:
"I thought that this type of traffic may be well known for an IP address going to a 0.0.0.0."

No.  0.0.0.0 is an illegal destination IP address.  The correct destination IP address would either be a unicast or a multicast address.
0
 
UnHeardOf Commented:
You can look up the MAC address of 192.168.1.120 to determine at least the vendor of the NIC, which may help in identifying the device.

http://www.coffer.com/mac_find/
0
 
leblanc (Accounting, Author) Commented:
Now this is interesting. It is a digital monitoring system. I looked that IP address in Wireshark under Ethernet and 0.0.0.0 is a broadcast address ff:ff:ff:ff:ff:ff. Wonder why it is 0.0.0.0 and not 255.255.255.255.
0
 
UnHeardOf Commented:
A destination MAC address of ff:ff:ff:ff:ff:ff indicates a broadcast. Remember, though, that only accounts for the MAC, not the IP, which is 0.0.0.0, not 255.255.255.255.
0
 
Don Johnston (Instructor) Commented:
"Ethernet and 0.0.0.0 is a broadcast address ff:ff:ff:ff:ff:ff. Wonder why it is 0.0.0.0 and not 255.255.255.255."
Most likely the collector address is not correctly configured.  I've seen this behavior in other DAC equipment.
0
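
Added example, not part of the original thread or written by any of its participants: a Python check that walks raw Ethernet II frames and reports every sender whose IPv4 destination is 0.0.0.0, with the source MAC and its OUI prefix (for the vendor lookup suggested above), whether the frame was an Ethernet broadcast, and the destination port. The MAC addresses and frames are constructed sample data, and the use of UDP in the samples is an assumption; only 192.168.1.120, 0.0.0.0 and port 2001 come from the thread.

```python
import socket
import struct
from collections import Counter

BROADCAST_MAC = b"\xff" * 6
ZERO_IP = b"\x00" * 4

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_frame(dst_mac, src_mac, src_ip, dst_ip, proto, sport, dport):
    """Build a minimal Ethernet II + IPv4 frame (constructed test data, checksums zeroed)."""
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return dst_mac + src_mac + b"\x08\x00" + ip + l4

def find_zero_dst(frames):
    """Count frames whose IPv4 destination is 0.0.0.0, keyed by sender details."""
    hits = Counter()
    for f in frames:
        if len(f) < 34 or f[12:14] != b"\x08\x00":    # not IPv4 over Ethernet II
            continue
        ihl = (f[14] & 0x0F) * 4                       # IPv4 header length in bytes
        proto, src, dst = f[23], f[26:30], f[30:34]
        if ihl < 20 or dst != ZERO_IP:
            continue
        dport = None
        l4 = 14 + ihl
        if proto in (6, 17) and len(f) >= l4 + 4:      # TCP and UDP both start with the ports
            dport = struct.unpack("!H", f[l4 + 2:l4 + 4])[0]
        key = (socket.inet_ntoa(src), mac_str(f[6:12]), mac_str(f[6:9]),
               f[0:6] == BROADCAST_MAC, proto, dport)
        hits[key] += 1
    return hits

# Constructed sample capture; the MACs are locally administered placeholders.
DEVICE_MAC = bytes.fromhex("020000aabbcc")
CLIENT_MAC = bytes.fromhex("020000112233")
SAMPLE = [
    build_frame(BROADCAST_MAC, DEVICE_MAC, "192.168.1.120", "0.0.0.0", 17, 40000, 2001),
    build_frame(BROADCAST_MAC, DEVICE_MAC, "192.168.1.120", "0.0.0.0", 17, 40000, 2001),
    # DHCP discover: 0.0.0.0 is the source here, so it must not be flagged.
    build_frame(BROADCAST_MAC, CLIENT_MAC, "0.0.0.0", "255.255.255.255", 17, 68, 67),
    build_frame(CLIENT_MAC, DEVICE_MAC, "192.168.1.120", "192.168.1.10", 6, 40001, 443),
]

if __name__ == "__main__":
    for (ip, mac, oui, bcast, proto, dport), n in find_zero_dst(SAMPLE).items():
        print(f"{n} frame(s) {ip} ({mac}, OUI {oui}) -> 0.0.0.0 "
              f"proto={proto} dport={dport} eth_broadcast={bcast}")
```

The per-sender frame count addresses the earlier question of how many packets there are, and the OUI is the part of the MAC address a vendor lookup uses.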
