Solved

wireshark - 0.0.0.0 as destination

Posted on 2015-02-07
13
297 Views
Last Modified: 2015-02-07
I am looking at the conversations statistics and I have many conversations from an IP address to 0.0.0.0, What kind of traffic is that? I don't think it is multicast
0
Comment
Question by:leblanc
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
  • 4
13 Comments
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40595935
Sometimes referred to as a "Martian" destination.  It's basically an illegal destination address.
0
 
LVL 1

Author Comment

by:leblanc
ID: 40595969
This is the TCP conversations and it is 120 bytes for each packet. Could it be a potential network performance problem? Thx
0
 
LVL 50

Assisted Solution

by:Don Johnston
Don Johnston earned 300 total points
ID: 40595978
That would depend on how many packets there are.

What device are these packets coming from?  I would focus on that and eliminating them at the source.
0
Easy, flexible multimedia distribution & control

Coming soon!  Ideal for large-scale A/V applications, ATEN's VM3200 Modular Matrix Switch is an all-in-one solution that simplifies video wall integration. Easily customize display layouts to see what you want, how you want it in 4k.

 
LVL 2

Expert Comment

by:UnHeardOf
ID: 40595981
You would see that when a client first connects to the network and tries to obtain a dhcp address. The client doesnt have an ip address yet so it would come up as 0.0.0.0 and the destination would be 255.255.255.255 ( broadcast  address ) in an attempt to find a dhcp server. What is the destination port that the 0.0.0.0 is trying to communicate to? The source port is random so you would be interested in the destination port.
0
 
LVL 1

Author Comment

by:leblanc
ID: 40595988
I was thinking of DHCP. But the source is 192.168.1.120 and the destination is 0.0.0.0 on port 2001.
0
 
LVL 50

Assisted Solution

by:Don Johnston
Don Johnston earned 300 total points
ID: 40596000
UDP port 2001 is used by CAPTAN, a data acquisition and control protocol.

That is using 0.0.0.0 as a destination could indicate that the device sending out these packets hasn't been correctly configured.
0
 
LVL 2

Accepted Solution

by:
UnHeardOf earned 200 total points
ID: 40596014
What type of device is 192.168.1.120? Windows Client, Router, Switch, etc?
0
 
LVL 1

Author Comment

by:leblanc
ID: 40596028
That is what I need to find out next week. I thought that this type of traffic may be well known for an IP address going to a 0.0.0.0.
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40596045
I thought that this type of traffic may be well known for an IP address going to a 0.0.0.0.

No.  0.0.0.0 is an illegal destination IP address.  The correct destination IP address would either be a unicast or a multicast address.
0
 
LVL 2

Assisted Solution

by:UnHeardOf
UnHeardOf earned 200 total points
ID: 40596053
You can lookup the mac address of 192.168.1.120 to determine at least the vendor of the nic which may help in identifying the device.

http://www.coffer.com/mac_find/
0
 
LVL 1

Author Comment

by:leblanc
ID: 40596068
Now this is interesting. It is a digital monitoring system. I looked that IP address in Wireshark under Ethernet and 0.0.0.0 is a broadcast address ff:ff:ff:ff:ff:ff. Wonder why it is 0.0.0.0 and not 255.255.255.255.
0
 
LVL 2

Expert Comment

by:UnHeardOf
ID: 40596074
A destination MAC address of ff:ff:ff:ff:ff:ff indicates a Broadcast. Remember though that only accounts for the MAC not the IP which is 0.0.0.0 not 255.255.255.255.
0
 
LVL 50

Assisted Solution

by:Don Johnston
Don Johnston earned 300 total points
ID: 40596163
Ethernet and 0.0.0.0 is a broadcast address ff:ff:ff:ff:ff:ff. Wonder why it is 0.0.0.0 and not 255.255.255.255.
Most likely the collector address is not correctly configured.  I've seen this behavior in other DAC equipment.
0

Featured Post

Report: Liquid Web beats Amazon, Rackspace & More

A study by performance analyst firm Cloud Spectator finds that Liquid Web beats rivals Amazon, Rackspace and DigitalOcean when it comes to website and cloud application performance.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

If your business is like most, chances are you still need to maintain a fax infrastructure for your staff. It’s hard to believe that a communication technology that was thriving in the mid-80s could still be an essential part of your team’s modern I…
If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

732 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question