wireshark - 0.0.0.0 as destination

I am looking at the conversations statistics and I have many conversations from an IP address to 0.0.0.0. What kind of traffic is that? I don't think it is multicast.
leblancAccounting Asked:
 
UnHeardOf Commented:
What type of device is 192.168.1.120? Windows Client, Router, Switch, etc?
 
Don Johnston (Instructor) Commented:
Sometimes referred to as a "Martian" destination.  It's basically an illegal destination address.
 
leblancAccounting (Author) Commented:
This is the TCP conversations and it is 120 bytes for each packet. Could it be a potential network performance problem? Thx
 
Don Johnston (Instructor) Commented:
That would depend on how many packets there are.

What device are these packets coming from?  I would focus on that and eliminating them at the source.
 
UnHeardOf Commented:
You would see that when a client first connects to the network and tries to obtain a DHCP address. The client doesn't have an IP address yet, so it would come up as 0.0.0.0 and the destination would be 255.255.255.255 (broadcast address) in an attempt to find a DHCP server. What is the destination port that the 0.0.0.0 is trying to communicate to? The source port is random, so you would be interested in the destination port.
 
leblancAccounting (Author) Commented:
I was thinking of DHCP. But the source is 192.168.1.120 and the destination is 0.0.0.0 on port 2001.
 
Don Johnston (Instructor) Commented:
UDP port 2001 is used by CAPTAN, a data acquisition and control protocol.

That it is using 0.0.0.0 as a destination could indicate that the device sending out these packets hasn't been correctly configured.
 
leblancAccounting (Author) Commented:
That is what I need to find out next week. I thought that this type of traffic may be well known for an IP address going to a 0.0.0.0.
 
Don Johnston (Instructor) Commented:
> I thought that this type of traffic may be well known for an IP address going to a 0.0.0.0.

No.  0.0.0.0 is an illegal destination IP address.  The correct destination IP address would either be a unicast or a multicast address.
 
UnHeardOf Commented:
You can look up the MAC address of 192.168.1.120 to determine at least the vendor of the NIC, which may help in identifying the device.

http://www.coffer.com/mac_find/
 
leblancAccounting (Author) Commented:
Now this is interesting. It is a digital monitoring system. I looked up that IP address in Wireshark under Ethernet and 0.0.0.0 is a broadcast address ff:ff:ff:ff:ff:ff. Wonder why it is 0.0.0.0 and not 255.255.255.255.
 
UnHeardOf Commented:
A destination MAC address of ff:ff:ff:ff:ff:ff indicates a broadcast. Remember, though, that only accounts for the MAC, not the IP, which is 0.0.0.0, not 255.255.255.255.
 
Don Johnston (Instructor) Commented:
> Ethernet and 0.0.0.0 is a broadcast address ff:ff:ff:ff:ff:ff. Wonder why it is 0.0.0.0 and not 255.255.255.255.

Most likely the collector address is not correctly configured.  I've seen this behavior in other DAC equipment.
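
The check worked through in this thread, as an added example that is not part of the original posts: a standard-library Python script that reads a classic pcap and tallies IPv4 packets sent to 0.0.0.0 by source IP, source MAC, destination MAC, protocol and destination port. The capture bytes and MAC addresses are constructed for illustration; in Wireshark the display filter `ip.dst == 0.0.0.0` selects the same packets.

```python
import socket
import struct
from collections import Counter

def frame(src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport):
    """Build a constructed Ethernet/IPv4 frame (checksums left as zero)."""
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * (16 if proto == 6 else 4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return bytes.fromhex(dst_mac + src_mac) + b"\x08\x00" + ip + l4

def pcap(frames):
    """Wrap frames in a little-endian classic pcap file (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def zero_dst_conversations(data):
    """Count IPv4 packets whose destination is 0.0.0.0, grouped by sender."""
    hits, off = Counter(), 24                     # skip the 24-byte global header
    while off + 16 <= len(data):
        incl = struct.unpack_from("<I", data, off + 8)[0]
        pkt, off = data[off + 16: off + 16 + incl], off + 16 + incl
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
            continue                              # not IPv4 over Ethernet
        if pkt[30:34] != b"\x00\x00\x00\x00":
            continue                              # destination is not 0.0.0.0
        l4 = pkt[14 + (pkt[14] & 0x0F) * 4:]      # skip IP header (IHL words)
        proto = {6: "tcp", 17: "udp"}.get(pkt[23], str(pkt[23]))
        has_port = pkt[23] in (6, 17) and len(l4) >= 4
        dport = struct.unpack_from("!H", l4, 2)[0] if has_port else None
        key = (socket.inet_ntoa(pkt[26:30]), pkt[6:12].hex(":"),
               pkt[0:6].hex(":"), proto, dport)
        hits[key] += 1
    return hits

# Constructed capture: two frames shaped like the thread's traffic, one
# DHCP-discover-shaped frame (source 0.0.0.0, not destination), one normal flow.
SAMPLE = pcap([
    frame("020000000120", "ffffffffffff", "192.168.1.120", "0.0.0.0", 6, 49152, 2001),
    frame("020000000120", "ffffffffffff", "192.168.1.120", "0.0.0.0", 6, 49153, 2001),
    frame("020000000007", "ffffffffffff", "0.0.0.0", "255.255.255.255", 17, 68, 67),
    frame("020000000007", "020000000001", "192.168.1.7", "192.168.1.1", 6, 50000, 443),
])

if __name__ == "__main__":
    for key, count in zero_dst_conversations(SAMPLE).items():
        print(count, key)
```

The source MAC in each result is what you would feed to a vendor (OUI) lookup to identify the sending device.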
Question has a verified solution.
