Solved

wireshark - 0.0.0.0 as destination

Posted on 2015-02-07
Last Modified: 2015-02-07
I am looking at the conversations statistics and I have many conversations from an IP address to 0.0.0.0. What kind of traffic is that? I don't think it is multicast.
Question by:leblanc
13 Comments
 
LVL 50

Expert Comment

by:Don Johnston
Sometimes referred to as a "Martian" destination.  It's basically an illegal destination address.
 
LVL 1

Author Comment

by:leblanc
This is the TCP conversations and it is 120 bytes for each packet. Could it be a potential network performance problem? Thx
 
LVL 50

Assisted Solution

by:Don Johnston
Don Johnston earned 300 total points
That would depend on how many packets there are.

What device are these packets coming from?  I would focus on that and eliminating them at the source.
 
LVL 2

Expert Comment

by:UnHeardOf
You would see that when a client first connects to the network and tries to obtain a DHCP address. The client doesn't have an IP address yet, so it would come up as 0.0.0.0 and the destination would be 255.255.255.255 (broadcast address) in an attempt to find a DHCP server. What is the destination port that the 0.0.0.0 is trying to communicate to? The source port is random so you would be interested in the destination port.
 
LVL 1

Author Comment

by:leblanc
I was thinking of DHCP. But the source is 192.168.1.120 and the destination is 0.0.0.0 on port 2001.
 
LVL 50

Assisted Solution

by:Don Johnston
Don Johnston earned 300 total points
UDP port 2001 is used by CAPTAN, a data acquisition and control protocol.

That it is using 0.0.0.0 as a destination could indicate that the device sending out these packets hasn't been correctly configured.

 
LVL 2

Accepted Solution

by:
UnHeardOf earned 200 total points
What type of device is 192.168.1.120? Windows Client, Router, Switch, etc?
 
LVL 1

Author Comment

by:leblanc
That is what I need to find out next week. I thought that this type of traffic may be well known for an IP address going to a 0.0.0.0.
 
LVL 50

Expert Comment

by:Don Johnston
"I thought that this type of traffic may be well known for an IP address going to a 0.0.0.0."

No.  0.0.0.0 is an illegal destination IP address.  The correct destination IP address would either be a unicast or a multicast address.
 
LVL 2

Assisted Solution

by:UnHeardOf
UnHeardOf earned 200 total points
You can look up the MAC address of 192.168.1.120 to determine at least the vendor of the NIC, which may help in identifying the device.

http://www.coffer.com/mac_find/
 
LVL 1

Author Comment

by:leblanc
Now this is interesting. It is a digital monitoring system. I looked up that IP address in Wireshark under Ethernet and 0.0.0.0 is a broadcast address ff:ff:ff:ff:ff:ff. Wonder why it is 0.0.0.0 and not 255.255.255.255.
 
LVL 2

Expert Comment

by:UnHeardOf
A destination MAC address of ff:ff:ff:ff:ff:ff indicates a Broadcast. Remember, though, that only accounts for the MAC, not the IP, which is 0.0.0.0, not 255.255.255.255.
 
LVL 50

Assisted Solution

by:Don Johnston
Don Johnston earned 300 total points
"Ethernet and 0.0.0.0 is a broadcast address ff:ff:ff:ff:ff:ff. Wonder why it is 0.0.0.0 and not 255.255.255.255."
Most likely the collector address is not correctly configured.  I've seen this behavior in other DAC equipment.
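
As an added example (not part of the original thread), the triage steps discussed above can be scripted over raw Ethernet frames: who sends to 0.0.0.0, on which port, whether the frame is an Ethernet broadcast, and the sender's OUI for a vendor lookup. The sample frames, MAC addresses and function names are constructed for illustration, and UDP is assumed for port 2001.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

BROADCAST_MAC = b"\xff" * 6
PROTO = {6: "tcp", 17: "udp"}

def parse(raw):
    """Return selected L2/L3/L4 fields of an Ethernet II + IPv4 frame, or None."""
    if len(raw) < 34 or raw[12:14] != b"\x08\x00" or raw[14] >> 4 != 4:
        return None                          # too short, or not IPv4
    ihl = (raw[14] & 0x0F) * 4               # IPv4 header length in bytes
    l4 = raw[14 + ihl:] if ihl >= 20 else b""
    dport = None
    if raw[23] in PROTO and len(l4) >= 4:    # TCP and UDP both begin: sport, dport
        dport = struct.unpack("!H", l4[2:4])[0]
    return {"dst_mac": raw[0:6], "src_mac": raw[6:12],
            "src_ip": IPv4Address(raw[26:30]), "dst_ip": IPv4Address(raw[30:34]),
            "proto": PROTO.get(raw[23], str(raw[23])), "dport": dport}

def unspecified_dst_talkers(frames):
    """Count frames addressed to 0.0.0.0, keyed by sender, port and L2 broadcast flag."""
    hits = Counter()
    for raw in frames:
        p = parse(raw)
        if p is None or not p["dst_ip"].is_unspecified:
            continue                         # only 0.0.0.0 as *destination* is of interest
        oui = p["src_mac"][:3].hex(":")      # first three bytes identify the NIC vendor
        key = (str(p["src_ip"]), oui, p["proto"], p["dport"], p["dst_mac"] == BROADCAST_MAC)
        hits[key] += 1
    return hits

def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, dport):
    """Build a minimal test frame: zero checksums, only 8 bytes of L4 header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return dst_mac + src_mac + b"\x08\x00" + ip + struct.pack("!HHHH", 40000, dport, 8, 0)

# Constructed sample traffic. All MAC addresses are made-up, locally administered values.
DEVICE = bytes.fromhex("02005e000120")
SAMPLE = [
    build_frame(DEVICE, BROADCAST_MAC, "192.168.1.120", "0.0.0.0", 17, 2001),
    build_frame(DEVICE, BROADCAST_MAC, "192.168.1.120", "0.0.0.0", 17, 2001),
    # DHCP discover: 0.0.0.0 is the *source* here, so it must not be flagged
    build_frame(bytes.fromhex("020000000001"), BROADCAST_MAC, "0.0.0.0", "255.255.255.255", 17, 67),
    build_frame(bytes.fromhex("020000000002"), DEVICE, "192.168.1.10", "192.168.1.120", 6, 443),
]

if __name__ == "__main__":
    print(dict(unspecified_dst_talkers(SAMPLE)))
```

Against a real capture, the same selection is the Wireshark display filter `ip.dst == 0.0.0.0`.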