[Winpcap-users] My NIC is redirecting/replicating packetswhensniffing

Jim Young sysjhy at langate.gsu.edu
Thu Oct 30 03:53:46 GMT 2008


Hello Feliciano,

>>> Feliciano Chavez <chavezf at tutopia.com> 2008-10-29 20:44 >>>
> I tested today on other machines, and saw the same malfunction.
> My Toshiba Laptop runs Windows Vista Business English, SP1.
> WinPcap 4.0.2 was installed when I installed Wireshark (I updated
> Wireshark yesterday, but the problem has been happening for
> some time; I just didn't realize it until now). NIC = RTL8101.
> Today, I installed the latest Wireshark on 6 IBM PCs, and
> found the same replicating issue when sniffing (with Wireshark)
> on them (a copy of the received packet, but with their own MAC
> instead of the original one). The IBM PCs are running either
> Windows NT 2000 Spanish or XP Professional (if you need the
> exact info I can go back and check).
> The NPF service used for sniffing without administrator privileges
> isn't activated.
> Ideas?

Regarding this problem, I've taken a look at the trace files you 
included with bug report # 3003 that you initially submitted to 
Wireshark Bug Database:

   https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3003 

I saw a couple of curious items in the first trace you attached.

You reported that you have a Linksys router at 192.168.14.1.  But if 
you look at Wireshark's Ethernet endpoints report, you actually 
appear to have two (2) devices with Cisco/Linksys MAC addresses 
on your LAN segment (one at 192.168.14.1, the other at 
192.168.14.137). You also appear to have two hosts:

Cisco-Li_4b:a4:03   (00:1d:7e:4b:a4:03)   192.168.14.1
Cisco-Li_b6:f7:31   (00:18:39:b6:f7:31)   192.168.14.137
Grandstr_06:8a:80   (00:0b:82:06:8a:80)   192.168.14.109
QuantaCo_0b:10:74   (00:1e:68:0b:10:74)   192.168.14.111

The most curious thing to me is that there are ICMP redirect frames 
generated from your machine (00:1e:68:0b:10:74).  You can easily 
display these frames with the Wireshark display filter:

   icmp.type==5

In some ways it appears that this machine is actively attempting 
to get a copy of each packet sent on the segment.  I'm guessing
you are seeing two copies of each frame because the various 
systems first send the frame directly to your system's specific 
MAC address (in response to the ICMP redirects), then your 
system forwards a copy of the same frame but this time with 
the real destination MAC addresses.

The question is WHY your workstation would be sending these 
ICMP redirects?

If you are interested in knowing more about ICMP redirects you 
can check out the following:

When Are ICMP Redirects Sent?
  http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094702.shtml 

ICMP Redirect Message
  http://en.wikipedia.org/wiki/ICMP_Redirect_Message 

Explanation of ICMP Redirect Behavior
  http://support.microsoft.com/kb/195686 

Here are some things to look at (in no particular order):

Are you running any type of VPN software on these machines?

Do you have multiple NIC cards installed and enabled in these
machines (i.e. wireless and wired)?  

Have you accidentally enabled bridging or some type of routing 
services on these machines?

Do you have any type of virtual machine software running on
these machines?

Is there any type of common third party application installed
on these machines (besides WinPcap/Wireshark)?

Answering yes to any of these questions may lead you to the 
source.

I hope you find this info useful.

Jim Y.
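The two checks Jim applies to the trace (who is emitting icmp.type==5 redirects besides the gateway, and which frames reach the workstation's MAC and are then re-sent with the real destination MAC) can be automated over exported packet records. The following is an added example written for this archive page, not code from the thread or from WinPcap/Wireshark; it works on constructed frame tuples that reuse the MAC addresses from the endpoint table above, while the 10.0.0.x destination IPs and IP IDs are made up for illustration.

```python
from collections import defaultdict

GATEWAY_MAC = "00:1d:7e:4b:a4:03"   # Linksys router at 192.168.14.1 (from the trace)
SNIFFER_MAC = "00:1e:68:0b:10:74"   # the sniffing workstation (from the trace)

# Constructed frames modelled on the behaviour described in the thread:
# (src_mac, dst_mac, src_ip, dst_ip, icmp_type or None, ip_id)
FRAMES = [
    # the workstation, not the router, sends an ICMP redirect (type 5) to a host
    (SNIFFER_MAC, "00:0b:82:06:8a:80", "192.168.14.111", "192.168.14.109", 5, 100),
    # that host now sends an off-segment packet to the workstation's MAC ...
    ("00:0b:82:06:8a:80", SNIFFER_MAC, "192.168.14.109", "10.0.0.5", None, 200),
    # ... and the workstation forwards a copy with the real (router) destination MAC
    (SNIFFER_MAC, GATEWAY_MAC, "192.168.14.109", "10.0.0.5", None, 200),
    # a normal frame sent straight to the router, seen only once
    ("00:0b:82:06:8a:80", GATEWAY_MAC, "192.168.14.109", "10.0.0.6", None, 201),
]


def redirect_senders(frames, gateway_mac):
    """MACs that emit ICMP redirects (icmp.type==5) but are not the known gateway.

    A redirect from anything other than the gateway is the anomaly Jim spotted:
    on a healthy segment only the router should ever send them."""
    return sorted({f[0] for f in frames if f[4] == 5 and f[0] != gateway_mac})


def forwarded_duplicates(frames, sniffer_mac):
    """Return (src_ip, dst_ip, ip_id) keys for packets that were captured twice:
    once addressed to the sniffer's MAC and once re-sent by the sniffer to a
    different MAC, i.e. the 'copy with our own MAC' pattern from the thread."""
    groups = defaultdict(list)
    for src_mac, dst_mac, src_ip, dst_ip, _icmp, ip_id in frames:
        groups[(src_ip, dst_ip, ip_id)].append((src_mac, dst_mac))
    hits = []
    for key, macs in groups.items():
        to_sniffer = any(d == sniffer_mac for _, d in macs)
        resent = any(s == sniffer_mac and d != sniffer_mac for s, d in macs)
        if to_sniffer and resent:
            hits.append(key)
    return sorted(hits)


if __name__ == "__main__":
    print("unexpected redirect senders:", redirect_senders(FRAMES, GATEWAY_MAC))
    print("forwarded duplicates:", forwarded_duplicates(FRAMES, SNIFFER_MAC))
```

On a real capture, the same tuples can be produced with tshark -T fields (eth.src, eth.dst, ip.src, ip.dst, icmp.type, ip.id) and fed in unchanged.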
