Packet decoding - Need expert's help

codeace

Hello everyone!

I found some incoming network activity on my wireless lan, but there were no outgoing packets. I appreciate if someone can find if this is strange. When such activities happen on my network, it only adds to my insecurity. Below is a description of things.

> Network: Wi-fi n/w with 10 other hosts connected to it.

> My system: Ubuntu Lucid 10.04 (All updates/patches installed)

> Fired-up etherape, but didn't show any activity on my LAN IP. But I was able to see the incoming packets on the gnome-system-monitor. Realized it can't be ping as there was no outgoing packets either.

> Fired-up wireshark, found a lot bunch of received packets on my wlan0 interface and started capturing traffic (Enabled MAC resolution). I found most of the activity on the ethernet layer between the router (buffalo) and devices called "Azurewav" & "HonHai". Again realized that the former one could be the MS touted cloud platform and the later one associated with Apple/Foxconn.


> At one point, I even tried closing all browsers/apps/services (one-at-a-time) to find who the culprit was. (I understand it is the worse thing to do from an analysis POV, but it was my last resort)

> Looking into the Wireshark info section of each packet, there were some related to HP printer and Texas Instr. commands. I don't have much understanding of packet level inspection. As I type this, the wlan continues to receiving those same set of repetitive packets over and over again. So, I would be thankful if someone can look into this and help me understand this.

> Wireshark **** link here (pass: techexams.net). I don't know if there is any sensitive info on this. If you know there is, please let know and I will have this link deleted.

Is this regular Windows discovery? or an infected device on the n/w attacking others? Help please.

UPDATE: EtherApe detected a connection to a strange IP 239.192.152.143. Whois returned saying it is an IP reserved by IANA. Not sure if it helps.

docrice

The trace spans over only 50 seconds. The general timestamp is a little after midnight. Do you expect a lot of traffic around this time within each minute? I do see some typical SSDP and mDNS stuff in there.

There's one host that's doing both IPv4 and IPv6 based on the hardware address (1c:4b:d6:74:fb:9f). The router (with the 00:24:a5:42:2e:a4 MAC address) seems to be sending out all this LLC traffic, if that's what you're concerned about. I don't know much about Buffalo devices, but I generally don't see that kind of traffic in my networks for sure. Perhaps the router's misconfigured?

I apologize if I misinterpreted what you're asking for. It's late over here.

codeace

Sorry, in my last post I was talking Azurewav without reference etc.. It actually had wireshark's MAC resolution enabled for capture. Device 1c:4b:d6:74:fb:9f resolved to "Azurewav". Kindly skip the "HonHai" as I filtered that device.

Yes, the **** is only around 50 secs long. I keep monitoring my network but never did I see such strange traffic. But ~2megs for 50 secs at late night seemed definitely abnormal. That is what raised doubts on possible attacks. Going over the router (buffalo) settings, I remembered setting the MAC filter and assigning a static IP for each host on the n/w. Looking up the table, showed that it was one of my friends living next door.

Last time it seemed like he had a HP printer hooked up to his Win 7 PC. Connecting the "Azure" name and the recent slew of HP printers with cloud print support is raising some suspicion! Like you mentioned from the list of protocols involved, they seem to be of LLC, 0x05ec, MDNS and SSDP. Do you know if they could correspond to an attack or any pointers to what these packets mean?

Moreover it is interesting to know that they all originate from the router. This helps me understand that there is some config problem with the router. It has the factory firmware. Can you tell me if it is worth flashing and getting the DD-WRT on to it. Buffalo WHR-HP-G54 ref Supported Devices - DD-WRT Wiki


Side note (Irrelevant): It was pretty interesting to about read your ESXi Network-in-a-box on your blog and have a question related to it. The ESXi in my lab has one vSwitch and 10 hosts on it. I would like to split them into 2 different networks, one with 172.16.10.0/24 and another one with 192.168.10.0/24, to put 5 hosts on each network and essentially allow any host in one network to talk to hosts in both it's own network and the other network. I couldn't seem to find a way to do this without creating 2 vSwitches and connecting them through physical wires. Do you know if this is possible?

I am very much humbled by your instant reply

tiersten

codeace wrote: »

I found most of the activity on the ethernet layer between the router (buffalo) and devices called "Azurewav" & "HonHai". Again realized that the former one could be the MS touted cloud platform and the later one associated with Apple/Foxconn.

If you want to assign MAC addresses to your hardware then you need to purchase a block of addresses from the registrar the IEEE. All you're seeing is that a company called Azurewave purchased some addresses for some device and you've got a device somewhere on your LAN that has Azurewave components or is made/designed by Azurewave. It doesn't mean the Azure cloud platform by Microsoft. Same again for HonHai which is just the other name for Foxconn who are contract manufacturers for pretty much everything.

codeace wrote: »

UPDATE: EtherApe detected a connection to a strange IP 239.192.152.143. Whois returned saying it is an IP reserved by IANA. Not sure if it helps.

Its a multicast IP address and would be internal to your LAN as pretty much every home ISP on the planet doesn't do proper multicast.

codeace wrote: »

That is what raised doubts on possible attacks.

Its all within your LAN so not an external attack. If it is an attack then it'd be internal between devices so go slap your friend if it is one of their devices involved.

The Azurewave device has the IP address 192.168.1.13 and it is talking to something which I assume has 192.168.1.11 as it is doing ARP for that IP as well.

codeace wrote: »

Connecting the "Azure" name and the recent slew of HP printers with cloud print support is raising some suspicion!

No.

codeace wrote: »

Like you mentioned from the list of protocols involved, they seem to be of LLC, 0x05ec, MDNS and SSDP. Do you know if they could correspond to an attack or any pointers to what these packets mean?

The LLC frames are misidentified by Wireshark as the frames don't conform to standards. It isn't LLC and its not using JetDirect, VINES, NetWare or any of the other SAPs it thinks it sees.
0x05EC means it is just pure data as less then 0x0600 means it is a length field and not a type field. Its the same type of payload as the "LLC" frames you're seeing.
mDNS is just device discovery e.g. Bonjour. Many devices use it. Ignore it.
SSDP is yet more device discovery. Many devices use it. Ignore it.

codeace wrote: »

Moreover it is interesting to know that they all originate from the router. This helps me understand that there is some config problem with the router.

You sure that it is a router? Buffalo make more than just routers. They've got a whole range of network cards and dongles for one thing. Go check the MAC address. I doubt it is a router just based on what it is doing.

As for what that data is, I've no idea. You'll have to provide more information on what those two devices are. It isn't an attack if thats what you're worried about.

Azurewave make digital TV devices and network chipsets. HonHai/Foxconn make everything. Buffalo make lots of varied devices. All three may not actually be branded as their respective names and may be something else. If you used a numbering scheme then both devices are probably something your friend is running and its just talking between themselves whilst periodically broadcasting within your LAN to see if any other devices are around.

Judging by the amount of data involved, it is doing streaming to/from something. Go check for NAS boxes, TVs, DVRs and video streamers. The wireless dongles that you buy for TVs are generally a rebranded version of a normal wireless dongle so check those for Buffalo and Azurewave MACs.

sidsanders

i like this tool for wireless scanning: Kismet

has some nice alert features if you want to test it out. it can capture traffic that you can then use wireshark to look at as well.

codeace

Judging by the amount of data involved, it is doing streaming to/from something. Go check for NAS boxes, TVs, DVRs and video streamers. The wireless dongles that you buy for TVs are generally a rebranded version of a normal wireless dongle so check those for Buffalo and Azurewave MACs.

Sir, you are so right! It was an Apple TV connected to my friend's laptop which had the Azurewave g/n wi-fi card talking to the Buffalo g router. Nevertheless he deserves a slap

Thank you for your time and patience in answering a noob like me. I learned quiet a lot from this experience (especially not to believe the wireshark info always).

docrice

codeace wrote: »

Side note (Irrelevant): It was pretty interesting to about read your ESXi Network-in-a-box on your blog and have a question related to it. The ESXi in my lab has one vSwitch and 10 hosts on it. I would like to split them into 2 different networks, one with 172.16.10.0/24 and another one with 192.168.10.0/24, to put 5 hosts on each network and essentially allow any host in one network to talk to hosts in both it's own network and the other network. I couldn't seem to find a way to do this without creating 2 vSwitches and connecting them through physical wires. Do you know if this is possible?

You're talking about routing between subnets, something vSwitches won't do. You'll have to set up a VM host as a router (Linux or BSD set for IP forwarding, for example) that has a virtual interface connected to each vSwitch.

Optionally, you could set up port groups for each subnet on the vSwitch which identify their VLAN ID and then connect the ESXi host's physical interface (which is mapped to the vSwitch, assuming you have more than one interface on your ESXi server) to a physical switch's trunk port (and assuming the switch has a physical router connected to it).

A third option is to implement a router-on-a-stick design and have the ESXi's physical interface trunk up to a physical router's interface that's capable of configuring sub-interfaces (I'm referencing Cisco IOS here, although I assume other makes such as Juniper would do something similar).

codeace

@sidsanders

Using Kis[met|MAC] doesn't solve the issue, although I've used it to get a great deal of info on the wi-fi n/ws.

docrice wrote: »

You're talking about routing between subnets, something vSwitches won't do. You'll have to set up a VM host as a router (Linux or BSD set for IP forwarding, for example) that has a virtual interface connected to each vSwitch.

That's what I will need. All virtual. Really wish they had a virtual connector as in vSwitch0

---

> vConnector (Router)

---

> vSwitch1.

Thanks docrice!

tiersten

codeace wrote: »

That's what I will need. All virtual. Really wish they had a virtual connector as in vSwitch0

---

> vConnector (Router)

---

> vSwitch1.

Its called Nexus 1000V.

docrice

tiersten wrote: »

Its called Nexus 1000V.

Thanks for this. I didn't know about this product and will have to look into it.

tiersten

docrice wrote: »

Thanks for this. I didn't know about this product and will have to look into it.

60 day trial available.

Its actually a L2 switch but with some L3 and L4 features so probably not quite what codeace wants. The main part of it is actually a replacement for the vSwitch and actually inserts itself as a module into the ESX kernel. Its all managed by a VM.

codeace

tiersten wrote: »

Its called Nexus 1000V.

Interesting. Thanks!

tiersten wrote: »

The main part of it is actually a replacement for the vSwitch and actually inserts itself as a module into the ESX kernel. Its all managed by a VM.

That is one awesome feature to have. Actually it has more than what I want. Must ask ppl above me to try and buy this.