Wireshark-users: Re: [Wireshark-users] Odd packets

From: Ove Fagerheim <ove.fagerheim@xxxxxxxxxxxxxxxxxx>
Date: Thu, 10 Aug 2006 14:44:55 +0200
Sorry 'bout the lack of info, just didn't want to be too lengthy in my first

I have two hosts, one with the ethereal, one ip phone and a Cisco plugged
into an 8 port 3Com hub. The Cisco has a VPN configured, that is the target
for all traffic. The Cisco then is plugged into an ADSL network. The VPN is
connected to our corporate network.
As you say, the packets from the ethereal host show up fine. But, if I,
from the other host, telnet a remote host (on the corporate net), say telnet
from ->, I get these entries in Ethereal:

Source:, Dest type: ICMP Echo Request with 10 bytes of

Source:, Dest type: ICMP Echo Request with 10 bytes of

If I do a telnet from the ethereal host, the packets show up correctly.

The same goes for all packets from the ip phone. They all show up as ping
packets, although the phone does a successful tftp download at startup.

I can see all broadcasts and non ip protocols normally, seems it's just ip
that is suffering.

Unfortunately I don't have enough practice with ethereal to see clearly
what's going on here.

Thanks for answering

-----Original Message-----
From: Joerg Mayer [mailto:jmayer@xxxxxxxxx] 
Sent: 10 August 2006 13:02
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Odd packets

On Wed, Aug 09, 2006 at 11:13:40AM +0200, Ove Fagerheim wrote:
> Looking at the traffic behind a Cisco 1841, I can see the packet from the
> Wireshark host fine. All other packets appear as icmp echo request
> and a source address  of

I'm not sure I have all the information to understand what a) your setup
and b) your problem is. 
So there is a network, then there is a Cisco1841 and then there is the
host that you use to capture. Wireshark only sees the traffic from and
to that host, and in addition to that, you see ping requests with a
sender address of If that is the case, then I think that it
is normal. If you see no other packets at all (no broadcast or multicast
packets) then I'm wondering what is going on. It's still interesting,
that you see ping packets with source localhost. It looks like some
virus infected host is pinging you with a faked sender address.


Joerg Mayer                                           <jmayer@xxxxxxxxx>
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.