Wireshark mailing list archives

Re: Wireshark, Ubuntu, and mystery UDP packets


From: "netztier () bluewin ch" <netztier () bluewin ch>
Date: Wed, 8 Jun 2016 11:04:50 +0000 (GMT+00:00)

Hi all!
FWIW: 232.0.0.0/8 is the Source-Specific Multicast block.
http://www.iana.org/assignments/multicast-addresses/multicast-addresses.xhtml

Whatever system is meant to receive that stream can - within reason - be expected to support IGMPv3; else it might not be able to subscribe to that stream properly. Might help with the research on the surrounding systems in your network.

Other thing that springs to mind:
Both VirtualBox and Wireshark capture start set the NIC to promiscuous mode, don't they? That's something that might be in common between VBox and capture.

Depending on the network infrastructure you are connected to, the packets you capture might not even be your own. If you have access to the LAN switchport counters, be sure to check if the sustained 6Mbps stream is in- or outbound from the switch port, and if it comes and goes with VBox or capture being active or not, or if it is permanent.

Double-check: Does the source MAC in the received frames match your NIC's address?

best regards
Marc

----Original Message----
From : stephanecharette () gmail com
Date : 2016.06.04 - 03:51 (WEDT)
To : wireshark-users () wireshark org
Subject : [Wireshark-users] Wireshark, Ubuntu, and mystery UDP packets

When I start Wireshark, all is fine.  But when I start capturing, this creates a steady stream of UDP packets.  As soon as I stop the capture, the stream stops.  I've never noticed this before.

The UDP stream is one directional, going to multicast address 232.9.3.115, port 6288.  Each packet is 1328 or 1332 bytes of binary payload.  The packets are sent at a steady rate of 5.3Mbps.  The following options are disabled in wireshark:

    resolve mac address
    resolve network names
    resolve transport names
    promiscuous mode

This is my normal local desktop, running 16.04, kernel 4.4.0.22-generic.  Local, not a remote desktop.  Wireshark is installed from the normal Ubuntu repo:

    dpkg -l | egrep "wireshark|pcap" | grep -v "rc  "
    ii  libpcap0.8:amd64       1.7.4-2             amd64    system interface for user-level packet capture
    ii  libwireshark-data      2.0.2+ga16e22e-1    all      network packet dissection library -- data files
    ii  libwireshark6:amd64    2.0.2+ga16e22e-1    amd64    network packet dissection library -- shared library
    ii  wireshark              2.0.2+ga16e22e-1    amd64    network traffic analyzer - meta-package
    ii  wireshark-common       2.0.2+ga16e22e-1    amd64    network traffic analyzer - common files
    ii  wireshark-qt           2.0.2+ga16e22e-1    amd64    network traffic analyzer - Qt version

I'm at a complete loss as to why starting a packet capture on my local desktop is causing this mystery stream of UDP packets.  I'm hoping someone can tell me either why, how to stop this, or can confirm the same strange behaviour.

Stéphane
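
The two checks suggested in the reply above (is the destination inside the 232.0.0.0/8 SSM block, and does the source MAC match your own NIC) can be run over captured frames as in this added Python example, which is not code from the thread. The MAC addresses, source IPs, timestamps and the `build_frame` helper are constructed sample data and assumptions.

```python
import ipaddress
import struct

SSM_BLOCK = ipaddress.ip_network("232.0.0.0/8")  # Source-Specific Multicast block
LOCAL_MAC = bytes.fromhex("020000000001")  # constructed: stands in for your NIC's MAC

def build_frame(src_mac, src_ip, dst_ip, dport, payload_len):
    """Build a constructed Ethernet/IPv4/UDP multicast frame (checksums left at 0)."""
    dst = ipaddress.ip_address(dst_ip).packed
    dst_mac = b"\x01\x00\x5e" + bytes([dst[1] & 0x7F]) + dst[2:]  # IPv4 multicast MAC
    udp = struct.pack("!HHHH", 40000, dport, 8 + payload_len, 0) + bytes(payload_len)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 1, 17, 0,
                     ipaddress.ip_address(src_ip).packed, dst)
    return dst_mac + src_mac + b"\x08\x00" + ip + udp

def inspect(frame, local_mac):
    """Return stream facts for an IPv4/UDP frame, or None for anything else."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    ihl = (frame[14] & 0x0F) * 4  # IPv4 header length in bytes
    if ihl < 20 or frame[23] != 17 or len(frame) < 14 + ihl + 8:
        return None
    dst_ip = ipaddress.ip_address(frame[30:34])
    dport = struct.unpack("!H", frame[14 + ihl + 2:14 + ihl + 4])[0]
    return {"dst": str(dst_ip), "dport": dport, "ssm": dst_ip in SSM_BLOCK,
            "from_local_nic": frame[6:12] == local_mac}

def summarize(capture, local_mac):
    """capture: list of (timestamp_seconds, frame_bytes); returns SSM stream stats."""
    streams = {}
    for ts, frame in capture:
        info = inspect(frame, local_mac)
        if info is None or not info["ssm"]:
            continue
        key = (info["dst"], info["dport"], info["from_local_nic"])
        s = streams.setdefault(key, {"frames": 0, "bytes": 0, "first": ts, "last": ts})
        s["frames"] += 1
        s["bytes"] += len(frame)
        s["last"] = ts
    for s in streams.values():
        span = s["last"] - s["first"]  # approximate rate over first-to-last timestamp
        s["mbps"] = round(s["bytes"] * 8 / span / 1e6, 2) if span > 0 else 0.0
    return streams

# Constructed capture: ten frames from another host, one non-SSM frame from the local NIC.
SAMPLE = [(i * 0.002, build_frame(bytes.fromhex("020000000099"), "192.0.2.10",
                                  "232.9.3.115", 6288, 1328)) for i in range(10)]
SAMPLE.append((0.02, build_frame(LOCAL_MAC, "192.0.2.20", "224.0.0.251", 5353, 64)))
print(summarize(SAMPLE, LOCAL_MAC))
```

A stream keyed with `from_local_nic` set to False was not transmitted by the capturing host's NIC, which is the case the reply raises when it says the packets might not be your own.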