
Today, I did a Wireshark network capture on a LAN and found a broadcast storm from a computer. The broadcast storm has stopped, but I would like to know why and what caused this broadcast storm.

Here is the information (screenshot of the capture, not reproduced here):

The point is that there is no IP range in 192.168.44.0 in our organisation. None of these IPs respond to ICMP requests.

I kept sniffing the traffic, and currently this broadcast is no longer present. Besides, there are some other broadcasts from computers to IP addresses in 192.168, but not in my IP range.

Any help to solve this issue is welcome. Thanks for your help.

Greg Askew
chaft

2 Answers

You would need to get the MAC address and not the IP, as a machine that is connected to the same network could use another IP and still storm.

Find the MAC using Wireshark and look for it on the network. If you have an inventory, or check on the switch (if you can) which MAC is connected to which port, and find the faulty machine.

yield
  • I have the MAC address; I know which computer it is. But I can't get the MAC address it goes to. I can only get the destination IP address. – chaft Aug 16 '22 at 12:47
  • None of the applications on the computer should use IP addresses like 192.168.44.75(76)(77) etc... – chaft Aug 16 '22 at 12:55
  • Check the computer's ARP table; you should find the destination IP along with its MAC address. Sorry, I don't know which OS you are on. Search for the ARP command, it is pretty straightforward – yield Aug 16 '22 at 13:01
  • I've already done it. The IP addresses on 192.168.44 don't appear in the ARP table. The computers are on Windows. – chaft Aug 16 '22 at 13:15
Check the computer at the IP 192.168.5.1; it's the one that sent those ARP requests.

You don't have to care about that range that doesn't exist, as it's possibly just a scan, but there can be a lot of reasons: a virus, software pre-built to be in the 192.168.44.x range (like security cameras that use a lot of UDP/broadcast), etc...

In larger networks you can see something like 40k broadcasts per second; it's not so uncommon, by the way.

yagmoth555
  • I was on the computer to check the ARP table: nothing in 192.168.44.X, and we have no IP range in 192.168.44.X. The IPs in 192.168.44.X don't respond to ping. As you say, it can be a virus; I need to make sure of that. How can I know which application makes these requests? – chaft Aug 16 '22 at 16:10
  • @chaft You miss my point; the packet said "Who has 192.168.44.X? Tell 192.168.5.1". 192.168.5.1 did the broadcast there for all those IPs in the 44.X range, but nothing answered, of course, as you have no IP configured in that range. – yagmoth555 Aug 16 '22 at 16:13
  • @chaft Who knows, maybe a tech tried to scan 192.168.4.X but entered 44 instead, so there can be a lot of possible causes, but one fact exists: it was done from 192.168.5.1 – yagmoth555 Aug 16 '22 at 16:16
  • Actually, to add a bit of paranoia: if such a system in 192.168.44.* did answer, it would have been a unicast answer (contrary to the query, which is a broadcast); only the involved switch(es) or the querying system would be able to capture it, not another system (probably like OP's) in the same LAN (unless there's a hub instead of a switch, but it's 2022). – A.B Aug 17 '22 at 12:13
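Both answers come down to the same triage step: attribute the broadcast ARP requests to the frame's source MAC (first answer) and read the "Who has X? Tell Y" fields to see which IP the sender claims and which range it is sweeping (second answer). The following script is an added example, not code from either answerer; it decodes raw Ethernet II/ARP frames, groups broadcast requests per source MAC, and reports the claimed sender IP, the peak request rate per second, and how many targets fall outside the networks the organisation actually owns. The frames, MAC addresses and the 192.168.5.0/24 "owned" network are constructed sample input; on a real capture you would feed it frames exported from Wireshark or read with a pcap library instead of `sample_capture()`.

```python
import struct
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1


def _mac(b):
    return ":".join(f"{x:02x}" for x in b)


def _ip(b):
    return ".".join(str(x) for x in b)


def parse_arp_frame(frame):
    """Decode an Ethernet II frame carrying ARP over IPv4; return None for anything else."""
    if len(frame) < 42:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "dst_mac": _mac(frame[0:6]),
        "src_mac": _mac(frame[6:12]),    # the NIC that actually put the frame on the wire
        "op": op,
        "sender_ip": _ip(frame[28:32]),  # the "Tell y.y.y.y" part of the request
        "target_ip": _ip(frame[38:42]),  # the "Who has x.x.x.x" part of the request
    }


def build_arp_request(src_mac, sender_ip, target_ip):
    """Construct a broadcast ARP request; used here only to fabricate sample input."""
    mac = bytes.fromhex(src_mac.replace(":", ""))
    eth = bytes.fromhex("ff" * 6) + mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)
    arp += mac + ip_address(sender_ip).packed + bytes(6) + ip_address(target_ip).packed
    return eth + arp


def analyze_arp_requests(frames, owned_networks):
    """Group broadcast ARP requests by source MAC and summarise what each MAC asked for.

    frames: iterable of (timestamp_seconds, raw_frame_bytes).
    owned_networks: CIDR strings for the ranges the organisation really uses.
    """
    owned = [ip_network(n) for n in owned_networks]
    per_mac = defaultdict(lambda: {
        "count": 0, "sender_ips": Counter(), "per_second": Counter(),
        "unowned_targets": 0, "target_subnets": Counter(),
    })
    for ts, raw in frames:
        pkt = parse_arp_frame(raw)
        if pkt is None or pkt["op"] != ARP_REQUEST or pkt["dst_mac"] != BROADCAST_MAC:
            continue  # only broadcast ARP requests contribute to the storm
        rec = per_mac[pkt["src_mac"]]
        rec["count"] += 1
        rec["sender_ips"][pkt["sender_ip"]] += 1
        rec["per_second"][int(ts)] += 1
        target = ip_address(pkt["target_ip"])
        rec["target_subnets"][str(ip_network(f"{target}/24", strict=False))] += 1
        if not any(target in net for net in owned):
            rec["unowned_targets"] += 1
    return {
        mac: {
            "requests": r["count"],
            "claimed_sender_ip": r["sender_ips"].most_common(1)[0][0],
            "peak_per_second": max(r["per_second"].values()),
            "unowned_targets": r["unowned_targets"],
            "target_subnets": dict(r["target_subnets"]),
        }
        for mac, r in per_mac.items()
    }


def sample_capture():
    """Constructed capture: one host sweeps a /24 nobody owns, another host behaves normally."""
    frames = []
    for i in range(200):  # 200 requests inside one second, all for 192.168.44.0/24
        frames.append((i * 0.005, build_arp_request("00:11:22:33:44:55", "192.168.5.1", f"192.168.44.{i + 1}")))
    frames.append((0.5, build_arp_request("00:aa:bb:cc:dd:ee", "192.168.5.20", "192.168.5.1")))
    # an IPv4 (non-ARP) broadcast frame that the parser must ignore
    frames.append((0.6, bytes.fromhex("ff" * 6) + bytes(6) + struct.pack("!H", 0x0800) + bytes(28)))
    return frames


if __name__ == "__main__":
    for mac, summary in analyze_arp_requests(sample_capture(), ["192.168.5.0/24"]).items():
        print(mac, summary)
```

The report keys on the source MAC rather than the claimed sender IP, because the IP in the ARP payload is whatever the sender chose to put there, while the MAC is what the switch's forwarding table can be matched against to find the port. A high `peak_per_second` combined with a large `unowned_targets` count for a single /24 is the signature described in the thread: a sweep of a range that does not exist on the LAN, to which, as A.B notes, any replies would be unicast and invisible to a third-party sniffer.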