After starting to use Wireshark I noticed some odd behaviour



  1. #1
    Join Date
    Aug 2011
    Posts
    33

    After starting to use Wireshark I noticed some odd behaviour

    Hello there,

    I am new to using Wireshark and I've been browsing around the packets a bit. I figured I'd try and use it to cut into a protocol that isn't documented, that I can find, but doesn't seem particularly secure.

    I tried cutting into a protocol and I turned _everything_ off, but Wireshark was still picking up packets left, right and centre. So I decided to stop the internet daemon and still, packets were being sent over the internet. So I decided to pick some of the IPs and do a reverse look-up. Each and every one of the IPs is of Russian origin or close. I'm under the impression that these are unwanted packets. I've also noticed that they are sending data from the same port: 32165. Another thing I noticed while doing reverse look-ups is a lot of these IPs are hit in 'Spam & Open Relay Blocking System' and 'Project Honey Pot' which seem to be spam blockers and trackers.

    Can someone tell me what I should do or what I should investigate? The reverse look-ups are only providing me with the ISP which 'owns' the IP block the IP is a part of. They are from various ISPs every time.

    Here is a list of the IPs:

    Any ideas as to what I should do? The only thing that seems to stop them is physically unplugging my Ethernet cable.

  2. #2
    Join Date
    Jan 2001
    Posts
    517

    relevant thread?

    Hi,


    Have you tried posting on the Wireshark forum?

    http://ask.wireshark.org/

    or looking in this official wiki under "mysterious traffic"

    http://wiki.wireshark.org/NetworkTroubleshooting
    Last edited by ehawk; 08-24-2011 at 05:42 AM. Reason: additional relevant forum identified
