LLMNR AAAA wpad & A wpad Entrys in Wireshark its Normal or an network issue
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box;
}
I have questions on my wireshark result from today.
It is normally Windows conduct or is malware or something else on the machine ?
wireshark plain text output:
Frame 3: 58 bytes on wire (464 bits), 58 bytes captured (464 bits) on interface 0
Ethernet II, Src: HewlettP_57:cf:35 (c8:cb:b8:57:cf:35), Dst: d8:50:e6:d5:19:d5 (d8:50:e6:d5:19:d5)
Internet Protocol Version 4, Src: 192.168.0.56 (192.168.0.56), Dst: 192.168.0.40 (192.168.0.40)
Transmission Control Protocol, Src Port: 59762 (59762), Dst Port: 63065 (63065), Seq: 0, Len: 0
No. Time Source Destination Protocol Length Info
4 0.097359000 192.168.0.40 192.168.0.255 NBNS 92 Name query NB WPAD<00>
Frame 4: 92 bytes on wire (736 bits), 92 bytes captured (736 bits) on interface 0
Ethernet II, Src: d8:50:e6:d5:19:d5 (d8:50:e6:d5:19:d5), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol Version 4, Src: 192.168.0.40 (192.168.0.40), Dst: 192.168.0.255 (192.168.0.255)
User Datagram Protocol, Src Port: netbios-ns (137), Dst Port: netbios-ns (137)
NetBIOS Name Service
No. Time Source Destination Protocol Length Info
5 0.109102000 192.168.0.56 192.168.0.40 TCP 58 59763 > 9268 [SYN] Seq=0 Win=1024 Len=0 MSS=1460
Frame 5: 58 bytes on wire (464 bits), 58 bytes captured (464 bits) on interface 0
Ethernet II, Src: HewlettP_57:cf:35 (c8:cb:b8:57:cf:35), Dst: d8:50:e6:d5:19:d5 (d8:50:e6:d5:19:d5)
Internet Protocol Version 4, Src: 192.168.0.56 (192.168.0.56), Dst: 192.168.0.40 (192.168.0.40)
Transmission Control Protocol, Src Port: 59763 (59763), Dst Port: 9268 (9268), Seq: 0, Len: 0
No. Time Source Destination Protocol Length Info
6 0.109763000 fe80::e9c8:ef0:d851:4841 ff02::1:3 LLMNR 84 Standard query 0x30c2 AAAA wpad
Frame 6: 84 bytes on wire (672 bits), 84 bytes captured (672 bits) on interface 0
Ethernet II, Src: d8:50:e6:d5:19:d5 (d8:50:e6:d5:19:d5), Dst: IPv6mcast_00:01:00:03 (33:33:00:01:00:03)
Internet Protocol Version 6, Src: fe80::e9c8:ef0:d851:4841 (fe80::e9c8:ef0:d851:4841), Dst: ff02::1:3 (ff02::1:3)
User Datagram Protocol, Src Port: 57886 (57886), Dst Port: llmnr (5355)
Link-local Multicast Name Resolution (query)
No. Time Source Destination Protocol Length Info
7 0.109777000 fe80::e9c8:ef0:d851:4841 ff02::1:3 LLMNR 84 Standard query 0x3db1 A wpad
Frame 7: 84 bytes on wire (672 bits), 84 bytes captured (672 bits) on interface 0
Ethernet II, Src: d8:50:e6:d5:19:d5 (d8:50:e6:d5:19:d5), Dst: IPv6mcast_00:01:00:03 (33:33:00:01:00:03)
Internet Protocol Version 6, Src: fe80::e9c8:ef0:d851:4841 (fe80::e9c8:ef0:d851:4841), Dst: ff02::1:3 (ff02::1:3)
User Datagram Protocol, Src Port: 50687 (50687), Dst Port: llmnr (5355)
Link-local Multicast Name Resolution (query)
No. Time Source Destination Protocol Length Info
8 0.109896000 192.168.0.40 224.0.0.252 LLMNR 64 Standard query 0x3db1 A wpad
Frame 8: 64 bytes on wire (512 bits), 64 bytes captured (512 bits) on interface 0
Ethernet II, Src: d8:50:e6:d5:19:d5 (d8:50:e6:d5:19:d5), Dst: IPv4mcast_00:00:fc (01:00:5e:00:00:fc)
Internet Protocol Version 4, Src: 192.168.0.40 (192.168.0.40), Dst: 224.0.0.252 (224.0.0.252)
User Datagram Protocol, Src Port: 50687 (50687), Dst Port: llmnr (5355)
Link-local Multicast Name Resolution (query)
No. Time Source Destination Protocol Length Info
9 0.110017000 192.168.0.40 224.0.0.252 LLMNR 64 Standard query 0x30c2 AAAA wpad
networking internet-explorer
add a comment |
I have questions on my wireshark result from today.
It is normally Windows conduct or is malware or something else on the machine ?
wireshark plain text output:
Frame 3: 58 bytes on wire (464 bits), 58 bytes captured (464 bits) on interface 0
Ethernet II, Src: HewlettP_57:cf:35 (c8:cb:b8:57:cf:35), Dst: d8:50:e6:d5:19:d5 (d8:50:e6:d5:19:d5)
Internet Protocol Version 4, Src: 192.168.0.56 (192.168.0.56), Dst: 192.168.0.40 (192.168.0.40)
Transmission Control Protocol, Src Port: 59762 (59762), Dst Port: 63065 (63065), Seq: 0, Len: 0
No. Time Source Destination Protocol Length Info
4 0.097359000 192.168.0.40 192.168.0.255 NBNS 92 Name query NB WPAD<00>
Frame 4: 92 bytes on wire (736 bits), 92 bytes captured (736 bits) on interface 0
Ethernet II, Src: d8:50:e6:d5:19:d5 (d8:50:e6:d5:19:d5), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol Version 4, Src: 192.168.0.40 (192.168.0.40), Dst: 192.168.0.255 (192.168.0.255)
User Datagram Protocol, Src Port: netbios-ns (137), Dst Port: netbios-ns (137)
NetBIOS Name Service
No. Time Source Destination Protocol Length Info
5 0.109102000 192.168.0.56 192.168.0.40 TCP 58 59763 > 9268 [SYN] Seq=0 Win=1024 Len=0 MSS=1460
Frame 5: 58 bytes on wire (464 bits), 58 bytes captured (464 bits) on interface 0
Ethernet II, Src: HewlettP_57:cf:35 (c8:cb:b8:57:cf:35), Dst: d8:50:e6:d5:19:d5 (d8:50:e6:d5:19:d5)
Internet Protocol Version 4, Src: 192.168.0.56 (192.168.0.56), Dst: 192.168.0.40 (192.168.0.40)
Transmission Control Protocol, Src Port: 59763 (59763), Dst Port: 9268 (9268), Seq: 0, Len: 0
No. Time Source Destination Protocol Length Info
6 0.109763000 fe80::e9c8:ef0:d851:4841 ff02::1:3 LLMNR 84 Standard query 0x30c2 AAAA wpad
Frame 6: 84 bytes on wire (672 bits), 84 bytes captured (672 bits) on interface 0
Ethernet II, Src: d8:50:e6:d5:19:d5 (d8:50:e6:d5:19:d5), Dst: IPv6mcast_00:01:00:03 (33:33:00:01:00:03)
Internet Protocol Version 6, Src: fe80::e9c8:ef0:d851:4841 (fe80::e9c8:ef0:d851:4841), Dst: ff02::1:3 (ff02::1:3)
User Datagram Protocol, Src Port: 57886 (57886), Dst Port: llmnr (5355)
Link-local Multicast Name Resolution (query)
No. Time Source Destination Protocol Length Info
7 0.109777000 fe80::e9c8:ef0:d851:4841 ff02::1:3 LLMNR 84 Standard query 0x3db1 A wpad
Frame 7: 84 bytes on wire (672 bits), 84 bytes captured (672 bits) on interface 0
Ethernet II, Src: d8:50:e6:d5:19:d5 (d8:50:e6:d5:19:d5), Dst: IPv6mcast_00:01:00:03 (33:33:00:01:00:03)
Internet Protocol Version 6, Src: fe80::e9c8:ef0:d851:4841 (fe80::e9c8:ef0:d851:4841), Dst: ff02::1:3 (ff02::1:3)
User Datagram Protocol, Src Port: 50687 (50687), Dst Port: llmnr (5355)
Link-local Multicast Name Resolution (query)
No. Time Source Destination Protocol Length Info
8 0.109896000 192.168.0.40 224.0.0.252 LLMNR 64 Standard query 0x3db1 A wpad
Frame 8: 64 bytes on wire (512 bits), 64 bytes captured (512 bits) on interface 0
Ethernet II, Src: d8:50:e6:d5:19:d5 (d8:50:e6:d5:19:d5), Dst: IPv4mcast_00:00:fc (01:00:5e:00:00:fc)
Internet Protocol Version 4, Src: 192.168.0.40 (192.168.0.40), Dst: 224.0.0.252 (224.0.0.252)
User Datagram Protocol, Src Port: 50687 (50687), Dst Port: llmnr (5355)
Link-local Multicast Name Resolution (query)
No. Time Source Destination Protocol Length Info
9 0.110017000 192.168.0.40 224.0.0.252 LLMNR 64 Standard query 0x30c2 AAAA wpad
networking internet-explorer
add a comment |
I have questions on my wireshark result from today.
It is normally Windows conduct or is malware or something else on the machine ?
wireshark plain text output:
Frame 3: 58 bytes on wire (464 bits), 58 bytes captured (464 bits) on interface 0
Ethernet II, Src: HewlettP_57:cf:35 (c8:cb:b8:57:cf:35), Dst: d8:50:e6:d5:19:d5 (d8:50:e6:d5:19:d5)
Internet Protocol Version 4, Src: 192.168.0.56 (192.168.0.56), Dst: 192.168.0.40 (192.168.0.40)
Transmission Control Protocol, Src Port: 59762 (59762), Dst Port: 63065 (63065), Seq: 0, Len: 0
No. Time Source Destination Protocol Length Info
4 0.097359000 192.168.0.40 192.168.0.255 NBNS 92 Name query NB WPAD<00>
Frame 4: 92 bytes on wire (736 bits), 92 bytes captured (736 bits) on interface 0
Ethernet II, Src: d8:50:e6:d5:19:d5 (d8:50:e6:d5:19:d5), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol Version 4, Src: 192.168.0.40 (192.168.0.40), Dst: 192.168.0.255 (192.168.0.255)
User Datagram Protocol, Src Port: netbios-ns (137), Dst Port: netbios-ns (137)
NetBIOS Name Service
No. Time Source Destination Protocol Length Info
5 0.109102000 192.168.0.56 192.168.0.40 TCP 58 59763 > 9268 [SYN] Seq=0 Win=1024 Len=0 MSS=1460
Frame 5: 58 bytes on wire (464 bits), 58 bytes captured (464 bits) on interface 0
Ethernet II, Src: HewlettP_57:cf:35 (c8:cb:b8:57:cf:35), Dst: d8:50:e6:d5:19:d5 (d8:50:e6:d5:19:d5)
Internet Protocol Version 4, Src: 192.168.0.56 (192.168.0.56), Dst: 192.168.0.40 (192.168.0.40)
Transmission Control Protocol, Src Port: 59763 (59763), Dst Port: 9268 (9268), Seq: 0, Len: 0
No. Time Source Destination Protocol Length Info
6 0.109763000 fe80::e9c8:ef0:d851:4841 ff02::1:3 LLMNR 84 Standard query 0x30c2 AAAA wpad
Frame 6: 84 bytes on wire (672 bits), 84 bytes captured (672 bits) on interface 0
Ethernet II, Src: d8:50:e6:d5:19:d5 (d8:50:e6:d5:19:d5), Dst: IPv6mcast_00:01:00:03 (33:33:00:01:00:03)
Internet Protocol Version 6, Src: fe80::e9c8:ef0:d851:4841 (fe80::e9c8:ef0:d851:4841), Dst: ff02::1:3 (ff02::1:3)
User Datagram Protocol, Src Port: 57886 (57886), Dst Port: llmnr (5355)
Link-local Multicast Name Resolution (query)
No. Time Source Destination Protocol Length Info
7 0.109777000 fe80::e9c8:ef0:d851:4841 ff02::1:3 LLMNR 84 Standard query 0x3db1 A wpad
Frame 7: 84 bytes on wire (672 bits), 84 bytes captured (672 bits) on interface 0
Ethernet II, Src: d8:50:e6:d5:19:d5 (d8:50:e6:d5:19:d5), Dst: IPv6mcast_00:01:00:03 (33:33:00:01:00:03)
Internet Protocol Version 6, Src: fe80::e9c8:ef0:d851:4841 (fe80::e9c8:ef0:d851:4841), Dst: ff02::1:3 (ff02::1:3)
User Datagram Protocol, Src Port: 50687 (50687), Dst Port: llmnr (5355)
Link-local Multicast Name Resolution (query)
No. Time Source Destination Protocol Length Info
8 0.109896000 192.168.0.40 224.0.0.252 LLMNR 64 Standard query 0x3db1 A wpad
Frame 8: 64 bytes on wire (512 bits), 64 bytes captured (512 bits) on interface 0
Ethernet II, Src: d8:50:e6:d5:19:d5 (d8:50:e6:d5:19:d5), Dst: IPv4mcast_00:00:fc (01:00:5e:00:00:fc)
Internet Protocol Version 4, Src: 192.168.0.40 (192.168.0.40), Dst: 224.0.0.252 (224.0.0.252)
User Datagram Protocol, Src Port: 50687 (50687), Dst Port: llmnr (5355)
Link-local Multicast Name Resolution (query)
No. Time Source Destination Protocol Length Info
9 0.110017000 192.168.0.40 224.0.0.252 LLMNR 64 Standard query 0x30c2 AAAA wpad
networking internet-explorer
I have questions on my wireshark result from today.
It is normally Windows conduct or is malware or something else on the machine ?
wireshark plain text output:
Frame 3: 58 bytes on wire (464 bits), 58 bytes captured (464 bits) on interface 0
Ethernet II, Src: HewlettP_57:cf:35 (c8:cb:b8:57:cf:35), Dst: d8:50:e6:d5:19:d5 (d8:50:e6:d5:19:d5)
Internet Protocol Version 4, Src: 192.168.0.56 (192.168.0.56), Dst: 192.168.0.40 (192.168.0.40)
Transmission Control Protocol, Src Port: 59762 (59762), Dst Port: 63065 (63065), Seq: 0, Len: 0
No. Time Source Destination Protocol Length Info
4 0.097359000 192.168.0.40 192.168.0.255 NBNS 92 Name query NB WPAD<00>
Frame 4: 92 bytes on wire (736 bits), 92 bytes captured (736 bits) on interface 0
Ethernet II, Src: d8:50:e6:d5:19:d5 (d8:50:e6:d5:19:d5), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol Version 4, Src: 192.168.0.40 (192.168.0.40), Dst: 192.168.0.255 (192.168.0.255)
User Datagram Protocol, Src Port: netbios-ns (137), Dst Port: netbios-ns (137)
NetBIOS Name Service
No. Time Source Destination Protocol Length Info
5 0.109102000 192.168.0.56 192.168.0.40 TCP 58 59763 > 9268 [SYN] Seq=0 Win=1024 Len=0 MSS=1460
Frame 5: 58 bytes on wire (464 bits), 58 bytes captured (464 bits) on interface 0
Ethernet II, Src: HewlettP_57:cf:35 (c8:cb:b8:57:cf:35), Dst: d8:50:e6:d5:19:d5 (d8:50:e6:d5:19:d5)
Internet Protocol Version 4, Src: 192.168.0.56 (192.168.0.56), Dst: 192.168.0.40 (192.168.0.40)
Transmission Control Protocol, Src Port: 59763 (59763), Dst Port: 9268 (9268), Seq: 0, Len: 0
No. Time Source Destination Protocol Length Info
6 0.109763000 fe80::e9c8:ef0:d851:4841 ff02::1:3 LLMNR 84 Standard query 0x30c2 AAAA wpad
Frame 6: 84 bytes on wire (672 bits), 84 bytes captured (672 bits) on interface 0
Ethernet II, Src: d8:50:e6:d5:19:d5 (d8:50:e6:d5:19:d5), Dst: IPv6mcast_00:01:00:03 (33:33:00:01:00:03)
Internet Protocol Version 6, Src: fe80::e9c8:ef0:d851:4841 (fe80::e9c8:ef0:d851:4841), Dst: ff02::1:3 (ff02::1:3)
User Datagram Protocol, Src Port: 57886 (57886), Dst Port: llmnr (5355)
Link-local Multicast Name Resolution (query)
No. Time Source Destination Protocol Length Info
7 0.109777000 fe80::e9c8:ef0:d851:4841 ff02::1:3 LLMNR 84 Standard query 0x3db1 A wpad
Frame 7: 84 bytes on wire (672 bits), 84 bytes captured (672 bits) on interface 0
Ethernet II, Src: d8:50:e6:d5:19:d5 (d8:50:e6:d5:19:d5), Dst: IPv6mcast_00:01:00:03 (33:33:00:01:00:03)
Internet Protocol Version 6, Src: fe80::e9c8:ef0:d851:4841 (fe80::e9c8:ef0:d851:4841), Dst: ff02::1:3 (ff02::1:3)
User Datagram Protocol, Src Port: 50687 (50687), Dst Port: llmnr (5355)
Link-local Multicast Name Resolution (query)
No. Time Source Destination Protocol Length Info
8 0.109896000 192.168.0.40 224.0.0.252 LLMNR 64 Standard query 0x3db1 A wpad
Frame 8: 64 bytes on wire (512 bits), 64 bytes captured (512 bits) on interface 0
Ethernet II, Src: d8:50:e6:d5:19:d5 (d8:50:e6:d5:19:d5), Dst: IPv4mcast_00:00:fc (01:00:5e:00:00:fc)
Internet Protocol Version 4, Src: 192.168.0.40 (192.168.0.40), Dst: 224.0.0.252 (224.0.0.252)
User Datagram Protocol, Src Port: 50687 (50687), Dst Port: llmnr (5355)
Link-local Multicast Name Resolution (query)
No. Time Source Destination Protocol Length Info
9 0.110017000 192.168.0.40 224.0.0.252 LLMNR 64 Standard query 0x30c2 AAAA wpad
networking internet-explorer
networking internet-explorer
edited Mar 7 '16 at 5:29
fixer1234
19.5k145082
19.5k145082
asked Dec 4 '14 at 12:05
AcsChristophAcsChristoph
324
324
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
This is "normal" traffic, in that WPAD is a browser looking for a proxy via an auto-configuration script.
This is a known security vulnerability, though - it is very easy for a Man-In-The-Middle attack to spoof an auto-configuration script, and become your proxy.
I'd Google WPAD, and then either configure it through DHCP, or turn it off completely and set your proxy through other means.
Hope This Helps!
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f848441%2fllmnr-aaaa-wpad-a-wpad-entrys-in-wireshark-its-normal-or-an-network-issue%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
This is "normal" traffic, in that WPAD is a browser looking for a proxy via an auto-configuration script.
This is a known security vulnerability, though - it is very easy for a Man-In-The-Middle attack to spoof an auto-configuration script, and become your proxy.
I'd Google WPAD, and then either configure it through DHCP, or turn it off completely and set your proxy through other means.
Hope This Helps!
add a comment |
This is "normal" traffic, in that WPAD is a browser looking for a proxy via an auto-configuration script.
This is a known security vulnerability, though - it is very easy for a Man-In-The-Middle attack to spoof an auto-configuration script, and become your proxy.
I'd Google WPAD, and then either configure it through DHCP, or turn it off completely and set your proxy through other means.
Hope This Helps!
add a comment |
This is "normal" traffic, in that WPAD is a browser looking for a proxy via an auto-configuration script.
This is a known security vulnerability, though - it is very easy for a Man-In-The-Middle attack to spoof an auto-configuration script, and become your proxy.
I'd Google WPAD, and then either configure it through DHCP, or turn it off completely and set your proxy through other means.
Hope This Helps!
This is "normal" traffic, in that WPAD is a browser looking for a proxy via an auto-configuration script.
This is a known security vulnerability, though - it is very easy for a Man-In-The-Middle attack to spoof an auto-configuration script, and become your proxy.
I'd Google WPAD, and then either configure it through DHCP, or turn it off completely and set your proxy through other means.
Hope This Helps!
answered Nov 6 '15 at 20:00
Andy KauffmanAndy Kauffman
1
1
add a comment |
add a comment |
Thanks for contributing an answer to Super User!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f848441%2fllmnr-aaaa-wpad-a-wpad-entrys-in-wireshark-its-normal-or-an-network-issue%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown