LLMNR AAAA wpad & A wpad Entrys in Wireshark its Normal or an network issue





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box;
}







0















I have questions on my wireshark result from today.



It is normally Windows conduct or is malware or something else on the machine ?



wireshark plain text output:



    Frame 3: 58 bytes on wire (464 bits), 58 bytes captured (464 bits) on interface 0
Ethernet II, Src: HewlettP_57:cf:35 (c8:cb:b8:57:cf:35), Dst: d8:50:e6:d5:19:d5 (d8:50:e6:d5:19:d5)
Internet Protocol Version 4, Src: 192.168.0.56 (192.168.0.56), Dst: 192.168.0.40 (192.168.0.40)
Transmission Control Protocol, Src Port: 59762 (59762), Dst Port: 63065 (63065), Seq: 0, Len: 0

No. Time Source Destination Protocol Length Info
4 0.097359000 192.168.0.40 192.168.0.255 NBNS 92 Name query NB WPAD<00>

Frame 4: 92 bytes on wire (736 bits), 92 bytes captured (736 bits) on interface 0
Ethernet II, Src: d8:50:e6:d5:19:d5 (d8:50:e6:d5:19:d5), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol Version 4, Src: 192.168.0.40 (192.168.0.40), Dst: 192.168.0.255 (192.168.0.255)
User Datagram Protocol, Src Port: netbios-ns (137), Dst Port: netbios-ns (137)
NetBIOS Name Service

No. Time Source Destination Protocol Length Info
5 0.109102000 192.168.0.56 192.168.0.40 TCP 58 59763 > 9268 [SYN] Seq=0 Win=1024 Len=0 MSS=1460

Frame 5: 58 bytes on wire (464 bits), 58 bytes captured (464 bits) on interface 0
Ethernet II, Src: HewlettP_57:cf:35 (c8:cb:b8:57:cf:35), Dst: d8:50:e6:d5:19:d5 (d8:50:e6:d5:19:d5)
Internet Protocol Version 4, Src: 192.168.0.56 (192.168.0.56), Dst: 192.168.0.40 (192.168.0.40)
Transmission Control Protocol, Src Port: 59763 (59763), Dst Port: 9268 (9268), Seq: 0, Len: 0

No. Time Source Destination Protocol Length Info
6 0.109763000 fe80::e9c8:ef0:d851:4841 ff02::1:3 LLMNR 84 Standard query 0x30c2 AAAA wpad

Frame 6: 84 bytes on wire (672 bits), 84 bytes captured (672 bits) on interface 0
Ethernet II, Src: d8:50:e6:d5:19:d5 (d8:50:e6:d5:19:d5), Dst: IPv6mcast_00:01:00:03 (33:33:00:01:00:03)
Internet Protocol Version 6, Src: fe80::e9c8:ef0:d851:4841 (fe80::e9c8:ef0:d851:4841), Dst: ff02::1:3 (ff02::1:3)
User Datagram Protocol, Src Port: 57886 (57886), Dst Port: llmnr (5355)
Link-local Multicast Name Resolution (query)

No. Time Source Destination Protocol Length Info
7 0.109777000 fe80::e9c8:ef0:d851:4841 ff02::1:3 LLMNR 84 Standard query 0x3db1 A wpad

Frame 7: 84 bytes on wire (672 bits), 84 bytes captured (672 bits) on interface 0
Ethernet II, Src: d8:50:e6:d5:19:d5 (d8:50:e6:d5:19:d5), Dst: IPv6mcast_00:01:00:03 (33:33:00:01:00:03)
Internet Protocol Version 6, Src: fe80::e9c8:ef0:d851:4841 (fe80::e9c8:ef0:d851:4841), Dst: ff02::1:3 (ff02::1:3)
User Datagram Protocol, Src Port: 50687 (50687), Dst Port: llmnr (5355)
Link-local Multicast Name Resolution (query)

No. Time Source Destination Protocol Length Info
8 0.109896000 192.168.0.40 224.0.0.252 LLMNR 64 Standard query 0x3db1 A wpad

Frame 8: 64 bytes on wire (512 bits), 64 bytes captured (512 bits) on interface 0
Ethernet II, Src: d8:50:e6:d5:19:d5 (d8:50:e6:d5:19:d5), Dst: IPv4mcast_00:00:fc (01:00:5e:00:00:fc)
Internet Protocol Version 4, Src: 192.168.0.40 (192.168.0.40), Dst: 224.0.0.252 (224.0.0.252)
User Datagram Protocol, Src Port: 50687 (50687), Dst Port: llmnr (5355)
Link-local Multicast Name Resolution (query)

No. Time Source Destination Protocol Length Info
9 0.110017000 192.168.0.40 224.0.0.252 LLMNR 64 Standard query 0x30c2 AAAA wpad









share|improve this question































    0















    I have questions on my wireshark result from today.



    It is normally Windows conduct or is malware or something else on the machine ?



    wireshark plain text output:



        Frame 3: 58 bytes on wire (464 bits), 58 bytes captured (464 bits) on interface 0
    Ethernet II, Src: HewlettP_57:cf:35 (c8:cb:b8:57:cf:35), Dst: d8:50:e6:d5:19:d5 (d8:50:e6:d5:19:d5)
    Internet Protocol Version 4, Src: 192.168.0.56 (192.168.0.56), Dst: 192.168.0.40 (192.168.0.40)
    Transmission Control Protocol, Src Port: 59762 (59762), Dst Port: 63065 (63065), Seq: 0, Len: 0

    No. Time Source Destination Protocol Length Info
    4 0.097359000 192.168.0.40 192.168.0.255 NBNS 92 Name query NB WPAD<00>

    Frame 4: 92 bytes on wire (736 bits), 92 bytes captured (736 bits) on interface 0
    Ethernet II, Src: d8:50:e6:d5:19:d5 (d8:50:e6:d5:19:d5), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
    Internet Protocol Version 4, Src: 192.168.0.40 (192.168.0.40), Dst: 192.168.0.255 (192.168.0.255)
    User Datagram Protocol, Src Port: netbios-ns (137), Dst Port: netbios-ns (137)
    NetBIOS Name Service

    No. Time Source Destination Protocol Length Info
    5 0.109102000 192.168.0.56 192.168.0.40 TCP 58 59763 > 9268 [SYN] Seq=0 Win=1024 Len=0 MSS=1460

    Frame 5: 58 bytes on wire (464 bits), 58 bytes captured (464 bits) on interface 0
    Ethernet II, Src: HewlettP_57:cf:35 (c8:cb:b8:57:cf:35), Dst: d8:50:e6:d5:19:d5 (d8:50:e6:d5:19:d5)
    Internet Protocol Version 4, Src: 192.168.0.56 (192.168.0.56), Dst: 192.168.0.40 (192.168.0.40)
    Transmission Control Protocol, Src Port: 59763 (59763), Dst Port: 9268 (9268), Seq: 0, Len: 0

    No. Time Source Destination Protocol Length Info
    6 0.109763000 fe80::e9c8:ef0:d851:4841 ff02::1:3 LLMNR 84 Standard query 0x30c2 AAAA wpad

    Frame 6: 84 bytes on wire (672 bits), 84 bytes captured (672 bits) on interface 0
    Ethernet II, Src: d8:50:e6:d5:19:d5 (d8:50:e6:d5:19:d5), Dst: IPv6mcast_00:01:00:03 (33:33:00:01:00:03)
    Internet Protocol Version 6, Src: fe80::e9c8:ef0:d851:4841 (fe80::e9c8:ef0:d851:4841), Dst: ff02::1:3 (ff02::1:3)
    User Datagram Protocol, Src Port: 57886 (57886), Dst Port: llmnr (5355)
    Link-local Multicast Name Resolution (query)

    No. Time Source Destination Protocol Length Info
    7 0.109777000 fe80::e9c8:ef0:d851:4841 ff02::1:3 LLMNR 84 Standard query 0x3db1 A wpad

    Frame 7: 84 bytes on wire (672 bits), 84 bytes captured (672 bits) on interface 0
    Ethernet II, Src: d8:50:e6:d5:19:d5 (d8:50:e6:d5:19:d5), Dst: IPv6mcast_00:01:00:03 (33:33:00:01:00:03)
    Internet Protocol Version 6, Src: fe80::e9c8:ef0:d851:4841 (fe80::e9c8:ef0:d851:4841), Dst: ff02::1:3 (ff02::1:3)
    User Datagram Protocol, Src Port: 50687 (50687), Dst Port: llmnr (5355)
    Link-local Multicast Name Resolution (query)

    No. Time Source Destination Protocol Length Info
    8 0.109896000 192.168.0.40 224.0.0.252 LLMNR 64 Standard query 0x3db1 A wpad

    Frame 8: 64 bytes on wire (512 bits), 64 bytes captured (512 bits) on interface 0
    Ethernet II, Src: d8:50:e6:d5:19:d5 (d8:50:e6:d5:19:d5), Dst: IPv4mcast_00:00:fc (01:00:5e:00:00:fc)
    Internet Protocol Version 4, Src: 192.168.0.40 (192.168.0.40), Dst: 224.0.0.252 (224.0.0.252)
    User Datagram Protocol, Src Port: 50687 (50687), Dst Port: llmnr (5355)
    Link-local Multicast Name Resolution (query)

    No. Time Source Destination Protocol Length Info
    9 0.110017000 192.168.0.40 224.0.0.252 LLMNR 64 Standard query 0x30c2 AAAA wpad









    share|improve this question



























      0












      0








      0








      I have questions on my wireshark result from today.



      It is normally Windows conduct or is malware or something else on the machine ?



      wireshark plain text output:



          Frame 3: 58 bytes on wire (464 bits), 58 bytes captured (464 bits) on interface 0
      Ethernet II, Src: HewlettP_57:cf:35 (c8:cb:b8:57:cf:35), Dst: d8:50:e6:d5:19:d5 (d8:50:e6:d5:19:d5)
      Internet Protocol Version 4, Src: 192.168.0.56 (192.168.0.56), Dst: 192.168.0.40 (192.168.0.40)
      Transmission Control Protocol, Src Port: 59762 (59762), Dst Port: 63065 (63065), Seq: 0, Len: 0

      No. Time Source Destination Protocol Length Info
      4 0.097359000 192.168.0.40 192.168.0.255 NBNS 92 Name query NB WPAD<00>

      Frame 4: 92 bytes on wire (736 bits), 92 bytes captured (736 bits) on interface 0
      Ethernet II, Src: d8:50:e6:d5:19:d5 (d8:50:e6:d5:19:d5), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
      Internet Protocol Version 4, Src: 192.168.0.40 (192.168.0.40), Dst: 192.168.0.255 (192.168.0.255)
      User Datagram Protocol, Src Port: netbios-ns (137), Dst Port: netbios-ns (137)
      NetBIOS Name Service

      No. Time Source Destination Protocol Length Info
      5 0.109102000 192.168.0.56 192.168.0.40 TCP 58 59763 > 9268 [SYN] Seq=0 Win=1024 Len=0 MSS=1460

      Frame 5: 58 bytes on wire (464 bits), 58 bytes captured (464 bits) on interface 0
      Ethernet II, Src: HewlettP_57:cf:35 (c8:cb:b8:57:cf:35), Dst: d8:50:e6:d5:19:d5 (d8:50:e6:d5:19:d5)
      Internet Protocol Version 4, Src: 192.168.0.56 (192.168.0.56), Dst: 192.168.0.40 (192.168.0.40)
      Transmission Control Protocol, Src Port: 59763 (59763), Dst Port: 9268 (9268), Seq: 0, Len: 0

      No. Time Source Destination Protocol Length Info
      6 0.109763000 fe80::e9c8:ef0:d851:4841 ff02::1:3 LLMNR 84 Standard query 0x30c2 AAAA wpad

      Frame 6: 84 bytes on wire (672 bits), 84 bytes captured (672 bits) on interface 0
      Ethernet II, Src: d8:50:e6:d5:19:d5 (d8:50:e6:d5:19:d5), Dst: IPv6mcast_00:01:00:03 (33:33:00:01:00:03)
      Internet Protocol Version 6, Src: fe80::e9c8:ef0:d851:4841 (fe80::e9c8:ef0:d851:4841), Dst: ff02::1:3 (ff02::1:3)
      User Datagram Protocol, Src Port: 57886 (57886), Dst Port: llmnr (5355)
      Link-local Multicast Name Resolution (query)

      No. Time Source Destination Protocol Length Info
      7 0.109777000 fe80::e9c8:ef0:d851:4841 ff02::1:3 LLMNR 84 Standard query 0x3db1 A wpad

      Frame 7: 84 bytes on wire (672 bits), 84 bytes captured (672 bits) on interface 0
      Ethernet II, Src: d8:50:e6:d5:19:d5 (d8:50:e6:d5:19:d5), Dst: IPv6mcast_00:01:00:03 (33:33:00:01:00:03)
      Internet Protocol Version 6, Src: fe80::e9c8:ef0:d851:4841 (fe80::e9c8:ef0:d851:4841), Dst: ff02::1:3 (ff02::1:3)
      User Datagram Protocol, Src Port: 50687 (50687), Dst Port: llmnr (5355)
      Link-local Multicast Name Resolution (query)

      No. Time Source Destination Protocol Length Info
      8 0.109896000 192.168.0.40 224.0.0.252 LLMNR 64 Standard query 0x3db1 A wpad

      Frame 8: 64 bytes on wire (512 bits), 64 bytes captured (512 bits) on interface 0
      Ethernet II, Src: d8:50:e6:d5:19:d5 (d8:50:e6:d5:19:d5), Dst: IPv4mcast_00:00:fc (01:00:5e:00:00:fc)
      Internet Protocol Version 4, Src: 192.168.0.40 (192.168.0.40), Dst: 224.0.0.252 (224.0.0.252)
      User Datagram Protocol, Src Port: 50687 (50687), Dst Port: llmnr (5355)
      Link-local Multicast Name Resolution (query)

      No. Time Source Destination Protocol Length Info
      9 0.110017000 192.168.0.40 224.0.0.252 LLMNR 64 Standard query 0x30c2 AAAA wpad









      share|improve this question
















      I have questions on my wireshark result from today.



      It is normally Windows conduct or is malware or something else on the machine ?



      wireshark plain text output:



          Frame 3: 58 bytes on wire (464 bits), 58 bytes captured (464 bits) on interface 0
      Ethernet II, Src: HewlettP_57:cf:35 (c8:cb:b8:57:cf:35), Dst: d8:50:e6:d5:19:d5 (d8:50:e6:d5:19:d5)
      Internet Protocol Version 4, Src: 192.168.0.56 (192.168.0.56), Dst: 192.168.0.40 (192.168.0.40)
      Transmission Control Protocol, Src Port: 59762 (59762), Dst Port: 63065 (63065), Seq: 0, Len: 0

      No. Time Source Destination Protocol Length Info
      4 0.097359000 192.168.0.40 192.168.0.255 NBNS 92 Name query NB WPAD<00>

      Frame 4: 92 bytes on wire (736 bits), 92 bytes captured (736 bits) on interface 0
      Ethernet II, Src: d8:50:e6:d5:19:d5 (d8:50:e6:d5:19:d5), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
      Internet Protocol Version 4, Src: 192.168.0.40 (192.168.0.40), Dst: 192.168.0.255 (192.168.0.255)
      User Datagram Protocol, Src Port: netbios-ns (137), Dst Port: netbios-ns (137)
      NetBIOS Name Service

      No. Time Source Destination Protocol Length Info
      5 0.109102000 192.168.0.56 192.168.0.40 TCP 58 59763 > 9268 [SYN] Seq=0 Win=1024 Len=0 MSS=1460

      Frame 5: 58 bytes on wire (464 bits), 58 bytes captured (464 bits) on interface 0
      Ethernet II, Src: HewlettP_57:cf:35 (c8:cb:b8:57:cf:35), Dst: d8:50:e6:d5:19:d5 (d8:50:e6:d5:19:d5)
      Internet Protocol Version 4, Src: 192.168.0.56 (192.168.0.56), Dst: 192.168.0.40 (192.168.0.40)
      Transmission Control Protocol, Src Port: 59763 (59763), Dst Port: 9268 (9268), Seq: 0, Len: 0

      No. Time Source Destination Protocol Length Info
      6 0.109763000 fe80::e9c8:ef0:d851:4841 ff02::1:3 LLMNR 84 Standard query 0x30c2 AAAA wpad

      Frame 6: 84 bytes on wire (672 bits), 84 bytes captured (672 bits) on interface 0
      Ethernet II, Src: d8:50:e6:d5:19:d5 (d8:50:e6:d5:19:d5), Dst: IPv6mcast_00:01:00:03 (33:33:00:01:00:03)
      Internet Protocol Version 6, Src: fe80::e9c8:ef0:d851:4841 (fe80::e9c8:ef0:d851:4841), Dst: ff02::1:3 (ff02::1:3)
      User Datagram Protocol, Src Port: 57886 (57886), Dst Port: llmnr (5355)
      Link-local Multicast Name Resolution (query)

      No. Time Source Destination Protocol Length Info
      7 0.109777000 fe80::e9c8:ef0:d851:4841 ff02::1:3 LLMNR 84 Standard query 0x3db1 A wpad

      Frame 7: 84 bytes on wire (672 bits), 84 bytes captured (672 bits) on interface 0
      Ethernet II, Src: d8:50:e6:d5:19:d5 (d8:50:e6:d5:19:d5), Dst: IPv6mcast_00:01:00:03 (33:33:00:01:00:03)
      Internet Protocol Version 6, Src: fe80::e9c8:ef0:d851:4841 (fe80::e9c8:ef0:d851:4841), Dst: ff02::1:3 (ff02::1:3)
      User Datagram Protocol, Src Port: 50687 (50687), Dst Port: llmnr (5355)
      Link-local Multicast Name Resolution (query)

      No. Time Source Destination Protocol Length Info
      8 0.109896000 192.168.0.40 224.0.0.252 LLMNR 64 Standard query 0x3db1 A wpad

      Frame 8: 64 bytes on wire (512 bits), 64 bytes captured (512 bits) on interface 0
      Ethernet II, Src: d8:50:e6:d5:19:d5 (d8:50:e6:d5:19:d5), Dst: IPv4mcast_00:00:fc (01:00:5e:00:00:fc)
      Internet Protocol Version 4, Src: 192.168.0.40 (192.168.0.40), Dst: 224.0.0.252 (224.0.0.252)
      User Datagram Protocol, Src Port: 50687 (50687), Dst Port: llmnr (5355)
      Link-local Multicast Name Resolution (query)

      No. Time Source Destination Protocol Length Info
      9 0.110017000 192.168.0.40 224.0.0.252 LLMNR 64 Standard query 0x30c2 AAAA wpad






      networking internet-explorer






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Mar 7 '16 at 5:29









      fixer1234

      19.5k145082




      19.5k145082










      asked Dec 4 '14 at 12:05









      AcsChristophAcsChristoph

      324




      324






















          1 Answer
          1






          active

          oldest

          votes


















          0














          This is "normal" traffic, in that WPAD is a browser looking for a proxy via an auto-configuration script.



          This is a known security vulnerability, though - it is very easy for a Man-In-The-Middle attack to spoof an auto-configuration script, and become your proxy.



          I'd Google WPAD, and then either configure it through DHCP, or turn it off completely and set your proxy through other means.



          Hope This Helps!






          share|improve this answer
























            Your Answer








            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "3"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f848441%2fllmnr-aaaa-wpad-a-wpad-entrys-in-wireshark-its-normal-or-an-network-issue%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            0














            This is "normal" traffic, in that WPAD is a browser looking for a proxy via an auto-configuration script.



            This is a known security vulnerability, though - it is very easy for a Man-In-The-Middle attack to spoof an auto-configuration script, and become your proxy.



            I'd Google WPAD, and then either configure it through DHCP, or turn it off completely and set your proxy through other means.



            Hope This Helps!






            share|improve this answer




























              0














              This is "normal" traffic, in that WPAD is a browser looking for a proxy via an auto-configuration script.



              This is a known security vulnerability, though - it is very easy for a Man-In-The-Middle attack to spoof an auto-configuration script, and become your proxy.



              I'd Google WPAD, and then either configure it through DHCP, or turn it off completely and set your proxy through other means.



              Hope This Helps!






              share|improve this answer


























                0












                0








                0







                This is "normal" traffic, in that WPAD is a browser looking for a proxy via an auto-configuration script.



                This is a known security vulnerability, though - it is very easy for a Man-In-The-Middle attack to spoof an auto-configuration script, and become your proxy.



                I'd Google WPAD, and then either configure it through DHCP, or turn it off completely and set your proxy through other means.



                Hope This Helps!






                share|improve this answer













                This is "normal" traffic, in that WPAD is a browser looking for a proxy via an auto-configuration script.



                This is a known security vulnerability, though - it is very easy for a Man-In-The-Middle attack to spoof an auto-configuration script, and become your proxy.



                I'd Google WPAD, and then either configure it through DHCP, or turn it off completely and set your proxy through other means.



                Hope This Helps!







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered Nov 6 '15 at 20:00









                Andy KauffmanAndy Kauffman

                1




                1






























                    draft saved

                    draft discarded




















































                    Thanks for contributing an answer to Super User!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f848441%2fllmnr-aaaa-wpad-a-wpad-entrys-in-wireshark-its-normal-or-an-network-issue%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    Popular posts from this blog

                    Plaza Victoria

                    Puebla de Zaragoza

                    Musa