Basically in the from address field rather than showing a full ip address it’s just shown as 250. I assume this means 250.00.00.00.
Anyone know what this is?
I am curious as it sometimes requests the address of something that can’t be found, often clearly garbage. At other times it requests the address of some rather odd names. Also, would you believe it requested the address of wireshark.org while I was using it.
Hi
What protocol? Sounds like it may be a broadcast/multicast type event. Did you save the Wireshark trace? Can you grab a screenshot of the packet capture?
Agreed, it’d help to actually see what you are seeing. I do not have a ‘From’ field in Wireshark, though I have ‘Source’ in various headers (IP, UDP, etc.) and if you really see ‘From’ instead then perhaps you’re looking at a different layer, or are on a different version of the application.
With that said, 250.x.x.x (if that is what is being represented… the hex equivalent may be useful) is in the experimental range of IPs… it doesn’t belong anywhere on your system, much less the Internet.
Source - from, same to me. I do have a log. My main reason for firing up Wireshark was to look at mDNS for AirPrint. The from 250’s came as a surprise. Also, since my son switched on his laptop, all of the NetBIOS DNS calls. The iPods look to be well behaved.
Anyway, sticking to the from 250’s: 0FFH is 255, so 250 will be 0FAH. xxxxxx ending 102 is my machine.
Click on the row with 250 and then show the packet details with the layer 3/4/+ sections expanded. This should show a fair bit of information on what is really happening. The view you have there is just the summary, and isn’t that useful for troubleshooting or identifying details.
If you do not have the Packet Details pane, add it, probably under the preferences/View section of Wireshark.
Solved, after a fashion. It was so unexpected I didn’t think. Wireshark is resolving my router’s name, which it seems is 250.
I assume that the DNS requests are coming from a browser. This probably explains why I find the net is slow when I have rather a lot of tabs on the go. Looks like a tab being out of focus doesn’t stop it from doing what it wants to do.
I was hoping that is what Wireshark was showing, but before you attribute slowness here or there keep in mind that the reason this “helpful” reverse resolution was taking place is that you have Wireshark configured to do the reverse lookup. In the Wireshark settings I typically turn off all kinds of resolution for a couple of reasons:
Slow loading of stuff. Bleh… but this should only affect when Wireshark is running, not when you happen to be browsing any other time w/out Wireshark capturing or opening a previous capture file.
This thread. I.e. confusion over what is seen in Wireshark vs. what is really on the wire. ‘250’ doesn’t exist anywhere in the packets, but being helpful and pretty often hinders proper troubleshooting. Case in point: everything Microsoft ever created… lots of problems, lots of hiding of details, lots of difficulty to troubleshoot.
Anyway, I’d recommend doing the same and disabling lookups/name resolution in Wireshark, but it’s a personal decision. Either way, your browser shouldn’t be slow because of this setting, and I doubt your browser is looking up your router’s name for any reason. Turning off IPv6 may help with browsing speed (avoid AAAA lookups needlessly unless you can actually handle IPv6 end-to-end from your location, which is possible, but not the norm yet), as may fixing whatever is using mDNS in your environment, but that’s also a guess, and a slightly more wild one than the IPv6 bit. Be sure you aren’t using any home DNS stuff ending in .local since that’s reserved per RFC for mDNS, which is usually not what you want to have configured unless you really know you want it.
Think there is a bit of a misunderstanding on the slow browser. Nothing to do with Wireshark.
It isn’t all that unusual for me to have, say, 20 tabs open in a browser. These days most web pages communicate something or other to some server over the net even after they are loaded. I haven’t used Wireshark for a number of years and am surprised how much traffic 20 loaded web pages can generate.
I have just been looking around to see if there are any applications that can track back to what processes are generating the traffic. Nearest is nethogs, but it looks like it doesn’t track DNS requests etc. Probably just TCP. Another application, iftop, seems to track all, but just shows the ports being used.
Since Firefox all runs under one main process you’re going to have a hard time finding something that will tell you which tab is doing what… otherwise you can get what you want to the process level using built-in commands (ss, or the older netstat):
Code:
/usr/sbin/ss -planeto | grep :80
That should show you everything with :80 anywhere in the line, which will probably have a majority of hits to things going to the web, though you’ll probably want :443 a lot of the time too. Anyway, a problem you may have with this is that DNS requests are both fast and, contributing to their speed, happening primarily via UDP (so no “connection” to track).
If you want to see what your browser’s loaded tabs are doing grab Firebug and you can use it to watch exactly what a page does when it is loading, sitting idle, etc. Wonder what call is made when you move your mouse over an area and something is pulled up dynamically? Yeah, it’s all there. This may not lead directly to what is making DNS requests, but combining this view with your Wireshark stuff should give you a good picture.
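Two points made in the posts above, that the “250” Wireshark shows comes from reverse lookups Wireshark itself sends rather than from anything in the captured packets, and that DNS rides on UDP so no connection ever appears in ss, are easier to see by decoding the DNS query payload directly. The following is an added example, not code from anyone in this thread: a minimal Python decoder for the DNS question section, run over constructed queries (the 192.168.1.1 router address and the host names are made up for the demo) and sorted into reverse (in-addr.arpa), mDNS .local, AAAA and ordinary forward lookups.

```python
import struct
QTYPES = {1: "A", 12: "PTR", 28: "AAAA"}  # the record types discussed in the thread

def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(txid, name, qtype):
    """Header (id, flags 0x0100 = standard query with RD, one question) + question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN

def decode_name(payload, offset):
    """Read labels from offset; return (name, offset just past the terminating zero)."""
    labels = []
    while payload[offset] != 0:
        length = payload[offset]
        labels.append(payload[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), offset + 1

def parse_query(payload):
    """Return id, name and type of a single-question query; rejects responses."""
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    name, off = decode_name(payload, 12)
    qtype, _qclass = struct.unpack("!HH", payload[off:off + 4])
    return {"id": txid, "name": name, "qtype": QTYPES.get(qtype, str(qtype))}

def classify(query):
    """Sort a query the way the thread does."""
    name = query["name"].lower()
    if name.endswith((".in-addr.arpa", ".ip6.arpa")):
        return "reverse lookup (what Wireshark's own name resolution generates)"
    if name.endswith(".local"):
        return "mDNS name (.local is reserved for mDNS by RFC 6762)"
    if query["qtype"] == "AAAA":
        return "IPv6 address lookup"
    return "forward lookup"

SAMPLES = [  # constructed queries, not traffic from the thread
    build_query(0x1234, "1.1.168.192.in-addr.arpa", 12),  # PTR for 192.168.1.1
    build_query(0x1235, "printer.local", 1),
    build_query(0x1236, "www.wireshark.org", 28),
    build_query(0x1237, "forums.opensuse.org", 1),
]

if __name__ == "__main__":
    for raw in SAMPLES:
        q = parse_query(raw)
        print(f"{q['id']:#06x} {q['qtype']:<4} {q['name']:<26} {classify(q)}")
```

The PTR query in the first sample is the kind of packet Wireshark’s name resolution setting adds to a capture; the name “250” never appears on the wire, only the router’s address does.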
Strictly speaking,
If you’re not trying to discover some unknown issue on your network but only want to understand what happens when you load webpages,
You shouldn’t be using Wireshark.
In your specific case, you only want a “trace” of what happens when you load specific pages,
And this is best done by simply running a debugging tool within your web browser.
On Firefox, the standard plugin is Firebug.
But, the best tool I’ve found is built into all Chrome family browsers (Chrome, Chromium, Canary, plus misc other browsers which use the same engine).
From within a Chrome family browser, press CTL-SHFT-J (a different kind of 3-finger salute).
You can explore all the different debugging tools that become available, but of special interest for what you’re describing you should look at the “Network” tab, which lists all the remote connections you’ve just made in a GANTT chart. In this tab, as well as the console, which is what you see initially, errors and various special issues with loading the page like the possible name resolution issues are listed.
So, this will quickly tell you whether the web page really is trying to resolve an odd name, when, and possibly what component (e.g. an advertisement).
On 09/30/2013 03:26 PM, tsu2 wrote:
> On Firefox, the standard plugin is Firebug.
>
> But, the best tool I’ve found is built into all Chrome family browsers
> (Chrome, Chromium, Canary, plus misc other browsers which use the same
> engine).
> From within a Chrome family browser, press CTL-SHFT-J (a different kind
> of 3-finger salute).
>
> You can explore all the different debugging tools that become available,
> but of special interest for what you’re describing you should look at
> the “Network” tab which lists all the remote connections you’ve just
> made in a GANTT chart. In this tab as well as the console which is what
> you see initially, errors and various special issues with loading the
> page like the possible name resolution issues are listed.
To me this GANTT chart looks like the one that Firebug has under the ‘Net’ section of its little window too. I didn’t know about Ctrl+Shift+J in Chromium/Chrome though… nice.
Now the 250 is out of the way my interest is curiosity - other than which browser does least.
The 2 applications I mentioned can be useful along with Wireshark.
This is a log of activity using iftop. I chose this one with a smile on my face and it’s nothing to worry about: Opera just sitting there doing nothing, and it hadn’t for some time.
The icy… address is a radio station - Magic 105 streaming into VLC. If I didn’t know that I could probably track it down via the port usage. I assume Linux has something to do that.
The openSUSE forum links are self explanatory. The other addresses are what are used in some way or other by numerous companies. In this case if one of the IP addresses is used with host in the console it will show them as NXDOMAIN, which in this case means they don’t have a www.whatever address. One of the RIPE searches will search a number of databases, and 130.57.66.4 comes up with this:
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf
% Information related to '130.57.0.0 - 130.57.255.255'
inetnum: 130.57.0.0 - 130.57.255.255
org: NOVELL-1
netname: ATTACHMATE-INC
status: assignment
changed: unread@ripe.net 20000101
tech-c: DUMY-RIPE
source: ARIN-GRS
remarks: ****************************
remarks: * THIS OBJECT IS MODIFIED
remarks: * Please note that all data that is generally regarded as personal
remarks: * data has been removed from this object.
remarks: * To view the original object, please query the ARIN Database at:
remarks: * http://www.arin.net/
remarks: ****************************
% This query was served by the RIPE Database Query Service version 1.69 (WHOIS3)
Basically it’s in a block of unassigned IP addresses owned by Novell and in this case is being used sensibly. That isn’t always the case.
The other software I mentioned, nethogs, would only show that VLC was using the web under the same circumstances as above, as it only shows application use. It would also show Opera as Novell back this up as I type it and yet again when I post it.
:) Like I said, curiosity really, and on the side which browser looks the least offensive.