
I'm running Wireshark in Windows inside a virtual machine. Wireshark keeps reporting network activity, even though I don't have anything running in there that's accessing the network.

  • 1
    It depends, you’ll need to examine the ports, protocols, and packets to determine what the activity is. Start with the ports and protocols; that’s easiest. Is it TCP, UDP, ICMP? Is it a known port or an ephemeral port?
    – Synetech
    Commented Mar 5, 2011 at 5:02
  • They're mostly TCP with some UDP. All the local ports are ephemeral ports.
    – tony_sid
    Commented Mar 5, 2011 at 7:35
  • 1. Wireshark should also show the higher-level protocol names (e.g. DNS, NBNS, ARP) along with every packet. Or does it just say "TCP" and nothing else? 2. Which direction are the packets travelling? 3. Do the addresses (IP, Ethernet) match the virtual machine's? There's a slight possibility that you could be seeing your host's or another VM's traffic. 4. Are both ports in the "ephemeral" range? If yes, P2P is a possibility. (I keep receiving BitTorrent traffic long after I close the client.)
    Commented Mar 5, 2011 at 19:18

2 Answers

2

Windows constantly broadcasts NetBIOS node information, just as OSX constantly broadcasts mDNS (Bonjour) information.

1
  • But, you can turn it off if not needed…
    – Synetech
    Commented Mar 5, 2011 at 5:01
2

If you have an ethernet network and any hosts running IP, then you will see occasional ARP (Address Resolution Protocol) messages, even if you aren't actively using the network.

ARP is the protocol that hosts use to figure out which IP addresses match to ethernet addresses (MAC).

For example:

Host 1: Who has 192.168.1.2?

Host 2: I have 192.168.1.2 and my MAC is aa:bb:cc:dd:ee:ff

Now host 1 knows that any packet which has 192.168.1.2 as its destination can be sent in an ethernet packet that has aa:bb:cc:dd:ee:ff as its destination.
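To make the idle chatter from both answers concrete, here is an added example (not from either answer or from Wireshark itself) that builds the ARP request/reply exchange described above plus a NetBIOS name-service broadcast and an mDNS multicast as raw Ethernet frames, then decodes them into Wireshark-style Info lines. All MAC and IP addresses other than aa:bb:cc:dd:ee:ff and 192.168.1.2 are constructed for the example.

```python
import struct
from ipaddress import IPv4Address

# Constructed sample addresses (hypothetical; only aa:bb:cc:dd:ee:ff and
# 192.168.1.2 come from the answer above).
BCAST = b"\xff" * 6
MDNS_MAC = bytes.fromhex("01005e0000fb")       # multicast MAC for 224.0.0.251
MAC1, MAC2 = bytes.fromhex("0a1b2c3d4e5f"), bytes.fromhex("aabbccddeeff")
IP1, IP2 = IPv4Address("192.168.1.1").packed, IPv4Address("192.168.1.2").packed

def arp_frame(op, sha, spa, tha, tpa, dst):
    """Ethernet II + ARP (RFC 826, Ethernet/IPv4): op 1 = request, 2 = reply."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, sha, spa, tha, tpa)
    return dst + sha + b"\x08\x06" + arp

def udp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload=b""):
    """Ethernet II + minimal IPv4 + UDP; checksums left zero (enough to classify)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, src_ip, dst_ip)
    return dst_mac + src_mac + b"\x08\x00" + ip + udp

def describe(frame):
    """Wireshark-style Info text for the idle chatter the answers describe."""
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype == 0x0806:                          # ARP
        op, sha, spa, tha, tpa = struct.unpack("!6xH6s4s6s4s", frame[14:42])
        if op == 1:
            return f"Who has {IPv4Address(tpa)}? Tell {IPv4Address(spa)}"
        if op == 2:
            return f"{IPv4Address(spa)} is at {sha.hex(':')}"
    if etype == 0x0800 and frame[23] == 17:      # IPv4 whose protocol field is UDP
        ihl = (frame[14] & 0x0F) * 4
        sport, dport = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
        names = {137: "NBNS (NetBIOS name service)", 5353: "mDNS (Bonjour)"}
        return f"{names.get(dport, names.get(sport, 'UDP'))} {sport} -> {dport}"
    return f"other ethertype 0x{etype:04x}"

# The exchanges from the answers as constructed frames: the ARP request/reply,
# then the NetBIOS and mDNS broadcasts Windows and OSX send while otherwise idle.
SAMPLES = [
    arp_frame(1, MAC1, IP1, b"\x00" * 6, IP2, BCAST),
    arp_frame(2, MAC2, IP2, MAC1, IP1, MAC1),
    udp_frame(MAC1, BCAST, IP1, IPv4Address("192.168.1.255").packed, 137, 137),
    udp_frame(MAC2, MDNS_MAC, IP2, IPv4Address("224.0.0.251").packed, 5353, 5353),
]

def classify_all(frames=SAMPLES):
    return [describe(f) for f in frames]

if __name__ == "__main__":
    for line in classify_all():
        print(line)
```

Seeing these four Info lines in a capture with no application traffic is normal; the frames are layer-2 broadcasts and multicasts, so you will also see them from other hosts on the same segment if the VM's adapter is bridged.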
