ARP poisoning? ISP?

Deepshark

Hello guys,

I was running some Wireshark over my Ethernet and I kept finding an ARP broadcast coming from an unknown MAC address which is not connected to my router and is asking for IP addresses inside the gateway my router is connected to through PPPoE.
My gateway is 10.0.0.1

I am getting those ARP broadcasts as well as a DHCP offer made from an IP starting with 100 that doesn't belong to my network.
I traced it and it goes back to the IP pool of 10.0.0.1, if I didn't understand it wrong.

I am a bit paranoid. I think this is the ISP sending requests to my router because I replaced the ISP router with my own, and maybe they have set up some VLAN system or something.
But.... I would like to make sure, and if possible block this entirely.

Could you help me?
 

Attachment: wireshark.png

It looks like normal broadcast traffic on your ISP's local network to which your router is connected.

Are you running Wireshark on a PC connected to your LAN? You might be able to stop those packets by setting WAN - Internet Connection > Special Requirement from ISP > Enable VPN + DHCP Connection to No.

P.S. You don't need to redact any of the information you did. None of it is sensitive. The only information that would need to be redacted is your router's public IP address.

P.P.S. Do you have a public IP address? It looks like your ISP might be giving out CG-NAT addresses (100.67.x.y) instead.
 
Yes, Wireshark is running on a PC connected to my LAN.
I will check how I can do this, I was trying to block this on my Asus Merlin but was unable to.

Thanks for the PS, just wanted to be careful as I am not a specialist in networking... I know the basics but this whole thing escapes my knowledge :)

I am not sure about having a public IP Address. It is, perhaps, a possibility.
The ISP in this country works quite differently to others I have been with. There's no fiber at my home; my router is connecting through an Ethernet entering my home, which makes me believe there might be a common building-based ONT serving every other router.
 
P.P.S. Do you have a public IP address? It looks like your ISP might be giving out CG-NAT addresses (100.67.x.y) instead.

That's a good catch - and the 10dots might be additional WAN traffic...

The 10.99.73.1 could be upstream - depends on how the WAN router is configured...

Anyways, not really enough info here to make a determination, but I think this is likely harmless traffic on the ARP side - it's just discovery for IP vs MAC addresses...
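
An added example, not part of the original thread: one way to check captured ARP traffic for the two things discussed above, namely which range an address falls in (RFC 1918 private space vs. the 100.64.0.0/10 CG-NAT range) and whether any IP is claimed by more than one MAC, which is what ARP spoofing looks like as opposed to ordinary who-has broadcasts. The packets, MAC addresses and the 192.168.1.x addresses are constructed sample data, and the function names are hypothetical.

```python
import ipaddress
import struct
from collections import defaultdict

ARP_FMT = "!HHBBH6s4s6s4s"  # 28-byte Ethernet/IPv4 ARP payload
# RFC 1918 private space and the RFC 6598 range used for carrier-grade NAT.
RANGES = {"rfc1918": ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),
          "cgnat": ("100.64.0.0/10",)}

def classify(ip):
    """Label an address as rfc1918, cgnat or other."""
    addr = ipaddress.ip_address(ip)
    for label, nets in RANGES.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return label
    return "other"

def parse_arp(payload):
    """Decode an ARP payload into operation, sender MAC/IP and target IP."""
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = struct.unpack(
        ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"op": {1: "request", 2: "reply"}.get(oper, "other"),
            "sender_mac": sha.hex(":"),
            "sender_ip": str(ipaddress.ip_address(spa)),
            "target_ip": str(ipaddress.ip_address(tpa))}

def conflicting_bindings(packets):
    """Return {ip: sorted MACs} for every IP claimed by more than one MAC."""
    seen = defaultdict(set)
    for p in packets:
        if p["sender_ip"] != "0.0.0.0":  # ARP probes carry no sender IP
            seen[p["sender_ip"]].add(p["sender_mac"])
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}

def build(oper, mac, spa, tpa):
    """Pack a constructed ARP payload (sample data, not a real capture)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, bytes.fromhex(mac),
                       ipaddress.ip_address(spa).packed, bytes(6),
                       ipaddress.ip_address(tpa).packed)

# Constructed samples: two who-has broadcasts, then two conflicting replies.
SAMPLES = [parse_arp(build(*a)) for a in (
    (1, "020000aa0001", "10.0.0.1", "10.0.0.57"),
    (1, "020000aa0001", "10.0.0.1", "10.0.0.58"),
    (2, "020000bb0002", "192.168.1.1", "192.168.1.10"),
    (2, "020000cc0003", "192.168.1.1", "192.168.1.10"),
)]
print(conflicting_bindings(SAMPLES))
```

A DHCP lease moving to a different device produces the same conflict signal, so a hit is a reason to look closer, not proof of spoofing.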
 