- Did all systems get a proper IP address from the DHCP server, or is a system using APIPA addresses?
- Are the ARP cache timers consistent with the switches' MAC address table?
- Is a system sending out unsolicited ARP responses?

Wireshark helps in answering some of these questions.

Say you are analyzing a network segment where all systems should belong to the subnet 10.1.1.0/24. You can easily spot a misconfigured address mask with the filter

`arp and not (_ipv4 = 10.1.1.0/24 and _ipv4 = 10.1.1.0/24)`

This filter should not deliver any packets.

If a system did not get an IP address, it will likely use a random address from the network 169.254.0.0/16. So the filter `_ipv4 = 169.254.0.0/16` should result in an empty packet list.

Inconsistent timers can hit you quite hard if a system has more than one NIC.
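The same two checks, applied offline to raw ARP payloads, as an added example that is not part of the original post. The sample frames and MAC addresses are constructed, and the function names are hypothetical.

```python
import ipaddress
import struct

EXPECTED = ipaddress.ip_network("10.1.1.0/24")  # segment subnet from the text
APIPA = ipaddress.ip_network("169.254.0.0/16")  # APIPA range from the text
ARP_FMT = "!HHBBH6s4s6s4s"                      # 28-byte IPv4-over-Ethernet ARP

def build_arp(op, sha, spa, tha, tpa):
    """Build a constructed ARP payload for the sample data below."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: ipaddress.ip_address(a).packed
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, mac(sha), ip(spa), mac(tha), ip(tpa))

def parse_arp(payload):
    """Return (sender MAC, sender IP, target IP), or None for anything else."""
    if len(payload) < 28:
        return None  # truncated capture
    htype, ptype, hlen, plen, _op, sha, spa, _tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # not Ethernet/IPv4 ARP
    return sha.hex(":"), ipaddress.ip_address(spa), ipaddress.ip_address(tpa)

def audit(payloads, expected=EXPECTED):
    """Apply both checks; an empty result corresponds to an empty packet list."""
    findings = []
    for index, payload in enumerate(payloads):
        parsed = parse_arp(payload)
        if parsed is None:
            continue
        mac, spa, tpa = parsed
        if spa in APIPA:
            findings.append((index, mac, "apipa-sender", str(spa)))
        elif spa not in expected or tpa not in expected:
            findings.append((index, mac, "outside-subnet", f"{spa} -> {tpa}"))
    return findings

ZERO = "00:00:00:00:00:00"
SAMPLES = [  # constructed frames; MACs are from the documentation range
    build_arp(1, "00:00:5e:00:53:01", "10.1.1.10", ZERO, "10.1.1.1"),        # clean
    build_arp(1, "00:00:5e:00:53:02", "10.1.1.20", ZERO, "10.1.2.1"),        # too-wide mask
    build_arp(1, "00:00:5e:00:53:03", "169.254.37.5", ZERO, "169.254.37.5"), # no DHCP lease
    build_arp(1, "00:00:5e:00:53:04", "10.1.1.30", ZERO, "10.1.1.1")[:20],   # truncated
]

if __name__ == "__main__":
    for finding in audit(SAMPLES):
        print(finding)
```

In this example, ARP probes sent with a sender address of 0.0.0.0 are also reported as `outside-subnet`, so expect those entries while hosts are still acquiring an address.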