tcpdump help

casperdaghost · 04-30-2013, 10:05 PM

I did a tcpdump of my wireless network. I have no idea of where this ip 169.254.1.35 is from- how do i begin to find out the source of this IP?

Code:

casper@casper-laptop:~$ sudo tcpdump -A -n -i wlan1 host 169.254.1.35

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan1, link-type EN10MB (Ethernet), capture size 96 bytes
22:42:26.081614 IP 169.254.1.35.7500 > 169.254.1.255.7500: isakmp:
E..@sQ..@..=...#.....L.L.,.o.......'.........LH(...#$...........
22:42:26.602482 IP 169.254.1.35.21302 > 255.255.255.255.21302: UDP, length 1133
E...W...@.s....#....S6S6.u.5<HmaNetConfig>
 <MsgFmtRev>3</MsgFmtRev>
 <Msg
22:42:30.689500 IP 169.254.1.35.62905 > 169.254.1.255.5000: UDP, length 12
E..(:d..@..B...#..........k.CMD...............

casperdaghost · 04-30-2013, 10:29 PM

wait...i think this i a link local address used in address assignment when there is no dhcp.

I just don't know why it keeps pinging each other. I guess there is no leasing.

unSpawn · 05-01-2013, 01:33 AM

Set full payload saving with "-s0" and write the packets to a file with "-w /path/to/file". When done run the saved "/path/to/file" through Wireshark or any other comprehensive network traffic analysis tool and find out what this (XML-like) it's payload is about.