Unassigned LAN address keeps pinging the broadcast address



  • I have an address (192.168.1.149) that continually pings 192.168.1.255. The address is not assigned nor does it show up on the ARP table. This address is outside the DCHP range so I would have to manually assign it. Sorry if this is the wrong board. Any help is appreciated.

    Thanks



  • Help to do what - identify the traffic? find the system so you can shut it down?

    "ping" means repeatedly sends SOMETHING or ping as in ICMP echo request such as generated by ping command?

    What is the subnet mask on your network? It is not clear if the traffic is a subnet broadcast or directed at a specific system. The title says broadcast address but that could mean MAC broadcast address.



  • Help to do what - identify the traffic? find the system so you can shut it down?

    I can ping the address (192.168.1.149) from the firewall but this is outside the DCHP range which is 192.168.1.2-192.168.1.99. I am not sure how this address is valid. Again, this address would have to be statically assigned. Yes. I need some help finding this system.

    "ping" means repeatedly sends SOMETHING or ping as in ICMP echo request such as generated by ping command?
    **Here is the wireshark output. These echo requests will continue to be captured as long as wireshark is actively running.

    2 0.050071000 192.168.1.149 192.168.1.255 ICMP 98 Echo (ping) request  id=0x093c, seq=3653/17678, ttl=64**

    What is the subnet mask on your network? It is not clear if the traffic is a subnet broadcast or directed at a specific system. The title says broadcast address but that could mean MAC broadcast address.

    Subnet mask = 255.255.255.0.

    Thanks



  • C>ping 192.168.1.149    Does it respond to pings?  If yes-

    C:>ping -t 192.168.1.149

    Unplug patchcords from your switch until the pings stop responding.  Follow that line.

    Have an access point?  Maybe someone figured out your pass…

    How many users on your network?

    Little more info...



  • Ping it, and check your ARP cache (run "arp -a", whether Windows, OS X, BSD, Linux). Put the first 6 characters in here
    http://www.coffer.com/mac_find/
    and you'll find the vendor of the NIC (assuming someone hasn't changed it). The MAC will show up there whether or not it responds to pings if it's actively on the network.

    It's a valid IP because it's within your subnet, outside the DHCP range doesn't make it invalid. Why it's pinging the broadcast address is another question, that's unusual behavior, you'll have to find what it is first. If you have a managed switch you can take that MAC and figure out what port it's plugged into and track it down from there. Otherwise you'll have to do as others suggested, unplug cables one by one and see when it stops, then trace the cables back.

    May also want to run "nmap -O 192.168.1.149" from a system with nmap installed, which will use its OS detection to possibly give you a better idea of what it is.



  • Thanks guys. It was an AP.


Log in to reply