04-13-2016 01:48 PM - edited 02-21-2020 08:46 PM
Hi friends,
I would like to ask about your opinions.
Looking at an NHRP Traffic Indication packet, in the NHRP Authentication Extension section -> Extension Data subsection, I can see there is a Source Address field, and as a value there is always 99.105.115.99.
Please, see the attached screenshot.
Could anybody give any idea what this source address is, why there is always one and the same value, and what this value means?
Thanks!
Best regards,
Yavor
04-13-2016 02:12 PM
Do you have a diagram that shows your DMVPN setup? Could that IP be the headend's overlay IP? :)
Thank you for rating helpful posts!
04-13-2016 02:29 PM
Hi Neno,
Thank you for your reply!
I've configured the DMVPN in my lab environment.
Please, find the diagram as an attached file.
The DMVPN works between R1, R2, R3 and R4. R1 is the NHS.
This address is not owned by any of the devices at all. That was why I was surprised by it.
With my best regards,
Yavor
04-13-2016 03:17 PM
I've just found the answer :-)
It was a kind of misinterpretation done by Wireshark.
When I looked at the hex pane I found that the hex value of that IP was "63 69 73 63".
After decoding the hex to text it became clear that it was a part of the string "63 69 73 63 6f" misinterpreted by Wireshark as an IP address. That was why it was one and the same in every packet.
63 69 73 63 6f -> cisco :-)
Please, see the attached files.
Best regards,
Yavor
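The misreading described in the post above can be reproduced offline. This is an added example, not part of the original thread: it assumes the RFC 2332 layout of the Authentication Extension data (2-byte reserved field, 2-byte SPI, source address, authentication data), and the 4-byte header in the sample is constructed; only the bytes `63 69 73 63 6f` come from the post.

```python
import ipaddress
import string

# Constructed sample: the first 4 bytes are an assumed placeholder header;
# the last 5 bytes are the ones quoted in the post (63 69 73 63 6f).
SAMPLE_EXT_DATA = bytes.fromhex("00000001636973636f")

PRINTABLE = set(string.ascii_letters + string.digits + string.punctuation + " ")


def decode_rfc2332(data):
    """Field-by-field view, assuming the RFC 2332 layout with an IPv4 source."""
    if len(data) < 8:
        raise ValueError("extension data shorter than header + IPv4 address")
    return {
        "reserved": int.from_bytes(data[0:2], "big"),
        "spi": int.from_bytes(data[2:4], "big"),
        "src_addr": str(ipaddress.IPv4Address(data[4:8])),
        "auth_data": data[8:],
    }


def decode_as_text(data):
    """Alternative view: everything after the 4-byte header as one ASCII string."""
    text = data[4:].decode("ascii", errors="replace")
    return text if text and all(c in PRINTABLE for c in text) else None


def analyse(data):
    """Return both views and flag a source address that is really string data."""
    fields = decode_rfc2332(data)
    fields["text_view"] = decode_as_text(data)
    # If the whole payload is printable ASCII, the "address" is most likely
    # the first four characters of a string, not an address on the network.
    fields["src_addr_suspect"] = fields["text_view"] is not None
    return fields


if __name__ == "__main__":
    for name, value in analyse(SAMPLE_EXT_DATA).items():
        print(f"{name:17} {value!r}")
```

An address that is identical in every packet and belongs to no device in the topology, as in this thread, is the cue to run this kind of check against the hex pane before treating it as unknown traffic.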
04-13-2016 03:37 PM
Ahh :) Well good job resolving your own problem! Also, thank you for taking the time to come back and post the solution here. (+5 from me).
Now, since your issue is resolved, you should mark the thread as "answered" ;)
04-13-2016 03:49 PM
Neno,
Thank you for your prompt answers and readiness to help as well as for the 5s!
During the examination of the packets it was really weird to see such an unknown IP address in my flows :-)
That's why I asked the friends here.
Thanks once again!
Best regards,
Yavor
04-13-2016 04:21 PM
No problem and it is a good thing that you are paying attention to such scenarios. You never know where an attack might be coming from :)