The Official Wireshark Blog

Antivirus Outbreak

by Gerald Combs

Categories: Analysis Info

Wednesday, August 4, 8:00 AM đź”—

We receive a phone call from someone complaining about “Wireshark Antivirus”. I take the call. The person on the other end isn’t able to provide many details other than that a program named “Wireshark Antivirus” is displaying some a shield and directing him to the cacetech.com web site.

This is new. We’ve been on the receiving end of a few false positives in the past but this is new. Some jackass is using our name do do harm.

This will not end well.

Sharkfest ’10 Recap

by Gerald Combs

Categories: Infrastructure

Sharkfest ’10 ended a week ago today and I’m still reeling. The conference started with a keynote from Van Jacobson and ended with one from Harry Saal, two monumental figures in our industry and very nice people to boot. Attendees traveled from all over the globe, from large companies to single-person operations. The presentations were packed with information and it was great to see how experts tackle packet-level network monitoring and troubleshooting. If you missed out we’re getting the presentations online as fast as we can.

T-Mobile: Clever or Insane?

by Gerald Combs

Categories: Analysis
I recently got an Android phone. After downloading the Android SDK I noticed that my cellular provider (T-Mobile) was doing something odd. According to the netcfg command they’re using 25.0.0.0/8 on their GPRS/EDGE network: $ netcfg lo UP 127.0.0.1 255.0.0.0 0x00000049 dummy0 DOWN 0.0.0.0 0.0.0.0 0x00000082 rmnet0 UP 25.130.205.212 255.255.255.252 0x00001043 rmnet1 DOWN 0.0.0.0 0.0.0.0 0x00001002 rmnet2 DOWN 0.0.0.0 0.0.0.0 0x00001002 sit0 DOWN 0.0.0.0 0.0.0.0 0x00000080 ip6tnl0 DOWN 0.0.0.0 0.0.0.0 0x00000080 T-Mobile doesn’t own that netblock. The UK Ministry of Defence does. Why would they do such a thing? After all, RFC 1918 gives you three whole blocks (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) to do with as you please. Straying from those on your private will damn you to an eternity of network flakiness and give your twisted pair cabling scurvy, right? Why this is clever 🔗According to several BGP looking glasses and figure 5 of Geoff Huston’s IPv4 Address Report the Ministry of Defence doesn’t advertise any routes for 25.0.0.0/8. That means that none of the 25.x.x.x addresses are being used on the public Internet. If you’re on a private network they’re effectively free for the taking.