# [SOLVED] Trying to learn to read Wire Shark



## Leo G (Mar 8, 2011)

Was watching Wire Shark processing my LAN card while I'm on FireFox and noticed some IPs that kinda struck me as strange [78.46.33.133].

If I just do nothing and watch it process I can see the handshakes with the router and then I see an encrypted handshake with an IP that I don't understand why it's talking to.

```
2042	851.659017	192.168.1.xxx	78.46.33.133	TCP	54	vfo > https [ACK] Seq=1 Ack=1 Win=17520 Len=0
2043	851.679277	192.168.xx.xxx	78.46.33.133	TLSv1	258	Client Hello
2044	851.793198	78.46.33.133	192.168.xx.xxx	TCP	54	https > vfo [ACK] Seq=1 Ack=205 Win=6432 Len=0
2045	851.801889	78.46.33.133	192.168.xx.xxx	TLSv1	1514	Server Hello
2046	851.802165	78.46.33.133	192.168.xx.xxx	TCP	1514	[TCP segment of a reassembled PDU]
2047	851.802207	192.168.xx.xxx	78.46.33.133	TCP	54	vfo > https [ACK] Seq=205 Ack=2921 Win=14600 Len=0
2048	851.802346	78.46.33.133	192.168.xx.xxx	TLSv1	727	Certificate, Server Key Exchange, Server Hello Done
2049	851.809414	192.168.xx.xxx	78.46.33.133	TCP	54	vfo > https [ACK] Seq=205 Ack=3594 Win=17520 Len=0
2050	851.843228	192.168.xx.xxx	78.46.33.133	TLSv1	188	Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
2051	851.960241	78.46.33.133	192.168.xx.xxx	TLSv1	304	Encrypted Handshake Message, Change Cipher Spec, Encrypted Handshake Message
2052	851.972159	192.168.xx.xxx	78.46.33.133	TLSv1	624	Application Data, Application Data
2053	852.091603	78.46.33.133	192.168.xx.xxx	TLSv1	587	Application Data
2054	852.092160	78.46.33.133	192.168.xx.xxx	TCP	54	https > vfo [FIN, ACK] Seq=4377 Ack=909 Win=9120 Len=0
2055	852.092193	192.168.xx.xxx	78.46.33.133	TCP	54	vfo > https [ACK] Seq=909 Ack=4378 Win=16737 Len=0
2056	852.118826	192.168.xx.xxx	78.46.33.133	TLSv1	91	Encrypted Alert
2057	852.118879	192.168.xx.xxx	78.46.33.133	TCP	54	vfo > https [FIN, ACK] Seq=946 Ack=4378 Win=16737 Len=0
2058	852.236771	78.46.33.133	192.168.xx.xxx	TCP	54	https > vfo [ACK] Seq=4378 Ack=947 Win=9083 Len=0
```

I do a TRACERT of the IP and it leads me to a site in Germany.



```
Tracing route to static.133.33.46.78.clients.your-server.de [78.46.33.133]
over a maximum of 30 hops:

  1     4 ms     9 ms     9 ms  xxx.xxx.xx.x
  2    18 ms    29 ms    21 ms  10.4.8.1
  3    16 ms    25 ms    16 ms  ip98-190-163-106.ri.ri.cox.net [98.190.163.106]
  4    19 ms    11 ms    29 ms  ip98-190-161-80.ri.ri.cox.net [98.190.161.80]
  5    18 ms    19 ms    21 ms  ip98-190-33-34.ri.ri.cox.net [98.190.33.34]
  6    16 ms    19 ms    20 ms  provdsrj02-ae3.0.rd.ri.cox.net [98.190.33.26]
  7    21 ms    19 ms    35 ms  68.1.5.161
  8    33 ms    25 ms    30 ms  nyk-s2-rou-1001.US.eurorings.net [134.222.248.13]
  9   118 ms   120 ms   118 ms  nntr-s1-rou-1101.FR.eurorings.net [134.222.226.162]
 10   113 ms   119 ms   117 ms  kehl-s2-rou-1103.DE.eurorings.net [134.222.227.121]
 11   112 ms   107 ms   110 ms  ffm-s1-rou-1102.DE.eurorings.net [134.222.227.177]
 12   122 ms   121 ms   122 ms  nbg-s1-rou-1001.DE.eurorings.net [134.222.227.118]
 13   116 ms   119 ms   119 ms  kpn-gw.hetzner.de [134.222.107.21]
 14   121 ms   116 ms   120 ms  hos-bb2.juniper2.rz10.hetzner.de [213.239.240.141]
 15   129 ms   117 ms   122 ms  hos-tr3.ex3k9.rz10.hetzner.de [213.239.227.202]
 16   228 ms   119 ms   116 ms  static.133.33.46.78.clients.your-server.de [78.46.33.133]

Trace complete.
```


What is this IP? And why is my computer connecting to it?


----------
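An added example, not part of any post in this thread: a Python script that reads packet-list rows like those in the opening post and, for each conversation with a globally routable address, reports who opened it, how many bytes went each way, which TLS messages were seen and which side sent the first FIN. The sample rows are constructed from the post's capture; the tab-separated export layout, the 192.168.1.x addresses and the function names are assumptions.

```python
import ipaddress

# Constructed sample modelled on the capture in the opening post, laid out as a
# tab-separated packet-list export. The 192.168.1.x addresses are made up.
SAMPLE = "\n".join([
    "2043\t851.679277\t192.168.1.10\t78.46.33.133\tTLSv1\t258\tClient Hello",
    "2045\t851.801889\t78.46.33.133\t192.168.1.10\tTLSv1\t1514\tServer Hello",
    "2048\t851.802346\t78.46.33.133\t192.168.1.10\tTLSv1\t727\tCertificate, Server Key Exchange, Server Hello Done",
    "2050\t851.843228\t192.168.1.10\t78.46.33.133\tTLSv1\t188\tClient Key Exchange, Change Cipher Spec, Encrypted Handshake Message",
    "2051\t851.960241\t78.46.33.133\t192.168.1.10\tTLSv1\t304\tEncrypted Handshake Message, Change Cipher Spec, Encrypted Handshake Message",
    "2052\t851.972159\t192.168.1.10\t78.46.33.133\tTLSv1\t624\tApplication Data, Application Data",
    "2054\t852.092160\t78.46.33.133\t192.168.1.10\tTCP\t54\thttps > vfo [FIN, ACK] Seq=4377 Ack=909 Win=9120 Len=0",
    "2060\t853.000000\t192.168.1.10\t192.168.1.1\tDNS\t74\tStandard query A example.com",
])

def is_external(addr):
    """True only for a parseable, globally routable address."""
    try:
        return ipaddress.ip_address(addr).is_global
    except ValueError:  # redacted (192.168.xx.xxx) or resolved-name column
        return False

def summarize(export_text):
    """Per external peer: initiator, bytes each way, TLS messages, first FIN sender."""
    peers = {}
    for line in export_text.splitlines():
        cols = line.split("\t")
        if len(cols) < 7 or not cols[5].isdigit():
            continue  # header, blank or truncated row
        src, dst, proto, length, info = cols[2], cols[3], cols[4], int(cols[5]), cols[6]
        outbound = is_external(dst)
        if not outbound and not is_external(src):
            continue  # LAN-only traffic (router, local DNS, ...)
        side = "local" if outbound else "remote"
        p = peers.setdefault(dst if outbound else src, {
            "initiated_by": side, "bytes_out": 0, "bytes_in": 0,
            "tls": [], "app_data_out": 0, "closed_by": None})
        p["bytes_out" if outbound else "bytes_in"] += length
        if proto.startswith(("TLS", "SSL")):
            msgs = info.split(", ")
            p["tls"] += [m for m in dict.fromkeys(msgs) if m not in p["tls"]]
            if outbound and "Application Data" in msgs:
                p["app_data_out"] += length  # encrypted payload leaving the host
        if "[FIN" in info and p["closed_by"] is None:
            p["closed_by"] = side
    return peers

if __name__ == "__main__":
    print(summarize(SAMPLE))
```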



## Basementgeek (Feb 7, 2005)

*Re: Trying to learn to read Wire Shark*

I see that you have posted the same question at Daniweb also yesterday:

Trying to figure out what Wire Shark is telling me about this IP address. | DaniWeb

Maybe your ISP, Cox, is using it. The info I come up with maybe is
MaxMind.com. Calling your ISP and asking them would be a start.

BG


----------



## Leo G (Mar 8, 2011)

*Re: Trying to learn to read Wire Shark*

You following me around BG LOL

I posted it in another forum besides DaniWeb too, none have been able to help. I did my own research off a hunch and it proved to be correct. Since it was only happening in FireFox I thought maybe it might have to do with my Add Ons. So I turned them all off and the issue went away.

I turned them on one by one and the problem started up again when I activated the Add On ShowIP 2.0. 

I did some research into it but couldn't find much beyond version 1.4. But it did say that it was leaking information to a 3rd party site in Germany. It has been removed from my computer and replaced with FlagFox.

Here is the article that I was able to find.

Privacy concerns over popular ShowIP Firefox add-on | Naked Security


----------



## Masterchiefxx17 (Feb 27, 2010)

Addons are never a good idea.


----------



## Leo G (Mar 8, 2011)

I have a couple I consider essential to my browsing pleasure. Ad Block, No Script and Ghostery. I would hate to have to be without them.


----------



## Basementgeek (Feb 7, 2005)

Not following you around, it is called researching the question.

Been nice to know you were using FF.

BG


----------



## Leo G (Mar 8, 2011)

Basementgeek said:


> Not following you around, it is called researching the question.
> 
> Been nice to know you were using FF.
> 
> BG


1st sentence



> Was watching Wire Shark processing my LAN card while I'm on FireFox and noticed some IPs that kinda struck me as strange [78.46.33.133].


----------



## Basementgeek (Feb 7, 2005)

I stand corrected.

BG


----------

