keep getting loads of packets addressed to127.0.0.1

[m25man]

just done my first capture but cant make head nor tail of it i have attached the file can any one make sense of this??

I couldn't read it, what did you save it as?

[mac_shinobi]

prolly a daft thought so appologies in advance to the OP and everyone else

You haven't setup or configured a web server anywhere have you ie IIS or apache ??

That or a duff / dead network card ??

[mattx]

Just had a quick look..... Lots of ARP requests......
Also frame 178 has me a little confused. Is that a switch looking for 127.0.0.1 ? As it's pointing to another switch which states it's the same address ? It's as if they are fighting it out between themselves.
Also Sophos is looking for something on a different subnet !!

[mhchs]

i have several iis servers running different web apps. i also have got vmware

[mattx]

Need someone else to back me up but I would look at the configs of the two switches - Netgear ? [ if they are switches ] of frames 178 & 160 - [ the mac addresses are in the capture file ]

[mhchs]

hi i missed that when i looked at it the first time round. nice one i have looked at it again and tracked the device it is a WAP. i went and killed the wap and the switch that its connected to i then run a second scan [ the one attached] i then checked through the logs and noticed it appearing on the next wap in the area and the one next to that and the one next to that...and theone next to that!

they are on frames 96,99,126,137

do you think i may have a rogue wireless device or outside device???

[glennda]

do you wap have a controller? or are they unmanaged?

Edit: what has the addresses that 127.0.0.1 is trying to look up?

for the second round its
10.11.71.103
10.11.71.116
10.11.71.107
10.11.71.114

[mhchs]

Hi thanks for all the replies i have sorted this out now. it seems that aload of the waps have reset and the firm ware has been trashed so im now in the process of redoing all of them.