Why would Avast! be trying to send a network packet to another computer?

Colon Terminus

I was running a complete virus scan on the computer with the IP address
192.168.1.100 and it attempted to send an ARP packet to 192.168.1.101.
Does anyone have any idea why it would want to do this?

Here's the complete text from Sygate:
The executable has changed since the last time you used: D:\Program
Files\Alwil Software\Avast4\ashSimpl.exe
File Version : 4.5.536.0
File Description : Virus scanner
File Path : D:\Program Files\Alwil Software\Avast4\ashSimpl.exe
Process ID : 0x30C (Heximal) 780 (Decimal)

Connection origin : local initiated
Protocol : Other
Local Address : 0.0.0.0
Local Port : 0
Remote Name :
Remote Address : 0.0.0.0
Remote Port : 0

Ethernet packet details:
Ethernet II (Packet Length: 56)
Destination: ff-ff-ff-ff-ff-ff
Source: 00-50-ba-5e-48-6b
Type: ARP (0x0806)
Address Resolution Protocol (ARP)
Hardware type: Ethernet (0x0001)
Protocol type: IP (0x0800)
Hardware size: 6
Protocol size: 4
Opcode: Request
Sender hardware address: 00-50-ba-5e-48-6b
Sender IP address: 192.168.1.100
Target hardware address: 00-00-00-00-00-00
Target IP address: 192.168.1.101

Binary dump of the packet:
0000: FF FF FF FF FF FF 00 50 : BA 5E 48 6B 08 06 00 01 | .......P.^Hk....
0010: 08 00 06 04 00 01 00 50 : BA 5E 48 6B C0 A8 01 64 | .......P.^Hk...d
0020: 00 00 00 00 00 00 C0 A8 : 01 65 15 3B 32 9D 50 18 | .........e.;2.P.
0030: FB 6A EA 8A 00 00 00 00 : | .j......
 
kurt wismer

Colon said:
I was running a complete virus scan on the computer with the IP address
192.168.1.100 and it attempted to send an ARP packet to 192.168.1.101.
Does anyone have any idea why it would want to do this?

the address range is within your home network (assuming you have
one)... is it possible you have a mapped network drive? does anything
exist at 192.168.1.101?
 
Colon Terminus

kurt wismer said:
the address range is within your home network (assuming you have
one)... is it possible you have a mapped network drive? does anything
exist at 192.168.1.101?
Yes there's a computer at 192.168.1.101. The network consists of six
computers. Each of the other five map to several resources on 192.168.1.100.
192.168.1.100 does NOT map any drives on any of the other computers.
 
aD

Colon said:
I was running a complete virus scan on the computer with the IP address
192.168.1.100 and it attempted to send an ARP packet to 192.168.1.101.
Does anyone have any idea why it would want to do this?

Is there a computer/device that's on 192.168.1.101? If so, what is it?
How are the host (scanner) and the client (being scanned) connected together?

ARP (Address Resolution Protocol I think) is a method of determining IP
addresses from/to MAC addresses. ARP packets tend only to be sent to a
network switch, but if the two PCs are connected without a hub/switch then
I suppose they would send them directly to each other.

FYI I'm no expert on ARP so the above is a gross simplification and could
be wrong ;-)


aD
 
Colon Terminus

aD said:
Is there a computer/device that's on 192.168.1.101? If so, what is it?
How are the host (scanner) and the client (being scanned) connected
together?

Yes, there's a computer at 192.168.1.101, my wife's computer.
My computer is the one at 192.168.1.100.
They're connected via a network switch.

I don't understand your question about the host and client, they're the same
thing.
 
aD

Colon said:
together?

Yes, there's a computer at 192.168.1.101, my wife's computer.
My computer is the one at 192.168.1.100.
They're connected via a network switch.

I don't understand your question about the host and client, they're the same
thing.

I interpreted your statement:

"I was running a complete virus scan on the computer with the IP address
192.168.1.100"
...that you were scanning one computer from another across the network :)
Hence wanting to know how the two were connected.

I believe if a PC hasn't contacted an IP address on its local subnet
before (or after a certain time since it last has) it will first try to
find out which MAC address it has.

Here's an example. 192.168.1.1 is my desktop PC, 192.168.1.4 is my router.
In this case I ping my router, to which beforehand my PC sends out an ARP
broadcast to ask which physical device has the IP address 192.168.1.4.

The device at 192.168.1.4 replies directly to 192.168.1.1 with its MAC
address.

192.168.1.1 -> Broadcast ARP Who has 192.168.1.4? Tell 192.168.1.1
192.168.1.4 -> 192.168.1.1 ARP 192.168.1.4 is at <MAC address>

I couldn't tell you why exactly Avast wanted to contact your wife's PC, but
would not consider it unusual behaviour or cause for concern. (I know such
a statement could be an oxymoron but that's still my opinion ;-)

As kurt said it could do with a mapped drive, or a previous NetBIOS
announcement from your wife's PC meant Avast "knew" of your wife's PC's
existence, and while bringing up a dialogue box checked it was still there.

aD
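
Added example, not written by any poster in this thread: Python that decodes the Sygate binary dump from the first post and checks that it is an ordinary broadcast ARP who-has for 192.168.1.101, the same kind of request as in the ping example above. The function names are illustrative; the hex rows are copied from the dump in the thread.

```python
import re
import socket
import struct

# Hex rows copied from the Sygate "Binary dump of the packet" in the first post.
SYGATE_DUMP = """\
0000: FF FF FF FF FF FF 00 50 : BA 5E 48 6B 08 06 00 01 | .......P.^Hk....
0010: 08 00 06 04 00 01 00 50 : BA 5E 48 6B C0 A8 01 64 | .......P.^Hk...d
0020: 00 00 00 00 00 00 C0 A8 : 01 65 15 3B 32 9D 50 18 | .........e.;2.P.
0030: FB 6A EA 8A 00 00 00 00 : | .j......
"""

def dump_to_bytes(dump):
    """Keep only the hex columns: drop the offset, the ':' divider and the ASCII pane."""
    out = bytearray()
    for row in dump.splitlines():
        if ":" not in row:
            continue
        hex_part = row.split("|")[0].split(":", 1)[1]
        out += bytes.fromhex("".join(re.findall(r"\b[0-9A-Fa-f]{2}\b", hex_part)))
    return bytes(out)

def mac(b):
    return "-".join(f"{x:02x}" for x in b)

def parse_arp_frame(frame):
    """Decode Ethernet II + ARP (IPv4 over Ethernet); raise ValueError otherwise."""
    if len(frame) < 42:
        raise ValueError("too short for Ethernet header + ARP body")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        raise ValueError("EtherType is not ARP")
    fields = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = fields
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not IPv4-over-Ethernet ARP")
    return {
        "eth_dst": mac(dst), "eth_src": mac(src),
        "opcode": {1: "request", 2: "reply"}.get(op, str(op)),
        "sender_mac": mac(sha), "sender_ip": socket.inet_ntoa(spa),
        "target_mac": mac(tha), "target_ip": socket.inet_ntoa(tpa),
        "trailer": frame[42:],  # bytes after the 28-byte ARP body, not ARP fields
    }

def looks_like_plain_request(f):
    """Broadcast who-has, sender MAC matches the frame source, target MAC still unknown."""
    return (f["opcode"] == "request" and f["eth_dst"] == "ff-ff-ff-ff-ff-ff"
            and f["sender_mac"] == f["eth_src"] and f["target_mac"] == "00-00-00-00-00-00")
```

The decoded fields match what Sygate printed; the 14 bytes after offset 0x29 are frame trailer, not part of the ARP request.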
 
Colon Terminus

Thanks for your response. Although I'm not terribly concerned about it at
this point, I was just wondering what business my AV scanner had poking
around the network. I've sent a query to the tech support folks at Alwil
hoping they can shed some additional light on the subject. If, and it's a
big if, they answer, I'll post their response here under this same subject.
 
