I really couldn't see what area of the forum to post this in so this is where I thought it might best go. MODs, move it to the appropriate forum area if there is a better place for it please.

Was watching Wireshark processing my LAN card while I'm on Firefox and noticed some IPs that kinda struck me as strange [78.46.33.133].

If I just do nothing and watch it process I can see the handshakes with the router and then I see an encrypted handshake with an IP that I don't understand why it's talking to.

2042 851.659017 192.168.1.xxx 78.46.33.133 TCP 54 vfo > https [ACK] Seq=1 Ack=1 Win=17520 Len=0
2043 851.679277 192.168.xx.xxx 78.46.33.133 TLSv1 258 Client Hello
2044 851.793198 78.46.33.133 192.168.xx.xxx TCP 54 https > vfo [ACK] Seq=1 Ack=205 Win=6432 Len=0
2045 851.801889 78.46.33.133 192.168.xx.xxx TLSv1 1514 Server Hello
2046 851.802165 78.46.33.133 192.168.xx.xxx TCP 1514 [TCP segment of a reassembled PDU]
2047 851.802207 192.168.xx.xxx 78.46.33.133 TCP 54 vfo > https [ACK] Seq=205 Ack=2921 Win=14600 Len=0
2048 851.802346 78.46.33.133 192.168.xx.xxx TLSv1 727 Certificate, Server Key Exchange, Server Hello Done
2049 851.809414 192.168.xx.xxx 78.46.33.133 TCP 54 vfo > https [ACK] Seq=205 Ack=3594 Win=17520 Len=0
2050 851.843228 192.168.xx.xxx 78.46.33.133 TLSv1 188 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
2051 851.960241 78.46.33.133 192.168.xx.xxx TLSv1 304 Encrypted Handshake Message, Change Cipher Spec, Encrypted Handshake Message
2052 851.972159 192.168.xx.xxx 78.46.33.133 TLSv1 624 Application Data, Application Data
2053 852.091603 78.46.33.133 192.168.xx.xxx TLSv1 587 Application Data
2054 852.092160 78.46.33.133 192.168.xx.xxx TCP 54 https > vfo [FIN, ACK] Seq=4377 Ack=909 Win=9120 Len=0
2055 852.092193 192.168.xx.xxx 78.46.33.133 TCP 54 vfo > https [ACK] Seq=909 Ack=4378 Win=16737 Len=0
2056 852.118826 192.168.xx.xxx 78.46.33.133 TLSv1 91 Encrypted Alert
2057 852.118879 192.168.xx.xxx 78.46.33.133 TCP 54 vfo > https [FIN, ACK] Seq=946 Ack=4378 Win=16737 Len=0
2058 852.236771 78.46.33.133 192.168.xx.xxx TCP 54 https > vfo [ACK] Seq=4378 Ack=947 Win=9083 Len=0

I do a TRACERT of the IP and it leads me to a site in Germany.

Tracing route to static.133.33.46.78.clients.your-server.de [78.46.33.133]
over a maximum of 30 hops:

1 4 ms 9 ms 9 ms xxx.xxx.xx.x
2 18 ms 29 ms 21 ms 10.4.8.1
3 16 ms 25 ms 16 ms ip98-190-163-106.ri.ri.cox.net [98.190.163.106]
4 19 ms 11 ms 29 ms ip98-190-161-80.ri.ri.cox.net [98.190.161.80]
5 18 ms 19 ms 21 ms ip98-190-33-34.ri.ri.cox.net [98.190.33.34]
6 16 ms 19 ms 20 ms provdsrj02-ae3.0.rd.ri.cox.net [98.190.33.26]
7 21 ms 19 ms 35 ms 68.1.5.161
8 33 ms 25 ms 30 ms nyk-s2-rou-1001.US.eurorings.net [134.222.248.13]
9 118 ms 120 ms 118 ms nntr-s1-rou-1101.FR.eurorings.net [134.222.226.162]
10 113 ms 119 ms 117 ms kehl-s2-rou-1103.DE.eurorings.net [134.222.227.121]
11 112 ms 107 ms 110 ms ffm-s1-rou-1102.DE.eurorings.net [134.222.227.177]
12 122 ms 121 ms 122 ms nbg-s1-rou-1001.DE.eurorings.net [134.222.227.118]
13 116 ms 119 ms 119 ms kpn-gw.hetzner.de [134.222.107.21]
14 121 ms 116 ms 120 ms hos-bb2.juniper2.rz10.hetzner.de [213.239.240.141]
15 129 ms 117 ms 122 ms hos-tr3.ex3k9.rz10.hetzner.de [213.239.227.202]
16 228 ms 119 ms 116 ms static.133.33.46.78.clients.your-server.de [78.46.33.133]

Trace complete.

What is this IP? And why is my computer connecting to it?

Actually, I think I've figured it out.

I was thinking and a thought hit me. Since it was only happening on Firefox maybe it was an Add On. So I disabled all of them. And the problem went away. Then I put them back online one at a time. And I finally came to one that the IP started showing up again.

It is an Add On that displays the IP of the site I am currently on. I am making an assumption that the person who wrote the Add On is from Germany, and he references an IP checking site that is also located in Germany.

I will be looking into the Add On a little more closely when I get home and have the time to delve into the program a little more.

I may have to get rid of it if it is going to be doing more than just showing the IP of the site I'm at.

I just don't understand why it pings the site so often, and not just when I move to a different site in my browser.

Edited by Leo G
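
An added example, not part of the original thread: one way to check from an exported Wireshark packet list whether a remote host is being contacted on a timer rather than on page navigation, which is the behaviour the last post describes. The sample lines are constructed with documentation-range addresses, and the `192.168.` local prefix and both thresholds are assumptions.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample in Wireshark's packet-list text layout
# (No. Time Source Destination Protocol Length Info).
# Addresses are documentation ranges, not values from the thread.
SAMPLE = """\
10 12.100000 192.168.1.20 203.0.113.7 TLSv1 258 Client Hello
11 12.210000 203.0.113.7 192.168.1.20 TLSv1 1514 Server Hello
40 72.300000 192.168.1.20 203.0.113.7 TLSv1 258 Client Hello
55 80.000000 192.168.1.20 198.51.100.9 TLSv1 258 Client Hello
90 132.250000 192.168.1.20 203.0.113.7 TLSv1 258 Client Hello
130 192.400000 192.168.1.20 203.0.113.7 TLSv1 258 Client Hello
"""

LINE = re.compile(r"^\s*(\d+)\s+(\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(.*)$")

def client_hello_times(text, local_prefix="192.168."):
    """Map each remote address to the times the local host sent it a Client Hello."""
    times = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip headers, blank lines, anything not a packet row
        _, ts, src, dst, proto, _, info = m.groups()
        outbound = src.startswith(local_prefix)  # assumed LAN prefix
        if outbound and proto.startswith(("TLS", "SSL")) and "Client Hello" in info:
            times[dst].append(float(ts))
    return times

def periodic_remotes(text, min_sessions=3, max_jitter=0.1):
    """Return {remote: mean interval in s} for remotes contacted at near-constant intervals."""
    result = {}
    for remote, ts in client_hello_times(text).items():
        if len(ts) < min_sessions:
            continue  # too few sessions to call it a pattern
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        # Low spread relative to the mean suggests a timer, not user navigation.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            result[remote] = round(avg, 1)
    return result

if __name__ == "__main__":
    for remote, interval in periodic_remotes(SAMPLE).items():
        print(f"{remote}: new TLS session roughly every {interval} s")
```

Run against a real export, a remote that shows up here while the browser sits idle is a candidate for the add-on bisection described in the post above.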
