Koozali.org: home of the SME Server
  1. Koozali.org: home of the SME Server
  2. Legacy Forums
  3. Experienced User Forum
  4. Topic: Network troubleshooting -NOT SME
« previous next »
Pages: [1]   Go Down

Network troubleshooting -NOT SME

  • 5 Replies
  • 1604 Views

cozmos9

Network troubleshooting -NOT SME
« on: September 09, 2005, 12:02:22 AM »
Sorry this isn't an SME question, but I figured there may be some very competent people here who might be able to help.

My firewall log shows repeated ip spoofing.  My subnet is 10.21.x.x.  The offending address is 200.200.200.200.  I figure this is a misconfigured PC on my lan.  To try to isolate it, I tried arp -s to associate the mac address to a phantom address, 10.21.100.100.  Then, I scanned for any open ports at this address and came up empty.

While I do not believe this is causing any real harm to my network, I would still like to figure out how to track this down.  Any suggestion would be appreciated.

Thanks,
Jean
Logged

Offline Franco

  • *
  • 1,171
  • +0/-0
    • http://contribs.org
Network troubleshooting -NOT SME
« Reply #1 on: September 10, 2005, 07:49:39 AM »
Hey Jean,
I heard of many stories of chipsets that actually do strange things, like broadcasting packets as if it came from 200.200.200.200. This is either one of those cases or a misconfigured PC. A protocol analizer like Ethereal can help in a situation like that.

Let us know your findings,
Logged

Offline arne

  • *****
  • 1,116
  • +0/-4
Network troubleshooting -NOT SME
« Reply #2 on: September 11, 2005, 11:04:14 PM »
I think it should be difficult to diagnose this using Eathereal as the only thing you can se is the spoofed sender ip (??!!)

Just an idea .. is it possible to read the mac adress of the spoofed ip and then to filter on that mac to see if it also have one other ip .. dont remember if this can be done ..

One other more easy way if the network is not to big and if you have access to all work stations. TCPView is a Windows trafic monitor allmost like iptraf on Linux. If you run TCPView on a Windows work station you should see it at once if it is sending out spoofed packets.
Logged
......

Offline arne

  • *****
  • 1,116
  • +0/-4
Network troubleshooting -NOT SME
« Reply #3 on: September 12, 2005, 06:46:29 AM »
Logged
......

Offline Franco

  • *
  • 1,171
  • +0/-0
    • http://contribs.org
Network troubleshooting -NOT SME
« Reply #4 on: September 12, 2005, 07:41:14 AM »
Ethereal can show you everything, not only capture the packets but also show you it's contents. Too much to list here...
For active connections I suggest you look at ntop, there's a tutorial on how to install, big advantage when you can look at your entire network.
Logged

cozmos9

Network troubleshooting -NOT SME
« Reply #5 on: September 13, 2005, 11:13:20 PM »
Wow.  Thanks for the great tips.  I'll try both etherpeek and tcpview.  Hopefully, I'll have some results to report back...

Jean
Logged
Pages: [1]   Go Up
« previous next »
  1. Koozali.org: home of the SME Server
  2. Legacy Forums
  3. Experienced User Forum
  4. Topic: Network troubleshooting -NOT SME