Firewall Wizards mailing list archives
Re: 192.168.x.y ... ?
From: Robert Graham <robert_david_graham () yahoo com>
Date: Thu, 28 Jan 1999 23:01:06 -0800 (PST)
I'm not sure of your configuration. I'm assuming you mean packets coming in from the Internet, and not packets going from inside your network outward.

My company has a DSL connection, which connects to an ATM VLAN at the ISP side. Thus, I see all sorts of broadcasts from 10.x.x.x and 192.168.x.x, as well as from legitimate IP addresses. (The ISP filters TCP 139, but not NetBIOS datagrams 138 or names 137.) This isn't really a problem for me, but I can figure out a lot of information about my "neighbors" from the information they are broadcasting to me.

In any case, the users don't have to be nearby. People could be spoofing or have a misconfigured machine. For example, if I have a machine in Antarctica that is configured with the IP address of 192.168.x.y, I can send you a ping, even though your responses will never get out of the local network.

I'd sniff on the wire to see what the MAC address of the packets is (assuming you are like me on a DSL or cable modem link; otherwise, if you have a point-to-point connection, you're hosed). If the packets aren't coming from the router's MAC address, then you've identified that part of the problem.

In any case, these packets sound pretty innocuous. Are they PING, or things like Destination Unreachable ICMP packets?

Rob.

---David Gillett <davidg () genmagic com> wrote:
One of the firewalls I administer is rejecting (and logging) about 0-3 ICMPs a day from a couple of these IP addresses. As I understand it, these machines have to be inboard of the next router, but that's not quite enough of a clue to locate them. Is there any other tool I can use to try and find these machines? [The network's physical security is such that I expect to find misconfigured machines rather than pirate sniffers, but find them I must.]

David G
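The MAC-address check suggested in the reply above, as an added example that is not part of the original messages: it parses captured Ethernet/IPv4 frames and separates private-source packets forwarded by the router from those sent by a host on the same segment. The router MAC, the sample frames and all function names are assumptions constructed for illustration.

```python
import ipaddress
import struct
from collections import Counter

# RFC 1918 ranges; the thread mentions 10.x.x.x and 192.168.x.x sources.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_frame(frame):
    """Return (src_mac, src_ip, icmp_type) for an Ethernet II/IPv4 frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                      # too short, or not IPv4
    ihl = (frame[14] & 0x0F) * 4         # IPv4 header length in bytes
    if frame[14] >> 4 != 4 or ihl < 20 or len(frame) < 14 + ihl:
        return None
    src_mac = frame[6:12].hex(":")
    src_ip = ipaddress.ip_address(frame[26:30])
    is_icmp = frame[23] == 1 and len(frame) > 14 + ihl
    return src_mac, src_ip, (frame[14 + ihl] if is_icmp else None)

def classify(frames, router_mac):
    """Bucket private-source packets: forwarded by the router vs. sent on-link."""
    report = {"via_router": Counter(), "on_link": Counter()}
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        mac, ip, icmp_type = parsed
        if not any(ip in net for net in PRIVATE_NETS):
            continue
        bucket = "via_router" if mac == router_mac.lower() else "on_link"
        report[bucket][(mac, str(ip), icmp_type)] += 1
    return report

def build_frame(src_mac, src_ip, icmp_type):
    """Constructed sample input: Ethernet + IPv4 + ICMP headers, checksums zero."""
    eth = b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                     ipaddress.ip_address(src_ip).packed,
                     ipaddress.ip_address("203.0.113.5").packed)
    return eth + ip + struct.pack("!BBHI", icmp_type, 0, 0, 0)

ROUTER_MAC = "00:00:5e:00:53:01"   # assumed; documentation MAC range
SAMPLE = [build_frame(ROUTER_MAC, "192.168.1.20", 8),          # forwarded
          build_frame("00:00:5e:00:53:aa", "192.168.7.9", 3),  # on-link host
          build_frame("00:00:5e:00:53:aa", "10.1.2.3", 8),     # same host
          build_frame(ROUTER_MAC, "198.51.100.7", 8)]          # public: ignored

if __name__ == "__main__":
    for bucket, hits in classify(SAMPLE, ROUTER_MAC).items():
        for (mac, ip, icmp_type), n in hits.items():
            print(f"{bucket:10} {mac} {ip:15} icmp_type={icmp_type} x{n}")
```

Entries in the `on_link` bucket carry the sending host's own MAC address, which can be matched against switch or DHCP records; entries in `via_router` only show that the packet arrived through the router.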
Current thread:
- 192.168.x.y ... ? David Gillett (Jan 28)
- <Possible follow-ups>
- Re: 192.168.x.y ... ? Robert Graham (Jan 29)