Re: wired traffic

[Bob Radvanovsky <rsradvan () unixworks net>]

To answer your question, yes, that address is one of several used by Cisco/Linksys products as their gateway address 
for internal-to-external routing.  192.168.1.1 is the local, non-routed address.  There may be other retail, 
residential routers which may use that as the gateway address, too.  I know that D-Link uses 192.168.0.1, many Netgear 
devices uses 192.168.1.1, as does Cisco/Linksys.  I would suggest running NMAP, or some other form of network port 
scanner to do an identification based on its packet signature.

The fact that I see it addressing 0.0.0.0 might mean that the router may be misconfigured, or that it might be a DHCP 
broadcasting agent, again, signifying that it may be misconfigured.  Without performing additional steps, we can 
speculate until tomorrow...  ;))

Does this help?

-rad

----- Original Message -----
From: Charles Hamby [mailto:fixer () gci net]
To: fowl8510 () unco edu, incidents () securityfocus com
Subject: Re: wired traffic


> Is 192.168.1.1 a Linksys router by some chance?
>
>
> ----- Original Message ----- 
> From: <fowl8510 () unco edu>
> To: <incidents () securityfocus com>
> Sent: Sunday, January 29, 2006 6:11 PM
> Subject: wired traffic
>
>
> > Can anyone tell me what's happening here?  192.168.1.1 is the router.
> >
> > 20:09:31.410294 IP 192.168.1.1.1119 > 0.0.0.0.0: . 0:1(1) ack 0 win 0
> > 20:09:31.410854 IP 192.168.1.1.1121 > 0.0.0.0.0: . 0:1(1) ack 0 win 0
> > 20:09:31.411454 IP 192.168.1.1.availant-mgr > 0.0.0.0.0: . 0:1(1) ack 0 
> > win 0
> > 20:09:31.412078 IP 192.168.1.1.1125 > 0.0.0.0.0: . 0:1(1) ack 0 win 0
> > 20:09:31.412723 IP 192.168.1.1.1126 > 0.0.0.0.0: . 0:1(1) ack 0 win 0
> > 20:09:31.413415 IP 192.168.1.1.1128 > 0.0.0.0.0: . 0:1(1) ack 0 win 0
> > 20:09:31.414085 IP 192.168.1.1.1129 > 0.0.0.0.0: . 0:1(1) ack 0 win 0
> > 20:09:31.414779 IP 192.168.1.1.1131 > 0.0.0.0.0: . 0:1(1) ack 0 win 0
> > 20:09:31.415504 IP 192.168.1.1.1132 > 0.0.0.0.0: . 0:1(1) ack 0 win 0
> > 20:09:31.416247 IP 192.168.1.1.1134 > 0.0.0.0.0: . 0:1(1) ack 0 win 0
> > 20:09:32.434549 IP 192.168.1.1.1121 > 0.0.0.0.0: . 0:1(1) ack 1 win 0
> > 20:09:32.435152 IP 192.168.1.1.availant-mgr > 0.0.0.0.0: . 0:1(1) ack 1 
> > win 0
> > 20:09:32.435719 IP 192.168.1.1.1125 > 0.0.0.0.0: . 0:1(1) ack 1 win 0
> > 20:09:32.436313 IP 192.168.1.1.1126 > 0.0.0.0.0: . 0:1(1) ack 1 win 0
> > 20:09:32.436939 IP 192.168.1.1.1128 > 0.0.0.0.0: . 0:1(1) ack 1 win 0
> > 20:09:32.437537 IP 192.168.1.1.1129 > 0.0.0.0.0: . 0:1(1) ack 1 win 0
> > 20:09:32.438186 IP 192.168.1.1.1131 > 0.0.0.0.0: . 0:1(1) ack 1 win 0
> > 20:09:32.440157 IP 192.168.1.1.1134 > 0.0.0.0.0: . 0:1(1) ack 1 win 0
> > 20:09:33.458456 IP 192.168.1.1.1119 > 0.0.0.0.0: . 0:1(1) ack 1 win 0
> > 20:09:33.458958 IP 192.168.1.1.1121 > 0.0.0.0.0: . 0:1(1) ack 1 win 0
> > 20:09:33.459529 IP 192.168.1.1.availant-mgr > 0.0.0.0.0: . 0:1(1) ack 1 
> > win 0
> > 20:09:33.460769 IP 192.168.1.1.1126 > 0.0.0.0.0: . 0:1(1) ack 1 win 0
> > 20:09:33.461407 IP 192.168.1.1.1128 > 0.0.0.0.0: . 0:1(1) ack 1 win 0
> > 20:09:33.462083 IP 192.168.1.1.1129 > 0.0.0.0.0: . 0:1(1) ack 1 win 0
> > 20:09:33.462759 IP 192.168.1.1.1131 > 0.0.0.0.0: . 0:1(1) ack 1 win 0
> > 20:09:33.463461 IP 192.168.1.1.1132 > 0.0.0.0.0: . 0:1(1) ack 1 win 0
> > 20:09:33.464185 IP 192.168.1.1.1134 > 0.0.0.0.0: . 0:1(1) ack 1 win 0
> > 20:09:34.481631 IP 192.168.1.1.1119 > 0.0.0.0.0: . 0:1(1) ack 1 win 0
> > 20:09:34.482436 IP 192.168.1.1.1121 > 0.0.0.0.0: . 0:1(1) ack 1 win 0
> > 20:09:34.483287 IP 192.168.1.1.availant-mgr > 0.0.0.0.0: . 0:1(1) ack 1 
> > win 0
> >
> > This goes on and on. 


Bob Radvanovsky, CISM, CIFI, REM, CIPS
rsradvan () unixworks net | rsradvan () infracritical com | rsradvan () ehealthgrid com
(630) 673-7740 | (412) 774-0373 (fax)