Firewall Wizards mailing list archives

Re: 192.168.x.y ... ?


From: Robert Graham <robert_david_graham () yahoo com>
Date: Thu, 28 Jan 1999 23:01:06 -0800 (PST)

I'm not sure of your configuration. I'm assuming you mean packets
coming in from the Internet, and not packets going from inside your
network outward.

My company has a DSL connection, which connects to an ATM VLAN at the
ISP side. Thus, I see all sorts of broadcasts from 10.x.x.x and
192.168.x.x, as well as from legitimate IP addresses. (The ISP filters
TCP 139, but not NetBIOS datagrams 138 or names 137). This isn't
really a problem for me, but I can figure out a lot of information
about my "neighbors" from the information they are broadcasting to me.

In any case, the users don't have to be nearby. People could be
spoofing or have a misconfigured machine. For example, if I have a
machine in Antarctica that is configured with the IP address of
192.168.x.y, I can send you a ping, even though your responses will
never get out of the local network.

I'd sniff on the wire to see what the MAC addresses of the packets are
(assuming you are like me on a DSL or cable modem link; otherwise, if
you have a point-to-point connection, you're hosed). If the packets
aren't coming from the router's MAC address, then you've identified
that part of the problem.

In any case, these packets sound pretty innocuous. Are they PING, or
things like Destination Unreachable ICMP packets?

Rob.

---David Gillett <davidg () genmagic com> wrote:

  One of the firewalls I administer is rejecting (and logging) about
0-3 ICMPs a day from a couple of these IP addresses.  As I understand
it, these machines have to be inboard of the next router, but that's not
quite enough of a clue to locate them.  Is there any other tool I can
use to try and find these machines?

  [The network's physical security is such that I expect to find 
misconfigured machines rather than pirate sniffers, but find them I 
must.]


David G
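
Added example, not part of the original message: one way to do the MAC check Rob describes, grouping captured frames with private (RFC 1918) source addresses by sending MAC and noting the ICMP type. The function names, ROUTER_MAC and the sample frames are assumptions constructed for illustration.

```python
import ipaddress
import struct
from collections import defaultdict

# RFC 1918 ranges: the 10.x.x.x and 192.168.x.x sources in the post, plus 172.16/12.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ICMP_NAMES = {0: "echo-reply", 3: "dest-unreachable", 8: "echo-request"}
ROUTER_MAC = "00:00:5e:00:53:01"  # assumed router MAC (documentation range)

def parse_frame(frame):
    """Return (src_mac, src_ip, icmp_type or None) for an IPv4 Ethernet frame, else None."""
    if len(frame) < 14:
        return None
    src_mac = frame[6:12].hex(":")
    ethertype, off = struct.unpack("!H", frame[12:14])[0], 14
    if ethertype == 0x8100 and len(frame) >= 18:  # skip one 802.1Q VLAN tag
        ethertype, off = struct.unpack("!H", frame[16:18])[0], 18
    if ethertype != 0x0800 or len(frame) < off + 20:
        return None
    ihl = (frame[off] & 0x0F) * 4
    if frame[off] >> 4 != 4 or ihl < 20 or len(frame) < off + ihl:
        return None
    src_ip = ipaddress.ip_address(frame[off + 12:off + 16])
    is_icmp = frame[off + 9] == 1 and len(frame) > off + ihl
    return src_mac, src_ip, frame[off + ihl] if is_icmp else None

def private_sources_by_mac(frames, router_mac):
    """Group private-source packets by sending MAC and flag MACs other than the router's."""
    report = defaultdict(lambda: {"ips": set(), "icmp": set()})
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None or not any(parsed[1] in net for net in PRIVATE_NETS):
            continue
        mac, ip, icmp_type = parsed
        report[mac]["from_router"] = mac == router_mac.lower()
        report[mac]["ips"].add(str(ip))
        if icmp_type is not None:
            report[mac]["icmp"].add(ICMP_NAMES.get(icmp_type, f"type-{icmp_type}"))
    return dict(report)

def build_frame(src_mac, src_ip, icmp_type):
    """Constructed sample input: minimal Ethernet/IPv4/ICMP frame (checksums left at zero)."""
    eth = b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                     ipaddress.ip_address(src_ip).packed, ipaddress.ip_address("203.0.113.9").packed)
    return eth + ip + bytes([icmp_type]) + b"\x00" * 7

SAMPLE = [build_frame(ROUTER_MAC, "192.168.1.20", 8),       # private source, relayed by router
          build_frame("00:00:5e:00:53:77", "10.4.4.4", 3),  # private source, local segment MAC
          build_frame(ROUTER_MAC, "198.51.100.7", 8)]       # routable source, ignored
```

Calling private_sources_by_mac(SAMPLE, ROUTER_MAC) returns one entry per sending MAC; an entry with from_router set to False points at a machine on the local segment rather than something forwarded by the router.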





