Firewall Wizards mailing list archives
Re: How to find hidden host within LAN
From: "Fiamingo, Frank" <FiamingF () strsoh org>
Date: Fri, 30 Nov 2007 15:51:02 -0500
I've seen this on our network in recent months also. It usually has to do with virtual machines that default to using 192.168.x.x (VMware) and 10.211.55.x (Parallels) addresses. They either exit their physical machine not properly NATed for your network, or when they interact with some applications, such as MS Exchange, the Exchange server may try to reply to the original 192.168.x.x or 10.211.55.x address. Apparently this original source address must be buried somewhere in the data portion of the packet. Either problem makes the origin very difficult to trace, because you can't route to, or ping, that source address.

Frank

-----Original Message-----
From: firewall-wizards-bounces () listserv cybertrust com [mailto:firewall-wizards-bounces () listserv cybertrust com] On Behalf Of desant1 () tin it
Sent: Sunday, November 25, 2007 9:42 AM
To: firewall-wizards () listserv cybertrust com
Subject: [fw-wiz] How to find hidden host within LAN

Hi everybody

I'm using RH ES4 with iptables as gateway/firewall for my LAN. In the last week I noticed in the iptables logs that a host within my LAN is doing a lot of traffic. The destination/source address of the packets and the used port suggest that this host is using a peer-to-peer application (eMule or similar). The problem is that I'm not able to identify this host within my LAN: I can see his IP address (192.168.x.y) and I can find his MAC address through ARP, but I can't ping it and there is no host within my LAN with this MAC address. I can't traceroute it.

Can someone help me to find this hidden host?

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
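The reply above attributes the untraceable sources to VMware and Parallels guests leaking their default addresses. The following is an added example, not code from either poster: it scans iptables LOG lines for packets that arrived on the inside interface with a source outside the LAN and pulls the source MAC out of the `MAC=` field. The LAN subnet, the interface name and the log lines are assumptions constructed for illustration; the OUI prefixes are the vendors' registered ones.

```python
import ipaddress
import re

# Assumptions (not stated in the thread): LAN subnet and inside interface name.
LAN = ipaddress.ip_network("192.168.1.0/24")
INSIDE_IF = "eth1"

# Registered OUI prefixes used by virtual NICs.
VM_OUIS = {"00:0c:29": "VMware", "00:50:56": "VMware", "00:05:69": "VMware",
           "00:1c:42": "Parallels"}

# iptables LOG on Ethernet input prints
# MAC=<dst, 6 octets>:<src, 6 octets>:<ethertype, 2 octets>
LINE_RE = re.compile(
    r"IN=(?P<iface>\S+) .*?MAC=(?P<mac>(?:[0-9a-f]{2}:){13}[0-9a-f]{2}) "
    r".*?SRC=(?P<src>[\d.]+) ", re.I)

# Constructed sample log lines (gateway MAC 02:00:00:00:00:01 is made up).
SAMPLE_LOG = """\
kernel: IN=eth1 OUT=eth0 MAC=02:00:00:00:00:01:00:1c:42:aa:bb:cc:08:00 SRC=10.211.55.3 DST=203.0.113.9 PROTO=TCP DPT=4662
kernel: IN=eth1 OUT=eth0 MAC=02:00:00:00:00:01:00:16:3e:01:02:03:08:00 SRC=192.168.1.20 DST=203.0.113.9 PROTO=TCP DPT=80
kernel: IN=eth1 OUT=eth0 MAC=02:00:00:00:00:01:00:0c:29:11:22:33:08:00 SRC=192.168.232.128 DST=203.0.113.7 PROTO=UDP DPT=4672
kernel: IN=eth1 OUT=eth0 MAC=02:00:00:00:00:01:00:1c:42:aa:bb:cc:08:00 SRC=10.211.55.3 DST=203.0.113.8 PROTO=TCP DPT=4662
kernel: IN=eth0 OUT=eth1 MAC=02:00:00:00:00:02:00:aa:bb:cc:dd:ee:08:00 SRC=203.0.113.9 DST=192.168.1.20 PROTO=TCP SPT=80
""".splitlines()

def find_stray_sources(lines, lan=LAN, inside_if=INSIDE_IF):
    """Map (src_ip, src_mac) -> [packet_count, vendor] for packets that came
    in on the inside interface with a source address outside the LAN."""
    found = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m.group("iface") != inside_if:
            continue
        if ipaddress.ip_address(m.group("src")) in lan:
            continue  # normal LAN host
        octets = m.group("mac").lower().split(":")
        src_mac = ":".join(octets[6:12])  # octets 7-12 are the sender
        vendor = VM_OUIS.get(src_mac[:8], "unknown")
        found.setdefault((m.group("src"), src_mac), [0, vendor])[0] += 1
    return found

if __name__ == "__main__":
    for (ip, mac), (count, vendor) in find_stray_sources(SAMPLE_LOG).items():
        print(f"{ip:16} {mac}  {vendor:9} {count} packet(s)")
```

A source MAC with a VM vendor prefix points to a bridged guest; an "unknown" one is typically the physical NIC of the machine hosting it. In both cases the MAC can be looked up in the switch's forwarding table to find the port.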
Current thread:
- How to find hidden host within LAN desant1 () tin it (Nov 25)
- Re: How to find hidden host within LAN Crispin Cowan (Nov 25)
- Re: How to find hidden host within LAN Mark (Nov 25)
- Re: How to find hidden host within LAN Jim Seymour (Nov 25)
- Re: How to find hidden host within LAN Kurt Buff (Nov 25)
- Re: How to find hidden host within LAN mailinglist (Nov 25)
- Re: How to find hidden host within LAN Avishai Wool (Nov 25)
- Re: How to find hidden host within LAN Fiamingo, Frank (Nov 30)