Firewall Wizards mailing list archives
Re: How to find hidden host within LAN
From: "Kurt Buff" <kurt.buff () gmail com>
Date: Sun, 25 Nov 2007 12:42:25 -0800
On Nov 25, 2007 6:42 AM, desant1 () tin it <desant1 () tin it> wrote:
> Hi everybody, I'm using RH ES4 with iptables as gateway/firewall for my LAN. In the last week I noticed in the iptables logs that a host within my LAN is doing a lot of traffic. The destination/source address of the packets and the port used suggest that this host is using a peer-to-peer application (emule or similar). The problem is that I'm not able to identify this host within my LAN: I can see its IP address (192.168.x.y) and I can find its MAC address through ARP, but I can't ping it and there is no host within my LAN with this MAC address. I can't traceroute it. Can someone help me to find this hidden host?
Are your switches managed? Can you pin down the MAC address to a switch port? Is it coming over a wireless connection? If so, can you simply deny that MAC address and see who complains? Does that IP address do *anything* else on your LAN, and do you log other activity, or can you put a network capture utility (wireshark/tcpdump/other) to record anything else that this host is talking to? If so, you should be able to note and correlate login activity with IP address.
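
One way to do the correlation suggested above directly from the gateway's iptables logs, as an added example that is not part of the original thread. It assumes a LOG rule on traffic arriving from the LAN interface (`eth1` here is an assumption); the sample log lines and all addresses are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the kernel's iptables LOG format (not from the thread).
# "eth1" as the LAN-side interface and all addresses are assumptions.
SAMPLE_LOG = """\
Nov 25 10:01:02 gw kernel: IN=eth1 OUT=eth0 MAC=00:0c:29:aa:bb:01:00:16:17:de:ad:01:08:00 SRC=192.168.1.77 DST=203.0.113.9 LEN=60 TTL=127 PROTO=TCP SPT=3121 DPT=4662
Nov 25 10:01:03 gw kernel: IN=eth1 OUT=eth0 MAC=00:0c:29:aa:bb:01:00:16:17:de:ad:01:08:00 SRC=192.168.1.77 DST=198.51.100.4 LEN=48 TTL=127 PROTO=UDP SPT=4672 DPT=4672
Nov 25 10:02:10 gw kernel: IN=eth1 OUT=eth0 MAC=00:0c:29:aa:bb:01:00:16:17:de:ad:01:08:00 SRC=192.168.1.20 DST=192.0.2.25 LEN=60 TTL=127 PROTO=TCP SPT=1055 DPT=110
Nov 25 10:02:11 gw kernel: IN=eth1 OUT=eth0 MAC=00:0c:29:aa:bb:01:00:1b:21:00:00:02:08:00 SRC=192.168.1.31 DST=192.0.2.80 LEN=60 TTL=64 PROTO=TCP SPT=40000 DPT=80
Nov 25 10:02:12 gw kernel: IN=eth0 OUT=eth1 MAC=00:0c:29:aa:bb:02:00:1d:aa:00:00:09:08:00 SRC=203.0.113.9 DST=192.168.1.77 LEN=60 TTL=50 PROTO=TCP SPT=4662 DPT=3121
"""

FIELD = re.compile(r"(\w+)=(\S*)")

def summarize(log_text, lan_if="eth1"):
    """Group packets that entered on the LAN interface by source MAC."""
    hosts = defaultdict(lambda: {"ips": set(), "dports": Counter(), "packets": 0})
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        octets = f.get("MAC", "").split(":")
        if f.get("IN") != lan_if or len(octets) != 14:
            continue  # wrong direction, or no Ethernet header was logged
        # The LOG target prints destination MAC (6), source MAC (6), EtherType (2).
        src_mac = ":".join(octets[6:12]).lower()
        h = hosts[src_mac]
        h["ips"].add(f.get("SRC"))
        h["dports"][(f.get("PROTO"), f.get("DPT"))] += 1
        h["packets"] += 1
    return dict(hosts)

def macs_with_several_ips(hosts):
    """MACs seen behind more than one source IP: a known machine may hold the extra address."""
    return {mac: sorted(h["ips"]) for mac, h in hosts.items() if len(h["ips"]) > 1}

if __name__ == "__main__":
    for mac, ips in macs_with_several_ips(summarize(SAMPLE_LOG)).items():
        print(mac, ips)
```

A MAC that shows up behind both the unknown address and a known one points at a machine carrying a second IP, or at a device forwarding for others; the same MAC can then be looked up on the switch ports.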