Find out who is disturbing my LAN ?

pranav2794
Level 1

Hi,

I was analyzing my traffic over my LAN and after some periods I am getting requests from some devices whose MAC addresses are shown by Wireshark, and it is asking for the address 192.168.1.64, and other addresses on my LAN that don't even exist.

Is this some sort of intrusion, or is it common in a LAN?

It is a broadcast from that device and the protocol that it uses is ARP as shown by Wireshark.


Marvin Rhoads
Hall of Fame

The cause is most likely a mis-configured client application. Anything ARPing for an RFC1918 address is originating locally on your network as those address types are not routed over the Internet.

If you have the MAC address from Wireshark, you can go into your switch (or switches) and examine their MAC address tables ("show mac address-table" on IOS) to determine which port the client is connected to. From there, you'll need to look at the client itself. If you want to see what application is causing which network traffic once you find the offending machine, I recommend TCPview. netstat is also available from the command line (or Unix shell).

If the offending device is not a computer (e.g., printer or such), you will have to use its configuration menu or utility to set it up correctly so as not to broadcast for non-existent addresses.

One often finds surprising things when looking under the covers on a LAN. Your experience is not unusual.

Yeah, but I have an unmanaged switch, so I don't think I will be able to get the corresponding port number through which the request to find that arbitrary IP address was given, AFAIK.

If you do know about getting this done, please do tell me that also.

Marvin Rhoads
Hall of Fame

Other methods of finding out who is sourcing the problem traffic:

Scan the source IP with nmap.

Determine what type of hardware it is (computer NIC, printer, etc.) by looking up the OUI (first 6 characters of the MAC address).

If it is a Windows host, use (from your PC on the same LAN) Windows' built-in nbtstat with -A option, e.g.:

"nbtstat -A "

>nbtstat ?

Displays protocol statistics and current TCP/IP connections using NBT
(NetBIOS over TCP/IP).

NBTSTAT [ [-a RemoteName] [-A IP address] [-c] [-n]
        [-r] [-R] [-RR] [-s] [-S] [interval] ]

  -a   (adapter status) Lists the remote machine's name table given its name
  -A   (Adapter status) Lists the remote machine's name table given its
                        IP address.
  -c   (cache)          Lists NBT's cache of remote [machine] names and their IP addresses
  -n   (names)          Lists local NetBIOS names.
  -r   (resolved)       Lists names resolved by broadcast and via WINS
  -R   (Reload)         Purges and reloads the remote cache name table
  -S   (Sessions)       Lists sessions table with the destination IP addresses
  -s   (sessions)       Lists sessions table converting destination IP
                        addresses to computer NETBIOS names.
  -RR  (ReleaseRefresh) Sends Name Release packets to WINS and then, starts Refresh

  RemoteName   Remote host machine name.
  IP address   Dotted decimal representation of the IP address.
  interval     Redisplays selected statistics, pausing interval seconds
               between each display. Press Ctrl+C to stop redisplaying
               statistics.
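As an added example (not from the original thread), a small Python script in the defender's role that combines the two ideas above: given ARP "who-has" broadcasts as Wireshark lists them, it counts, per source MAC, the requests for addresses that do not exist on the LAN and labels each MAC by its OUI prefix. The capture rows, the known-host list and the OUI table are all constructed for this example; a real check would use the IEEE OUI registry and your own inventory.

```python
from collections import defaultdict
import ipaddress

# Constructed sample of ARP "who-has" broadcasts in the form Wireshark shows them:
# (source MAC, sender IP, target IP). Not taken from a real capture.
ARP_REQUESTS = [
    ("00:1a:2b:3c:4d:5e", "192.168.1.10", "192.168.1.1"),
    ("00:1a:2b:3c:4d:5e", "192.168.1.10", "192.168.1.64"),
    ("00:1a:2b:3c:4d:5e", "192.168.1.10", "192.168.1.77"),
    ("00:1a:2b:3c:4d:5e", "192.168.1.10", "192.168.1.200"),
    ("00:1a:2b:3c:4d:5e", "192.168.1.10", "192.168.1.64"),
    ("aa:bb:cc:00:11:22", "192.168.1.20", "192.168.1.1"),
    ("aa:bb:cc:00:11:22", "192.168.1.20", "192.168.1.10"),
]

# Addresses that really exist on this LAN (constructed inventory).
KNOWN_HOSTS = {"192.168.1.1", "192.168.1.10", "192.168.1.20"}

# Tiny constructed OUI table with hypothetical vendor labels, not the IEEE registry.
OUI_TABLE = {"001A2B": "Example printer vendor", "AABBCC": "Example NIC vendor"}


def oui_lookup(mac):
    """Return the vendor for the first 6 hex digits (3 octets) of a MAC, or 'unknown'."""
    prefix = mac.replace(":", "").replace("-", "").upper()[:6]
    return OUI_TABLE.get(prefix, "unknown")


def find_noisy_senders(requests, known_hosts, threshold=2):
    """Group ARP requests by source MAC and count those aimed at non-existent hosts.

    Returns {mac: (count, sorted unique unknown targets)} for every MAC whose
    count of requests for unknown targets reaches the threshold."""
    unknown_targets = defaultdict(list)
    for mac, _sender_ip, target_ip in requests:
        if target_ip not in known_hosts:
            unknown_targets[mac].append(target_ip)
    result = {}
    for mac, targets in unknown_targets.items():
        if len(targets) >= threshold:
            result[mac] = (len(targets), sorted(set(targets), key=ipaddress.ip_address))
    return result


def report(requests=ARP_REQUESTS, known_hosts=KNOWN_HOSTS):
    """One human-readable line per noisy MAC, with its OUI vendor label."""
    return [f"{mac} ({oui_lookup(mac)}): {count} ARP requests for non-existent hosts {targets}"
            for mac, (count, targets) in find_noisy_senders(requests, known_hosts).items()]


if __name__ == "__main__":
    for line in report():
        print(line)
```

Once a MAC stands out, the OUI label tells you whether to go looking for a PC (TCPview/netstat) or an embedded device such as a printer, as the replies above describe.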