Author Topic: Net/IP tracing  (Read 371 times)

Offline CavemanJ

« on: October 21, 2003, 12:18:48 AM »
Ok, so I go raid the kitchen for a quick midnight snack, and as I come out of the kitchen I notice the WAN light on my router and the activity light on the cable modem are both blinking faster than a 262 running from a squadron of Ponies.

The lights for the boxes plugged into the router are steady, showing no activity on my LAN, but just to be sure I pulled the cables for about 10 minutes to see.. and the WAN/activity lights just kept right on going.  So I'm guessing this is something from the net trying to get to my LAN and stopping at the firewall.

So what I want to know is, how can I find out what this activity is without opening up the network?  The security log in the router only shows login attempts and when the router/modem renew the IP.

Offline Skuzzy

« Reply #1 on: October 21, 2003, 07:45:39 AM »
Caveman, it may not be anyone trying to "get in" to your LAN.

You may have gotten an IP from a Kazaa (or any file sharing program) user and you are getting hit by the other Kazaa users.  This usually will subside in about 24 to 48 hours.  This is probably the most likely due to the number of these users on the Internet.  Bandwidth hogs.

Or, there could be other users on your subnet who are running with file and printer sharing and your LAN is being hit by all the various probes MS sends out to the subnet when announcing itself and searching for the other nodes on the subnet.  This will be sporadic and mostly affects cable networks, due to the network architecture.

Or, someone on your subnet is running a program that has to do a broadcast and you are getting hit.

SPAMMERS hit port 25 of every IP address on the Internet, continually, so this could be it.  They are just looking for open relays.  Sick lot.


If your firewall is doing any logging, then you have the IP address.  You can go to http://www.arin.net and find which ISP owns that IP address.
Roy "Skuzzy" Neese
support@hitechcreations.com

Offline CavemanJ

« Reply #2 on: October 21, 2003, 07:59:16 AM »
Thanks Skuzzy.  The router has a security log, but it only logs attempts to log into it and the DHCP client stuff for when it renews the IP from the ISP, which is cable.

So I'm gonna guess if I really wanna find out what it is I'd have to open the network?  It'll forever remain a mystery then =)

Offline jonnyb

« Reply #3 on: October 21, 2003, 02:31:49 PM »
What kind of router you running Cave?

Offline CavemanJ

« Reply #4 on: October 22, 2003, 06:58:45 AM »
It's an SMC Barricade, SMC7004ABR

Offline Siaf__csf

« Reply #5 on: October 22, 2003, 01:25:47 PM »
Could be viruses, too. If you have hacked boxes in your network they'll do continuous port scans in order to infect other machines.

Offline CavemanJ

« Reply #6 on: October 23, 2003, 12:27:25 AM »
Quote
Originally posted by Siaf__csf
Could be viruses, too. If you have hacked boxes in your network they'll do continuous port scans in order to infect other machines.


Nope, no traffic on the LAN at all.  Just something tickling the router from the net.

Offline Siaf__csf

« Reply #7 on: October 23, 2003, 02:53:34 AM »
I meant your ISP's network.

Offline blackfalcon4

« Reply #8 on: October 23, 2003, 09:10:39 PM »
Cave, my cable modem's been the same way since the Blaster worm hit the net: constant activity, but no entrance, and no conx issues.

Even changed my wan IP several times and no difference.
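
The causes suggested in this thread each land on different destination ports, so a firewall that does log dropped inbound packets can be triaged by port. This is an added example, not part of any post above: it assumes netfilter-style `KEY=value` drop lines, the port mapping uses well-known default ports rather than anything stated in the thread, and the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict

# (protocol, destination port) -> explanation offered in the thread.
# Port numbers are well-known defaults (assumption, not from the thread).
CAUSES = {
    ("TCP", 25): "SMTP open-relay probe",
    ("TCP", 1214): "Kazaa peers (stale IP lease)",
    ("UDP", 137): "Windows file/printer sharing",
    ("UDP", 138): "Windows file/printer sharing",
    ("TCP", 139): "Windows file/printer sharing",
    ("TCP", 445): "Windows file/printer sharing",
    ("TCP", 135): "RPC scan (Blaster-style worm)",
}
FIELD = re.compile(r"(\w+)=(\S*)")

def triage(lines):
    """Return (cause -> packet count, cause -> set of source IPs)."""
    counts, sources = Counter(), defaultdict(set)
    for line in lines:
        f = dict(FIELD.findall(line))
        if "SRC" not in f or "PROTO" not in f:
            continue  # not a packet record (e.g. a DHCP renewal entry)
        try:
            port = int(f.get("DPT", ""))
        except ValueError:
            port = None  # ICMP and similar carry no destination port
        cause = CAUSES.get((f["PROTO"], port), "unclassified")
        # Crude heuristic: a .255 destination suggests subnet broadcast chatter.
        if cause == "unclassified" and f.get("DST", "").endswith(".255"):
            cause = "subnet broadcast"
        counts[cause] += 1
        sources[cause].add(f["SRC"])
    return counts, sources

# Constructed sample lines using documentation address ranges.
SAMPLE = [
    "fw: DROP IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.7 PROTO=TCP SPT=4021 DPT=135",
    "fw: DROP IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.7 PROTO=TCP SPT=3310 DPT=135",
    "fw: DROP IN=eth0 OUT= SRC=198.51.100.5 DST=203.0.113.7 PROTO=TCP SPT=2200 DPT=25",
    "fw: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.7 PROTO=TCP SPT=1777 DPT=1214",
    "fw: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.7 PROTO=TCP SPT=1778 DPT=1214",
    "fw: DROP IN=eth0 OUT= SRC=203.0.113.20 DST=203.0.113.255 PROTO=UDP SPT=137 DPT=137",
    "fw: DROP IN=eth0 OUT= SRC=203.0.113.31 DST=255.255.255.255 PROTO=UDP SPT=68 DPT=67",
    "fw: DROP IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.7 PROTO=ICMP TYPE=8",
    "fw: dhcp client lease renewed",
]

if __name__ == "__main__":
    counts, sources = triage(SAMPLE)
    for cause, n in counts.most_common():
        print(f"{n:3d}  {cause:30s} {len(sources[cause])} source(s)")
```

The source addresses collected per cause are the ones to look up at ARIN, as Skuzzy describes.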