This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Why source IP in packet filter is not always from my subnet

When I look at my packet filter logs, I would expect every source IP to be on my subnet, but not all of them are. For example, one of the blocked packets is TCP 218.10.111.106 : 12200 → 67.82.39.186 : 7212

See attached screen shot of packet filter log.

Can some explain to me what is happening?

--Scott

This thread was automatically locked due to age.

Parents

0 BarryG over 16 years ago

Scans from the internet to your IP(s)?

Barry
Cancel
Vote Up 0 Vote Down

Cancel
0 ScottG over 16 years ago in reply to BarryG

That makes sense for some of them, my cable modem IP is 67.82.39.186. But it doesn't explain entries like:

TCP 10.156.31.63 : 53954 → 72.4.201.39 : 443

--Scott
Cancel
Vote Up 0 Vote Down

Cancel
0 BarryG over 16 years ago in reply to ScottG

Is 10.156.31.63 in one of your internal networks?

Barry
Cancel
Vote Up 0 Vote Down

Cancel
0 ScottG over 16 years ago in reply to BarryG

No, my internal network is 192.168...

--Scott
Cancel
Vote Up 0 Vote Down

Cancel
0 gsxfan over 16 years ago in reply to ScottG

Maybe an unconfigured LAN interface of a local device like print server, UPS or something like that?
From time to time I run a network sniffer to check what is going on in my internal network and some months ago I found a IP address sending from a network range which is for sure not configured. After checking the MAC address I discovered that this MAC range (The first three groups are the sign of the manufacturer of the device) belongs to APC. One of a shipment of 12 new UPS was not configured, seems that I forgot to set it correctly.
At first I thought we were hacked....
Cancel
Vote Up 0 Vote Down

Cancel
0 ScottG over 16 years ago in reply to gsxfan

I can't think of anything it can be, but maybe I'm overlooking something. Can you recommend an easy to use network sniffer, preferably Windows based.

--Scott
Cancel
Vote Up 0 Vote Down

Cancel
0 BarryG over 16 years ago in reply to ScottG

Try a tracert to 10.156.31.63; it could be a management network at your ISP.

Also, you can tell whether it's internal or external from the packetfilter log; look at the MAC addresses if it doesn't show the interface.

WireShark is a free sniffer which runs on Windows, ...
I don't know that it's 'easy to use', but there's lot of docs.

Barry
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BarryG over 16 years ago in reply to ScottG

Try a tracert to 10.156.31.63; it could be a management network at your ISP.

Also, you can tell whether it's internal or external from the packetfilter log; look at the MAC addresses if it doesn't show the interface.

WireShark is a free sniffer which runs on Windows, ...
I don't know that it's 'easy to use', but there's lot of docs.

Barry
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 ScottG over 16 years ago in reply to BarryG

Looking at the MAC address was a good idea, I figured out that that 10.156.31.63 was my iPhone. Maybe it got that IP from another wireless access point and it didn't pick up a new IP from my DHCP yet.

--Scott
Cancel
Vote Up 0 Vote Down

Cancel
0 itenghm over 16 years ago in reply to ScottG

I have the same issue but in my case the mac address is always the same but the ip address is changing, I looked for the ip addresses on the internet and one of them was for google, one for some company in usa, the other is unkown, but it is always the same mac and the vendor for that mac is cisco
Cancel
Vote Up 0 Vote Down

Cancel