how to identify the origin of a paket

[alex.blackbit]

hi,

i use shorewall on my internet gateway.
there i get log messages like these:

[krinn]

as it just query another local network ip, it might just be an application that was bind to that ip and you forget about it
as it query an answer from that ip port 1024 just check who is listening at 1024 (i suspect the query comes from the application that is also listening)
netstat --listen and look who's at 1024 (if anyone is there of 'course)

[alex.blackbit]

there is no ip 192.168.178.21 in my network, nothing in 192.168.178.0/24.
i don't understand what you mean regarding the destination port 1024.
on my workstation nothing is listening on 1024.
answer ? you think these are answer packets ?
why would the initial packets not have been logged?
please clarify.

EDIT: typo

[krinn]

yep i think they are answers from a spoof query forged so your computer answer to that ip, and to port number 1024.
a simple icmp is enough for that, and the query might appears legit at first.

[alex.blackbit]

do have any ideas how i could find out where the problem comes from?
i.e. what host initially emitted the suspicious packet to which my workstation (192.168.0.2) answers.

[Veldrin]

Depends on how the setup is.

I'd definitely get a tcpdump from your own workstation, and if it is just to confirm that you are not the source...
Then either get another tcpdump from the firewall itself.

Finally, analyse both dumps in wireshark.

This should get you started; just replace IF, with the interface you are listening on (should be eth1 on the firewall), and omit -w /tmp/tcpdump to see the dump direly on the CLI.

[alex.blackbit]

in the mean time i found out that it's transmission that causes these packets.
the packets have the same source port for some time, so i checked that with lsof.
i will move to a different torrent client to see if it's a problem of the protocol or transmission itself.
thank you all.