Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
how to identify the origin of a paket
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
alex.blackbit
Advocate
Advocate


Joined: 26 Jul 2005
Posts: 2397

PostPosted: Wed Apr 13, 2011 7:50 am    Post subject: how to identify the origin of a paket Reply with quote

hi,

i use shorewall on my internet gateway.
there i get log messages like these:
Code:
Apr 13 09:08:13 net4801 kernel: [1720895.203628] Shorewall:FORWARD:REJECT:IN=eth1 OUT=ppp0 SRC=192.168.0.2 DST=192.168.178.21 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=392 DF PROTO=TCP SPT=55963 DPT=1024 WINDOW=14600 RES=0x00 SYN URGP=0
Apr 13 09:08:13 net4801 kernel: [1720895.204976] Shorewall:FORWARD:REJECT:IN=eth1 OUT=ppp0 SRC=192.168.0.2 DST=192.168.178.21 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=14767 DF PROTO=TCP SPT=55964 DPT=1024 WINDOW=14600 RES=0x00 SYN URGP=0
Apr 13 09:08:19 net4801 kernel: [1720901.198082] Shorewall:FORWARD:REJECT:IN=eth1 OUT=ppp0 SRC=192.168.0.2 DST=192.168.178.21 LEN=56 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=55878 DPT=1024 LEN=36
Apr 13 09:37:49 net4801 kernel: [1722672.005149] Shorewall:FORWARD:REJECT:IN=eth1 OUT=ppp0 SRC=192.168.0.2 DST=192.168.178.21 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=7598 DF PROTO=TCP SPT=36471 DPT=1024 WINDOW=14600 RES=0x00 SYN URGP=0
Apr 13 09:37:49 net4801 kernel: [1722672.008780] Shorewall:FORWARD:REJECT:IN=eth1 OUT=ppp0 SRC=192.168.0.2 DST=192.168.178.21 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2041 DF PROTO=TCP SPT=36472 DPT=1024 WINDOW=14600 RES=0x00 SYN URGP=0
Apr 13 09:37:55 net4801 kernel: [1722677.311320] Shorewall:FORWARD:REJECT:IN=eth1 OUT=ppp0 SRC=192.168.0.2 DST=192.168.178.21 LEN=56 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=55878 DPT=1024 LEN=36

192.168.0.2 is my workstation.
the subnet 192.168.178.0 is not in use on my LAN.
i am searching for a way to identify which process emits those packets.
i tried with tcpspy which seems to miss those packets.
lsof does not help either.
who knows a way to log the process ID/name of packets that match certain criteria? in this case that would be the destination ip.
Back to top
View user's profile Send private message
krinn
Watchman
Watchman


Joined: 02 May 2003
Posts: 7447

PostPosted: Wed Apr 13, 2011 10:37 am    Post subject: Reply with quote

as it just query another local network ip, it might just be an application that was bind to that ip and you forget about it
as it query an answer from that ip port 1024 just check who is listening at 1024 (i suspect the query comes from the application that is also listening)
netstat --listen and look who's at 1024 (if anyone is there of 'course)
Back to top
View user's profile Send private message
alex.blackbit
Advocate
Advocate


Joined: 26 Jul 2005
Posts: 2397

PostPosted: Wed Apr 13, 2011 1:46 pm    Post subject: Reply with quote

there is no ip 192.168.178.21 in my network, nothing in 192.168.178.0/24.
i don't understand what you mean regarding the destination port 1024.
on my workstation nothing is listening on 1024.
answer ? you think these are answer packets ?
why would the initial packets not have been logged?
please clarify.

EDIT: typo


Last edited by alex.blackbit on Wed Apr 13, 2011 5:58 pm; edited 1 time in total
Back to top
View user's profile Send private message
krinn
Watchman
Watchman


Joined: 02 May 2003
Posts: 7447

PostPosted: Wed Apr 13, 2011 2:59 pm    Post subject: Reply with quote

yep i think they are answers from a spoof query forged so your computer answer to that ip, and to port number 1024.
a simple icmp is enough for that, and the query might appears legit at first.
Back to top
View user's profile Send private message
alex.blackbit
Advocate
Advocate


Joined: 26 Jul 2005
Posts: 2397

PostPosted: Wed Apr 13, 2011 6:00 pm    Post subject: Reply with quote

do have any ideas how i could find out where the problem comes from?
i.e. what host initially emitted the suspicious packet to which my workstation (192.168.0.2) answers.
Back to top
View user's profile Send private message
Veldrin
Veteran
Veteran


Joined: 27 Jul 2004
Posts: 1945
Location: Zurich, Switzerland

PostPosted: Wed Apr 13, 2011 6:43 pm    Post subject: Reply with quote

Depends on how the setup is.

I'd definitely get a tcpdump from your own workstation, and if it is just to confirm that you are not the source...
Then either get another tcpdump from the firewall itself.

Finally, analyse both dumps in wireshark.

This should get you started; just replace IF, with the interface you are listening on (should be eth1 on the firewall), and omit -w /tmp/tcpdump to see the dump direly on the CLI.
Code:
# tcpdump -nnvvi IF -w /tmp/tcpdump host 192.168.178.21 and host 192.168.0.2 and port 1024


V.
_________________
read the portage output!
If my answer is too concise, ask for an explanation.
Back to top
View user's profile Send private message
alex.blackbit
Advocate
Advocate


Joined: 26 Jul 2005
Posts: 2397

PostPosted: Thu Apr 14, 2011 11:28 pm    Post subject: Reply with quote

in the mean time i found out that it's transmission that causes these packets.
the packets have the same source port for some time, so i checked that with lsof.
i will move to a different torrent client to see if it's a problem of the protocol or transmission itself.
thank you all.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum