Tools for tracing IP

Nick Estes plug-discuss@lists.plug.phoenix.az.us
Thu, 11 Apr 2002 19:29:08 -0700 (MST)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

169.254.0.0/16 is another one of those "special" IP blocks; this
particular one is for IPv4 link-local addresses, just like fe80::/10 is for
IPv6.

	--Nick


On Thu, 11 Apr 2002, Todd Hought wrote:

> Well, it's been a while since I supported a win98 box, but IIRC,
> 169.254.101.152 is one of those goofy IPs that win98 will assign itself
> when it can't get an IP from a DHCP server, but it still gives itself one
> anyways.
> Can't imagine how a machine that has that IP could be sending traffic though.
> If you've got a good packet sniffer, you can usually see what MAC addr is
> tied to that IP, and perhaps go through your local switch to find it.
> Not sure if that helps, but it might. :-)
> -T
>
> On Thu, 11 Apr 2002 alandd@mindspring.com wrote:
>
> > On my Win98 box here at work I recently installed ZoneAlarm so I could catch any "funny" apps going out to the internet without me knowing.  Today ZoneAlarm has been yelling every couple of hours about attempted NetBIOS connections from an IP outside our company NAT firewall.  This puzzles me greatly.  Ping and traceroute from the Win98 box to the IP come back without a domain name and with "Destination host unreachable" errors.
> >
> > I assume my PC has been "zombified" and the "master" is outside trying to get in.  I don't know how it is doing this through the NAT.  I have not seen any unknown programs trying to get out through ZoneAlarm.
> >
> > Not being experienced in tracking these things, I don't know what else I can learn about this when all I have is the IP address.  What tools or resources are available in Linux to find out where this port scan is coming from and what on my computer would want to answer?
> >
> > Details------------
> > Summary:
> > Source IP: 169.254.101.152
> > Source ports: 4335, 4615, 4618, 4621, 4995, 4998, 3626, 3632
> > My IP (behind firewall/NAT): 192.168.200.xxx
> > My port: 139
> >
> > ZoneAlarm Log text:
> > type,date,time,source,destination,transport
> > FWIN,2002/04/11,10:12:00 -7:00 GMT,169.254.101.152:4335,192.168.200.xxx:139,TCP (flags:S)
> > FWIN,2002/04/11,10:13:55 -7:00 GMT,169.254.101.152:4615,192.168.200.xxx:139,TCP (flags:S)
> > FWIN,2002/04/11,10:13:55 -7:00 GMT,169.254.101.152:4618,192.168.200.xxx:139,TCP (flags:S)
> > FWIN,2002/04/11,10:13:55 -7:00 GMT,169.254.101.152:4621,192.168.200.xxx:139,TCP (flags:S)
> > FWIN,2002/04/11,12:59:47 -7:00 GMT,169.254.101.152:4995,192.168.200.xxx:139,TCP (flags:S)
> > FWIN,2002/04/11,12:59:47 -7:00 GMT,169.254.101.152:4998,192.168.200.xxx:139,TCP (flags:S)
> > FWIN,2002/04/11,16:28:38 -7:00 GMT,169.254.101.152:3626,192.168.200.xxx:139,TCP (flags:S)
> > FWIN,2002/04/11,16:28:38 -7:00 GMT,169.254.101.152:3632,192.168.200.xxx:139,TCP (flags:S)
> > ________________________________________________
> > See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
> >
> > PLUG-discuss mailing list  -  PLUG-discuss@lists.plug.phoenix.az.us
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> >
>
> ********************************************************************
> * You don't tug on Superman's cape, you don't spit into the wind.. *
> * You don't pull the mask off the ol' Lone Ranger,                *
> * And you don't mess around with the Sysadmin's workstation.       *
> ********************************************************************
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: pgpenvelope 2.10.2 - http://pgpenvelope.sourceforge.net/

iD8DBQE8tkZ5v+hjYTGg7s4RAreiAJ9rUO8DFFLmtHQMrCxhJ9ABGr5tLACeM7h/
jaL+0fJC6x7apxJHRHPHbyI=
=B3nK
-----END PGP SIGNATURE-----
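The point of the thread is that the source address in the ZoneAlarm log is not something a NAT router could have forwarded: 169.254.0.0/16 is IPv4 link-local, so the sender is on the same Ethernet segment as the Win98 box. The script below is an added example, not code from anyone in the thread. It parses the log lines quoted above with the standard library and labels each source address by scope (link-local, private, loopback, multicast, global) so the triage question is answered before anyone reaches for whois or traceroute. The function names, the verdict strings and the redaction handling for the "xxx" octet are choices made here, not anything ZoneAlarm or the posters describe.

```python
"""Triage ZoneAlarm-style firewall log lines by source-address scope.

Added example, not code from the thread. Uses only the standard library:
ipaddress classifies each address (169.254.0.0/16 is IPv4 link-local,
fe80::/10 is IPv6 link-local) and csv splits the exported log lines.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Log lines quoted in the thread. The victim's host octet is redacted as
# "xxx" in the original and stays redacted here; the parser tolerates it.
ZONEALARM_LOG = """\
type,date,time,source,destination,transport
FWIN,2002/04/11,10:12:00 -7:00 GMT,169.254.101.152:4335,192.168.200.xxx:139,TCP (flags:S)
FWIN,2002/04/11,10:13:55 -7:00 GMT,169.254.101.152:4615,192.168.200.xxx:139,TCP (flags:S)
FWIN,2002/04/11,10:13:55 -7:00 GMT,169.254.101.152:4618,192.168.200.xxx:139,TCP (flags:S)
FWIN,2002/04/11,10:13:55 -7:00 GMT,169.254.101.152:4621,192.168.200.xxx:139,TCP (flags:S)
FWIN,2002/04/11,12:59:47 -7:00 GMT,169.254.101.152:4995,192.168.200.xxx:139,TCP (flags:S)
FWIN,2002/04/11,12:59:47 -7:00 GMT,169.254.101.152:4998,192.168.200.xxx:139,TCP (flags:S)
FWIN,2002/04/11,16:28:38 -7:00 GMT,169.254.101.152:3626,192.168.200.xxx:139,TCP (flags:S)
FWIN,2002/04/11,16:28:38 -7:00 GMT,169.254.101.152:3632,192.168.200.xxx:139,TCP (flags:S)
"""

# Defender's reading of each scope (wording chosen for this example).
VERDICTS = {
    "link-local": "not routable; sender is on your own L2 segment, find it by MAC",
    "private": "RFC 1918 / ULA; inside your NAT, not the public internet",
    "loopback": "this host",
    "multicast": "group address, not a single sender",
}


def scope(addr_text):
    """Label the routing scope of an IPv4 or IPv6 address.

    Order matters: ipaddress reports 169.254.0.0/16 as both link-local and
    'private', so the more specific link-local test has to come first.
    """
    addr = ipaddress.ip_address(addr_text)
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        return "link-local"
    if addr.is_multicast:
        return "multicast"
    if addr.is_private:
        return "private"
    return "global"


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port); port is None when absent.

    rpartition keeps IPv6 literals intact; surrounding brackets are dropped.
    """
    host, sep, port = endpoint.rpartition(":")
    if not sep:
        return endpoint, None
    return host.strip("[]"), int(port)


def parse_log(text):
    """Yield one dict per record in a ZoneAlarm CSV export."""
    for row in csv.DictReader(io.StringIO(text)):
        src_host, src_port = split_endpoint(row["source"])
        dst_host, dst_port = split_endpoint(row["destination"])
        yield {"type": row["type"], "when": f'{row["date"]} {row["time"]}',
               "src": src_host, "sport": src_port,
               "dst": dst_host, "dport": dst_port,
               "transport": row["transport"]}


def triage(text):
    """Group records by source host and attach a scope verdict."""
    groups = defaultdict(lambda: {"hits": 0, "sports": [], "dports": set()})
    for rec in parse_log(text):
        g = groups[rec["src"]]
        g["hits"] += 1
        g["sports"].append(rec["sport"])
        g["dports"].add(rec["dport"])
    for src, g in groups.items():
        try:
            g["scope"] = scope(src)
        except ValueError:          # e.g. a redacted octet such as "xxx"
            g["scope"] = "unparseable"
        g["verdict"] = VERDICTS.get(g["scope"], "check with whois / traceroute")
    return dict(groups)


if __name__ == "__main__":
    for src, g in triage(ZONEALARM_LOG).items():
        print(f"{src:18} {g['scope']:12} hits={g['hits']} "
              f"dports={sorted(g['dports'])} -> {g['verdict']}")
```

Run against the quoted log, the single source 169.254.101.152 comes back as link-local with eight SYNs to port 139, which is exactly the "look for the MAC address on your own switch" advice given in the thread rather than a case for whois.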