Re: [SLUG] Output from tcpdump

From: Brian Coyle (brian@linuxwidows.com)
Date: Mon Aug 05 2002 - 00:03:20 EDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sunday 04 August 2002 16:36, Doug Koobs wrote:
> While using tcpdump to learn about arp, I found some unexpected activity on
> my network, which consists only of:
>
> Linksys Cable/DSL router at 192.168.1.215
> RH 7.3 mail server at 192.168.1.201
> Win2K Pro at 192.168.1.1
>
> I ran tcpdump while there were no users running any programs...
> Here are the tcpdump output lines, with my questions included:
>
> 16:07:23.381067 133.65.185.24.2957 > 192.168.1.201.ssh: S 2350411248:2350411248(0) win 32120 <mss 1460,sackOK,timestamp 411665006 0,nop,wscale 0> (DF)

You must be forwarding/NATing the ssh in the Linksys. I hope it also
has firewall features.... :)

>
> Is someone at 133.65.185.24 trying to ssh into my Linux box? If so, what
> log would I look at to see if they were successful?
>

Yes, they're trying- welcome to the 'always on' Internet.

It doesn't appear they made it past the authentication (too few packets).
/var/log/messages should have details.

BTW- If you're running ipchains (and logging to syslog), here's a script
to parse the syslog and report on who's knocking at the door.

http://lists.leap-cf.org/pipermail/pgrm101/2002-May/001061.html

> 16:07:23.382952 192.168.1.201.32769 > ns2.tampabay.rr.com.domain: 2718+
> PTR? 201.1.168.192.in-addr.arpa. (44) (DF)

Your RH box has a misconfigured resolver. You should setup DNS for your
internal hosts, then forward all others to RoadRunner. The simplest
method to do this is in /etc/nsswitch.conf setting 'hosts: files dns'
(in that order). Then add your internal hosts to /etc/hosts.

> Also, the gateway often sends arp requests for 192.168.1.254, which does
> not exist... Why would it be looking for it?

Possibly a misconfiguration in the Linksys. I'd look for a NAT or forward
setting that points to that address instead of where you intended. This
may also be a default value for something you haven't disabled.

HTH!

- --
Redundancy? You can say that again!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9TfkKER3MuHUncBsRAid5AJ9LscAAn3qz+SooOXuxo0DU7IgHQwCeNWPM
dFvVXaMwz3R3pQsLSSpRR0k=
=XsAP
-----END PGP SIGNATURE-----
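An added example, not part of Doug's or Brian's message: a small Python triage script that reads tcpdump text output in the style quoted above and flags the three things discussed (an inbound SYN from outside to a LAN host, a PTR query for a private address sent to an external resolver, and an ARP request for an address no known host owns), plus a check of sshd syslog lines to answer "did they get in?". The capture and syslog lines are constructed to mirror the post (the 133.65.185.24 and 192.168.1.x addresses come from it); the 192.168.1.0/24 subnet, the known-host list, and the exact sshd "Accepted/Failed password" wording are assumptions.

```python
import ipaddress
import re

# Assumption: the poster's LAN and hosts, taken from the addresses in the message.
LAN = ipaddress.ip_network("192.168.1.0/24")
KNOWN_HOSTS = {"192.168.1.215", "192.168.1.201", "192.168.1.1"}

# Constructed sample capture modelled on the tcpdump lines quoted in the post.
CAPTURE = """\
16:07:23.381067 133.65.185.24.2957 > 192.168.1.201.ssh: S 2350411248:2350411248(0) win 32120 <mss 1460,sackOK> (DF)
16:07:23.382952 192.168.1.201.32769 > ns2.tampabay.rr.com.domain: 2718+ PTR? 201.1.168.192.in-addr.arpa. (44) (DF)
16:07:25.100000 arp who-has 192.168.1.254 tell 192.168.1.215
16:07:26.000000 192.168.1.1.1034 > 192.168.1.201.smtp: S 10:10(0) win 16384 <mss 1460> (DF)
"""

# Constructed sshd lines as they would appear in /var/log/messages (wording assumed).
SYSLOG = """\
Aug  4 16:07:24 mail sshd[1201]: Failed password for root from 133.65.185.24 port 2957 ssh2
Aug  4 16:07:30 mail sshd[1201]: Connection closed by 133.65.185.24
Aug  4 16:10:02 mail sshd[1210]: Accepted password for doug from 192.168.1.1 port 1040 ssh2
"""

# tcpdump prints "host.port" for each endpoint; flags follow the colon ("S" = SYN only).
TCP_SYN = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): S ")
PTR_QUERY = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): \d+\+? PTR\? (?P<name>\S+)")
ARP_REQ = re.compile(r"^(?P<ts>\S+) arp who-has (?P<target>\S+) tell (?P<sender>\S+)")
SSHD = re.compile(r"sshd\[\d+\]: (?P<verdict>Accepted|Failed) \S+ for (?P<user>.+?) from (?P<ip>\S+)")


def split_endpoint(ep):
    """'133.65.185.24.2957' -> ('133.65.185.24', '2957'); the port is after the last dot."""
    host, port = ep.rsplit(".", 1)
    return host, port


def on_lan(host):
    """True only for literal addresses inside LAN; a name (e.g. the ISP resolver) counts as outside."""
    try:
        return ipaddress.ip_address(host) in LAN
    except ValueError:
        return False


def ptr_to_ip(name):
    """'201.1.168.192.in-addr.arpa.' -> '192.168.1.201' (octets are reversed in a PTR name)."""
    octets = name.rstrip(".").split(".")[:4]
    return ".".join(reversed(octets))


def triage(capture):
    """Return a list of findings (tuples) for the suspicious lines in a tcpdump text capture."""
    findings = []
    for line in capture.splitlines():
        m = TCP_SYN.match(line)
        if m:
            src, _ = split_endpoint(m["src"])
            dst, dport = split_endpoint(m["dst"])
            if not on_lan(src) and on_lan(dst):       # connection attempt from the Internet
                findings.append(("inbound_syn", src, dst, dport))
            continue
        m = PTR_QUERY.match(line)
        if m:
            ip = ptr_to_ip(m["name"])
            resolver, _ = split_endpoint(m["dst"])
            if on_lan(ip) and not on_lan(resolver):   # private reverse lookup leaking to the ISP
                findings.append(("private_ptr_leak", ip, resolver))
            continue
        m = ARP_REQ.match(line)
        if m and m["target"] not in KNOWN_HOSTS:      # gateway asking for a host nobody owns
            findings.append(("arp_for_unknown_host", m["target"], m["sender"]))
    return findings


def ssh_outcome(syslog, ip):
    """'accepted' if sshd ever logged a login from ip, 'failed' if only failures, else 'none'."""
    verdicts = {m["verdict"] for m in SSHD.finditer(syslog) if m["ip"] == ip}
    if "Accepted" in verdicts:
        return "accepted"
    if "Failed" in verdicts:
        return "failed"
    return "none"


if __name__ == "__main__":
    for finding in triage(CAPTURE):
        print(*finding)
    print("133.65.185.24:", ssh_outcome(SYSLOG, "133.65.185.24"))
```

The SYN-only check mirrors Brian's "too few packets" reasoning: a lone S from outside is an attempt, and only the sshd log can say whether it went further. Note that on_lan() deliberately treats hostnames as external, so a capture run with name resolution enabled (no -n) will still flag the resolver; run tcpdump with -n if you want every endpoint as a literal address.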



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 15:50:23 EDT