6701 Views, 0 Helpful, 22 Replies

Finding source of traffic - behind router

davidjknapp
Level 1

I have an esoft internet gateway appliance that is producing this message :

Feb 25 00:00:21 System martian source 192.168.1.255 from 192.168.1.135, on dev br0
Feb 25 00:00:21 System ll header: 00:01:4e:01:7a:b4:00(Destination - E-soft App):1e:f7:ae:b6:c0:08:00(Source Router at 10.x.x.x)

Our network scheme is 10.x.x.x, with no 192.168.*.* subnets on the local lan.  However, for some reason the router behind this gateway is still forwarding traffic from 192.168.1.* to the gateway.  My router has 3 interfaces, 10.x.x.x; 10.x.x.x, and 72.x.x.x.  Not sure how traffic is even getting to the router, let alone being forwarded.

From the switch I can identify the the devices by the mac's using "show mac address-table", but I cannot determine the source of the traffic from the other side of the router.

How do I track down the source of this traffic?

22 Replies

Still nothing coming through... hope I have relevant data below

I ran the commands below in config t

logging on

logging buffered

then ran following:

Systems#Sho Conf

!

access-list 151 permit ip 192.168.1.0 0.0.0.255 any log
logging buffered 4096 debugging

Systems#sho logging
Syslog logging: enabled (11 messages dropped, 3 messages rate-limited,
                0 flushes, 0 overruns, xml disabled, filtering disabled)
    Console logging: level debugging, 75 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging: level debugging, 1 messages logged, xml disabled,
                    filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
    Trap logging: level informational, 76 message lines logged

Log Buffer (4096 bytes):

*Feb 25 22:06:34.702: %SYS-5-CONFIG_I: Configured from console by djknapp on vty0 (10.4.117.110)

David

Apologies, but I gave some misleading info. To log port numbers your ACL must match on port numbers, so can you make your ACL:

access-list 151 permit tcp 192.168.1.0 0.0.0.255 any range 1 65535 log

access-list 151 permit udp 192.168.1.0 0.0.0.255 any range 1 65535 log

access-list 151 permit icmp 192.168.1.0 0.0.0.255 any log
access-list 151 permit ip any any

then apply this acl to the interface that connect to your MPLS network.

Note that the router will buffer the logs so you may only see one entry for multiple hits.

Jon

Got it:


*Feb 25 22:50:33.178: %SEC-6-IPACCESSLOGP: list 152 permitted udp 192.168.1.125(138) -> 192.168.1.255(138), 1 packet
*Feb 25 22:50:44.022: %SEC-6-IPACCESSLOGP: list 152 permitted udp 192.168.1.135(138) -> 192.168.1.255(138), 1 packet
*Feb 25 22:51:14.110: %SEC-6-IPACCESSLOGP: list 152 permitted udp 192.168.1.136(137) -> 192.168.1.255(137), 1 packet
*Feb 25 22:51:55.206: %SEC-6-IPACCESSLOGP: list 152 permitted udp 192.168.1.133(138) -> 192.168.1.255(138), 1 packet
*Feb 25 22:53:08.650: %SEC-6-IPACCESSLOGP: list 152 permitted udp 192.168.1.100(138) -> 192.168.1.255(138), 1 packet
*Feb 25 22:54:14.042: %SEC-6-IPACCESSLOGP: list 152 permitted udp 192.168.1.136(138) -> 192.168.1.255(138), 1 packet

Seems like regular NetBIOS traffic being broadcasted.

Still don't know why it is reaching your esoft gateway or even the 3845.

Federico.

As Federico says this is Windows netbios traffic. Netbios can be a very chatty protocol.

Do all your remote sites use a default route to get to the site where the gateway is?

Edit - the other thing to note is that this is a directed broadcast, i.e. 192.168.1.255. This could be caused by an IP helper address on one of your remote site routers.

Jon

I get how the packets are traversing, and yes, the main site is the default gateway for all daughter sites. My fear is a rogue router or WAP plugged in (Linksys comes to mind) that is broadcasting unsecured and attached to our network.

Understanding I can use ACLs at the hub or at all the sites to block the traffic, I would still very much like to find the source. Is there a way of doing that?

Thanks for all the help!!

How many daughter sites do you have?

The next step would be to apply the ACL you have in each daughter site to work out which one is originating the packets.

Jon
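Sorting the ACL log output by router and source, as an added example that is not part of this thread or Cisco's tooling: once the logging ACL from Jon's earlier reply is on every daughter-site router, the hits from 17 routers have to be tallied to see which site's ACL is actually seeing 192.168.1.0/24 sources. The Python below parses %SEC-6-IPACCESSLOGP/NP/DP lines of the shape shown in Federico's post, sums the trailing "N packets" field per router and per source IP, and reports the busiest router first, plus a protocol/port profile to confirm the traffic is NetBIOS (udp/137, udp/138). The sample input embeds the six log lines quoted in the thread and adds constructed lines with hypothetical hostnames ("site03-rtr", "site11-rtr") in the form a syslog collector might prefix relayed messages; the prefix format is an assumption, so adjust the host part of the regex to match your collector.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample input. The first six lines are the hub router output
# quoted in the thread. The rest are made up for this example and carry
# hypothetical hostnames ("site03-rtr", "site11-rtr") as a central syslog
# collector might tag messages relayed from daughter-site routers; lines with
# no prefix are treated as the hub's own log buffer. The final CONFIG_I line
# shows that unrelated messages are ignored.
SAMPLE_LOG = """\
*Feb 25 22:50:33.178: %SEC-6-IPACCESSLOGP: list 152 permitted udp 192.168.1.125(138) -> 192.168.1.255(138), 1 packet
*Feb 25 22:50:44.022: %SEC-6-IPACCESSLOGP: list 152 permitted udp 192.168.1.135(138) -> 192.168.1.255(138), 1 packet
*Feb 25 22:51:14.110: %SEC-6-IPACCESSLOGP: list 152 permitted udp 192.168.1.136(137) -> 192.168.1.255(137), 1 packet
*Feb 25 22:51:55.206: %SEC-6-IPACCESSLOGP: list 152 permitted udp 192.168.1.133(138) -> 192.168.1.255(138), 1 packet
*Feb 25 22:53:08.650: %SEC-6-IPACCESSLOGP: list 152 permitted udp 192.168.1.100(138) -> 192.168.1.255(138), 1 packet
*Feb 25 22:54:14.042: %SEC-6-IPACCESSLOGP: list 152 permitted udp 192.168.1.136(138) -> 192.168.1.255(138), 1 packet
site03-rtr: *Feb 25 22:55:01.010: %SEC-6-IPACCESSLOGP: list 151 permitted udp 192.168.1.136(138) -> 192.168.1.255(138), 12 packets
site03-rtr: *Feb 25 22:55:07.500: %SEC-6-IPACCESSLOGP: list 151 permitted udp 192.168.1.125(137) -> 192.168.1.255(137), 4 packets
site11-rtr: *Feb 25 22:56:40.000: %SEC-6-IPACCESSLOGP: list 151 permitted tcp 10.11.5.20(51234) -> 10.11.0.1(445), 1 packet
site03-rtr: *Feb 25 22:57:12.300: %SEC-6-IPACCESSLOGNP: list 151 permitted 47 192.168.1.1 -> 10.11.0.1, 3 packets
site03-rtr: *Feb 25 22:57:20.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.11.0.5)
"""

# Shaped from the %SEC-6-IPACCESSLOGP lines in the thread. IOS uses the LOGP
# suffix for TCP/UDP (ports in parentheses), LOGNP for other IP protocols
# (no ports) and LOGDP for ICMP (type/code in parentheses after the dst).
# The "host:" prefix is the assumed collector format described above.
LOG_RE = re.compile(
    r"^(?:(?P<host>[\w.-]+):\s+)?"                      # optional collector hostname
    r"\*?(?P<ts>[A-Z][a-z]{2} +\d+ [\d:.]+): "          # IOS timestamp
    r"%SEC-6-IPACCESSLOG(?:P|NP|DP): list (?P<acl>\S+) "
    r"(?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<dport>\d+)\))?"
    r"(?: \(\d+/\d+\))?, (?P<count>\d+) packets?$"
)


def parse_acl_log(text):
    """Yield one record per ACL log line; any other message is skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["count"] = int(rec["count"])
        rec["host"] = rec["host"] or "hub"   # unprefixed lines came from the hub buffer
        yield rec


def _foreign(rec, net):
    """True when the logged source address lies inside the range being hunted."""
    return ipaddress.ip_address(rec["src"]) in net


def tally_sources(text, network="192.168.1.0/24"):
    """Packets per (router, source IP) for sources inside the foreign range.

    Sums the trailing "N packets" field instead of counting lines: IOS logs
    the first matching packet at once and folds later hits into periodic
    summary messages, and may rate-limit, so a line count undercounts."""
    net = ipaddress.ip_network(network)
    totals = defaultdict(int)
    for rec in parse_acl_log(text):
        if _foreign(rec, net):
            totals[(rec["host"], rec["src"])] += rec["count"]
    return dict(totals)


def sites_originating(text, network="192.168.1.0/24"):
    """Routers whose logging ACL saw the foreign range, busiest first."""
    net = ipaddress.ip_network(network)
    per_site = defaultdict(int)
    for rec in parse_acl_log(text):
        if _foreign(rec, net):
            per_site[rec["host"]] += rec["count"]
    return sorted(per_site.items(), key=lambda kv: (-kv[1], kv[0]))


def port_profile(text, network="192.168.1.0/24"):
    """Packets per protocol/destination port, to confirm what the traffic is."""
    net = ipaddress.ip_network(network)
    profile = defaultdict(int)
    for rec in parse_acl_log(text):
        if _foreign(rec, net):
            profile[f"{rec['proto']}/{rec['dport'] or '-'}"] += rec["count"]
    return dict(profile)


if __name__ == "__main__":
    for site, pkts in sites_originating(SAMPLE_LOG):
        print(f"{site:12} {pkts:5d} packets from 192.168.1.0/24")
    for (site, src), pkts in sorted(tally_sources(SAMPLE_LOG).items()):
        print(f"  {site:12} {src:16} {pkts:5d}")
    print(port_profile(SAMPLE_LOG))
```

Summing the packet field matters: the `sho logging` output earlier in this thread already shows "11 messages dropped, 3 messages rate-limited", so the number of log lines a source produced is not a reliable measure of how much it is sending. The port profile (udp/138 and udp/137 dominating) is the quick check that what the ACL caught is the NetBIOS browser/name-service chatter Federico identified rather than something else hiding in the same source range.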

There are 17 daughter sites. It will take a while, but it would be best to implement ACLs at each site anyway to drop any packets not meant for our network or not from the network at that site.

Thanks a lot Both of you have been a great help.
