Log analysis - suspicious inbound

asked 2019-08-07 17:26:47 +0000

ArnaudM
1 ●1 ●1 ●2

updated 2019-08-09 13:22:39 +0000

I am relatively new to Wireshark analysis so apologies if this is straightforward, but I am puzzled by this one.

I am doing traffic analysis on a local machine using the following procedure: launching a capture on the Ethernet peripheric, plugging in my computer after it started (not to miss any packet sent) and then reviewing the log.

I have noticed that every time I did this, relatively early after plugging in the Ethernet cable, there was an external IP address sending a [FIN,ACK] packet to the local address (192.168.1.X) of my computer. My question is twofold:

As most residential users, I am behind a residential gateway, acting as a router. How can an external address directly communicate with my machine?
Why is this sending a [FIN,ACK] packet ? There is no other TCP stream with this address before (or at least none I could observe).

In case helpful, the external IP is 151.139.128.14. Googling the address resulted in a few hits but nothing really explanatory of this.

Comments

Hi, most residential gateway use NAT between the public IP address you get from the ISP and the private IP addresses on your local (home) network. Are you using NAT? When you say 128.1.1.X is a local address, what do you mean? 128.1.1.X seems to belong to Zenlayer and it's a public IP address.

Spooky ( 2019-08-08 01:51:51 +0000 )edit

Yes you're right - I mistyped the local IP address. I edited the post to fix this. Thanks for pointing out

ArnaudM ( 2019-08-09 13:23:24 +0000 )edit

add a comment

answered 2019-08-13 01:51:42 +0000

Spooky

191 ●47 ●7 https://www.wireshark.org

updated 2019-08-13 01:52:35 +0000

Hi Arnaud,

There are a few reasons you might see this traffic.

One reason could be that your computer does initiate a TCP connection to 151.139.128.14 when it is plugged in and you are capturing FIN/ACK because the connection is now being closed. (timeout?)

Now, if this happens every time then look into capturing traffic to and from 151.139.128.14 over a longer period. This is to allow you to capture the TCP connection being initiated by the computer. TCP connection may be long-lived so it may have been established when the computer was plugged and "held" by the remote host when you unplugged your computer. (Try leaving the cable plugged when you power down so that your TCP/IP stack has time to close all connections before signing off. Only when it's off do you want to unplug the cable.)

Another reason is that it is possible your residential gateway has your computer setup in a DMZ. This would allow pretty much any Internet host to send you traffic of any kind directly.

Hope this helps.

Cheers,

JFD

edit flag offensive delete link

Comments

This is a good answer. To add to this, most firewalls are "stateful" - they will maintain a list of active TCP/UDP connections. Depending on your residential gateway, it may be stateful, and you may be able to set the timeout for these connections (I've seen 5-15 min).

Agreeing with JFD, it's worth checking out how accessible your computer is from the internet.

Ross Jacobs ( 2019-08-13 02:15:27 +0000 )edit

Thanks for the replies. I would be surprised my computer to be set in DMZ by the router, does not sound like what it should be doing by default, any way I could check this ?

I will try to capture packets over a longer time period with appropriate filters to see when connection is initiated.

ArnaudM ( 2019-08-20 14:16:01 +0000 )edit

add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Log analysis - suspicious inbound

Comments

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

Log analysis - suspicious inbound edit

Comments

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

Log analysis - suspicious inbound