Ask Your Question
0

How do I figure out why advanced ip scanner can see the ip address but I can't ping the ip address?

asked 2021-11-20 14:48:43 +0000

js7 gravatar image

I've got a meraki firewall. My old camera network is on 192.168.1.0/24 network. On my PC, I am sitting with a 10.10.11.0/24 ip address, and I can ping the 192.168.1.254, which is the default gateway for the 192.168.1.0/24 network. However, I can't ping 192.168.1.108 which is the specific camera that is on the 192.168.1.0/24 network. Additionally, when I use advanced ip scanner, I can see the 192.168.1.108 as if it is online, but not yet pingable or reachable via HTTP. I am trying to do a packet capture, but really not sure how to capture or what expressions to use correctly to see maybe what is going on here??? Thoughts?

THank you,

edit retag flag offensive close merge delete

2 Answers

Sort by » oldest newest most voted
0

answered 2021-11-22 05:10:03 +0000

Chuckc gravatar image

updated 2021-11-22 05:13:15 +0000

The application does network discovery with port scans not a ping (ICMP) sweep:

No.     Time        Source          Destination    Proto  Len   Info
3212    19.564054   192.168.200.26  192.168.200.105 TCP 66  51955 → 4899 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
3213    19.568213   192.168.200.105 192.168.200.26  TCP 60  4899 → 51955 [RST, ACK] Seq=1 Ack=1 Win=5840 Len=0
3350    20.076142   192.168.200.26  192.168.200.105 TCP 66  [TCP Retransmission] [TCP Port numbers reused] 51955 → 4899 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
3357    20.080791   192.168.200.105 192.168.200.26  TCP 60  4899 → 51955 [RST, ACK] Seq=1 Ack=1 Win=5840 Len=0
3555    20.583165   192.168.200.26  192.168.200.105 TCP 66  [TCP Retransmission] [TCP Port numbers reused] 51955 → 4899 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
3558    20.587136   192.168.200.105 192.168.200.26  TCP 60  4899 → 51955 [RST, ACK] Seq=1 Ack=1 Win=5840 Len=0
3627    21.098360   192.168.200.26  192.168.200.105 TCP 66  [TCP Retransmission] [TCP Port numbers reused] 51955 → 4899 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
3629    21.103232   192.168.200.105 192.168.200.26  TCP 60  4899 → 51955 [RST, ACK] Seq=1 Ack=1 Win=5840 Len=0

If the firewall allows the outbound SYN and the camera responds that the port is not available (RST,ACK for this test device) then the application knows there exists a device with that IP address.

image description image description image description

edit flag offensive delete link more

Comments

Thus it's likely that the firewall is blocking ICMP requests or replies (as used by ping).

grahamb gravatar imagegrahamb ( 2021-11-22 09:19:12 +0000 )edit

Thank you both for your help.

@grahamb - I want to say the first mistake I made was I did a packet capture on the Meraki firewall, and I was capturing the wrong interface, I was capturing the "Internet" port, which obviously did not show in the packet capture for when I was looking for either my laptop 10.10.11.3 or the camera itself 192.168.1.108. I don't think the firewall is blocking ICMP requests or replies... the reason why is because I can ping the gateway/virtual interface of 192.168.1.254.

@Chuckc - Now that I begin to do the packet capture on the correct interface the "LAN" interface, I saw both the 10.10.11.3 (my laptop) and 192.168.1.108 (camera). Can you elaborate more on your screenshots and responses?

The application does network discovery with port scans not a ...

(more)
js7 gravatar imagejs7 ( 2021-11-22 13:15:28 +0000 )edit

@js7, I thought you said the ping to the device failed, if that's still the case, then either the device doesn't respond to the ping, or it does but because of misconfiguration it doesn't send it via the expected default gateway, or it does the correct thing but any intervening devices, e.g. the Meraki blocks it.

Just because the Meraki isn't blocking ICMP to its own interface address on the 192.169.1.0/4 subnet doesn't mean it's allowing anything out (or back).

grahamb gravatar imagegrahamb ( 2021-11-22 14:10:39 +0000 )edit

@grahamb, yes the ping to the device failed when it was on the 192.168.1.0/24 network.

What if I put the camera back on the 192.168.1.0/24 network with ip address of 192.168.1.108 and see if I can recreate the problem? How can I use packet capture or what exactly should I capture to figure out what is going on.

Perhaps like you said the Meraki isn't blocking ICMP to its own interface? but it does block it on the other networks?

js7 gravatar imagejs7 ( 2021-11-22 14:16:53 +0000 )edit

Like any form of packet drop, finding the culprit is matter of moving the capture point further along the chain between sender and receiver which is often easier said than done, especially on a home environment.

First consider do you actually need ICMP to the camera, if not, then it's not an issue.

grahamb gravatar imagegrahamb ( 2021-11-22 14:24:35 +0000 )edit
0

answered 2021-11-21 09:16:55 +0000

Jaap gravatar image

From the limited documentation I've seen it tries several services in the given network range to establish if a host is present. What you can do is set a capture filter expression host 192.168.1.108, start the capture and start the scanner. This way all other traffic will be left out and the protocol exchanges should be obvious.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2021-11-20 14:48:43 +0000

Seen: 141 times

Last updated: Nov 22