
Log analysis - suspicious inbound

I am relatively new to Wireshark analysis so apologies if this is straightforward, but I am puzzled by this one.

I am doing traffic analysis on a local machine using the following procedure: launching a capture on the Ethernet interface, plugging in my computer's Ethernet cable after the capture has started (so as not to miss any packet sent), and then reviewing the log.

I have noticed that every time I did this, relatively early after plugging in the Ethernet cable, there was an external IP address sending a [FIN,ACK] packet to the local address (192.168.1.X) of my computer. My question is twofold:

  1. Like most residential users, I am behind a residential gateway acting as a router. How can an external address directly communicate with my machine?

  2. Why is this host sending a [FIN,ACK] packet? There is no other TCP stream with this address before (or at least none I could observe).

In case helpful, the external IP is 151.139.128.14. Googling the address resulted in a few hits but nothing really explanatory of this.
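A way to check point 2 systematically rather than by eye, as an added example that is not part of the original question: export the capture's TCP segments with tshark and flag every inbound segment whose conversation has no earlier SYN anywhere in the file. The tshark command in the docstring is a standard field export (all field names are real tshark fields); the rows in `SAMPLE_EXPORT` are constructed for the example, with 203.0.113.5 standing in for a normal outbound HTTPS connection and the questioner's 151.139.128.14 sending the lone [FIN,ACK]. `LOCAL_NET` assumes the 192.168.1.0/24 subnet from the question.

```python
"""
Flag inbound TCP segments whose connection was never opened in the capture.

Added example, not code from the original question. The input format is a
comma-separated tshark field export, e.g. (run against the real capture):

    tshark -r capture.pcapng -Y tcp -T fields -E separator=, \
        -e frame.time_relative -e ip.src -e ip.dst \
        -e tcp.srcport -e tcp.dstport -e tcp.flags

tcp.flags is printed as a hex value ("0x011", "0x0011", ... depending on the
Wireshark version); int(x, 16) accepts all of those spellings.
"""
import ipaddress
from dataclasses import dataclass

# TCP flag bits as they appear in tcp.flags.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80
FLAG_NAMES = [(FIN, "FIN"), (SYN, "SYN"), (RST, "RST"), (PSH, "PSH"),
              (ACK, "ACK"), (URG, "URG"), (ECE, "ECE"), (CWR, "CWR")]

# Assumed local subnet, taken from the question (192.168.1.X).
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample export: one ordinary outbound HTTPS connection to
# 203.0.113.5 (SYN, SYN/ACK, ACK, data both ways), then a [FIN,ACK] arriving
# from 151.139.128.14 for a connection never opened here, and the host's RST
# reply. These rows are made up to exercise the logic; they are not from the
# questioner's capture.
SAMPLE_EXPORT = """\
0.000000,192.168.1.20,203.0.113.5,52310,443,0x002
0.031000,203.0.113.5,192.168.1.20,443,52310,0x012
0.031200,192.168.1.20,203.0.113.5,52310,443,0x010
0.045000,192.168.1.20,203.0.113.5,52310,443,0x018
0.080000,203.0.113.5,192.168.1.20,443,52310,0x018
0.200000,151.139.128.14,192.168.1.20,443,49872,0x011
0.200300,192.168.1.20,151.139.128.14,49872,443,0x004
"""


@dataclass(frozen=True)
class Segment:
    time: float
    src: str
    dst: str
    sport: int
    dport: int
    flags: int


def parse_export(text):
    """Parse the tshark field export into Segment records."""
    segments = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, sport, dport, flags = line.split(",")
        segments.append(Segment(float(t), src, dst, int(sport), int(dport), int(flags, 16)))
    return segments


def describe_flags(flags):
    """Render a tcp.flags value the way Wireshark's info column does, e.g. 'FIN,ACK'."""
    return ",".join(name for bit, name in FLAG_NAMES if flags & bit)


def conversation_key(seg):
    """Direction-independent key for a TCP conversation (both endpoints)."""
    return frozenset({(seg.src, seg.sport), (seg.dst, seg.dport)})


def is_private_address(addr):
    """True for RFC 1918 / other private ranges (192.168.1.5 yes, 128.1.1.5 no)."""
    return ipaddress.ip_address(addr).is_private


def find_unsolicited_inbound(segments, local_net):
    """
    Return inbound segments (source outside local_net, destination inside it)
    whose conversation has no SYN earlier in the capture. A hit means the
    connection was not opened within this capture window; it does not by
    itself say why the remote host sent the segment.
    """
    seen_syn = set()
    flagged = []
    for seg in sorted(segments, key=lambda s: s.time):
        key = conversation_key(seg)
        if seg.flags & SYN:
            seen_syn.add(key)
            continue
        inbound = (ipaddress.ip_address(seg.src) not in local_net
                   and ipaddress.ip_address(seg.dst) in local_net)
        if inbound and key not in seen_syn:
            flagged.append(seg)
    return flagged


if __name__ == "__main__":
    for seg in find_unsolicited_inbound(parse_export(SAMPLE_EXPORT), LOCAL_NET):
        print(f"{seg.time:.6f} {seg.src}:{seg.sport} -> {seg.dst}:{seg.dport} "
              f"[{describe_flags(seg.flags)}] no SYN seen for this conversation")
```

In Wireshark itself the same check is `ip.addr == 151.139.128.14 && tcp` followed by `tcp.stream eq N` on the stream number of that segment, to confirm the file holds nothing earlier for it. One caveat worth keeping in mind when reading the result: a capture started at boot cannot contain connections that existed before it, so "no SYN in this file" only means the connection was not opened during the capture window, not that it never existed.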