Government Security
Network Security Resources

192.168.0.255



#1 Guest_KuunLB_*

Guest_KuunLB_*
  • Guests

Posted 13 August 2003 - 08:09 PM

ok,

i ran the packetmon thing that gsecur suggested...

i noticed some very... intriguing packets being sent....

both internal computers listed as 192.168.0.1 and 192.168.0.2 are sending packets to this IP 192.168.0.255

on ports 17 137 139 2869 and a few others...

when i view the packet it has something referring to MShome.net

what is this?


00 00 00 C0 AC 00 00 00 0F 00 00 00 00 00 00 00 ................
14 00 00 00 03 00 00 00 00 00 00 00 08 00 00 00 ................
00 00 00 00 3C 00 00 00 03 00 01 00 53 15 32 01 ....<.......S.2.
11 6E F3 06 2A 7C 03 00 C2 47 04 00 02 00 00 00 .n..*|...G......
16 00 00 00 D0 3C EA 1A 14 45 01 00 16 BB 02 00 .....<...E......
00 02 00 00 0B 00 00 00 11 00 00 00 00 00 00 00 ................
38 00 00 00 6D 73 68 6F 6D 65 2E 6E 65 74 00 00 8...mshome.net..
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
14 00 00 00 00 00 00 00 1C 00 00 00 40 5A B1 39 ............@Z.9
17 62 C3 01 0E 07 3B 3F 00 00 00 00 .b....;?....

this is the packet from 192.168.0.1 which is my winME gateway machine....

what is 192.168.0.255 and why are packets being transferred?!

Kuun

#2 Jeremy

Jeremy

    Commander in Chief

  • Retired Admin
  • 2,459 posts

Posted 13 August 2003 - 08:30 PM

That is your network's broadcast address... tho some of the information might not seem legit, it is fine in the sense that it doesn't get sent anywhere outside of ur network.

#3 Guest_KuunLB_*

Guest_KuunLB_*
  • Guests

Posted 13 August 2003 - 08:32 PM

broadcast address?

what is that the IP of my hub?

#4 Jeremy

Jeremy

    Commander in Chief

  • Retired Admin
  • 2,459 posts

Posted 13 August 2003 - 08:53 PM

Most likely the hub's IP is whatever ur gateway address is... i mean there is no way for me to tell from outside your network tho.

#5 Guest_KuunLB_*

Guest_KuunLB_*
  • Guests

Posted 13 August 2003 - 08:57 PM

it's just a general setup

the winME machine is on dialup and sharing the internet through ICS to me through a 12 port HP advanced stack J2600a

the ME machine is 192.168.0.1 and im 192.168.0.2

#6 packet

packet

    Specialist

  • Sergeant Major
  • 649 posts

Posted 14 August 2003 - 05:59 AM

The broadcast address is an IP that, when it is sent to, is broadcast out to all computers on the subnet, and all computers listen for that broadcast traffic. On a network with a subnet mask of 255.255.255.0 (class C or /24) your broadcast address would be x.x.x.255. So for you your network is 192.168.0.0/24, so the usable address range is 192.168.0.1 to 192.168.0.254 with a network address of 192.168.0.0 and a broadcast address of 192.168.0.255.

Windows uses the broadcast address for communication and discovery of other windows boxes. (windows is pretty chatty)

--P.G.
Abusus non tolit usum
The gopher is back!

#7 Guest_KuunLB_*

Guest_KuunLB_*
  • Guests

Posted 14 August 2003 - 04:19 PM

oooooooooooooooooooohhhhhhhhhhhhh

now that you explain it that way.. cool i understand that

yeah... 3300 packets from network sources over a 7 hour period

#8 Guest_Security Guru_*

Guest_Security Guru_*
  • Guests

Posted 16 August 2003 - 06:50 AM

Like the other members said, that IP address 192.168.0.1 is a Class C IP address because it begins with 192 - 223 and it's also on a network. :D

If you see an IP address that starts with:
10.0.0.0
172.0.0.0.0
192.168.0.1

watch out they are probably on a network or behind a proxy server. :blink:

#9 Guest_SKyLiNe_*

Guest_SKyLiNe_*
  • Guests

Posted 03 December 2003 - 02:49 AM

Like the other members said, that IP address 192.168.0.1 is a Class C IP address because it begins with 192 - 223 and it's also on a network. :D

If you see an IP address that starts with:
10.0.0.0
172.0.0.0.0
192.168.0.1

watch out they are probably on a network or behind a proxy server. :blink:

Also known as Private Address ranges :D
"watch out they are probably on a network"
I guess what you mean is that they are either behind a router
or behind some type of NAT box :lol:

#10 Guest_ikkyu_*

Guest_ikkyu_*
  • Guests

Posted 04 December 2003 - 12:12 PM

I can say that port 137 sent to a network address is ms browsing, i.e. when you look in "network neighborhood" or whatever it's called these days this is how the entries get there

for a more in-depth explanation of browsing and all the associated chatter
http://www.linux-mag...-05/smb_01.html

if you want a good way to tell if traffic is malignant or not I suggest http://www.snort.org
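
Added example, not part of any post in this thread: a Python sketch of the subnet arithmetic from reply #6 combined with the port 137 observation above, used to check that Windows chatter stays on the local subnet. The flow records, the `CHATTER_PORTS` labels and all function names are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# 137/138/139 are the NetBIOS name, datagram and session services;
# 2869 is IANA-registered as icslap (Windows ICS / UPnP eventing).
CHATTER_PORTS = {137: "netbios-ns", 138: "netbios-dgm",
                 139: "netbios-ssn", 2869: "icslap"}

def local_network(host_ip, netmask):
    """Derive the subnet from one host's address and its subnet mask."""
    return ipaddress.ip_interface(f"{host_ip}/{netmask}").network

def classify(dst, net):
    """Say where a packet addressed to dst goes, relative to subnet net."""
    addr = ipaddress.ip_address(dst)
    if addr == net.broadcast_address:
        return "subnet-broadcast"
    if addr == ipaddress.ip_address("255.255.255.255"):
        return "limited-broadcast"
    if addr.is_multicast:
        return "multicast"
    return "local-unicast" if addr in net else "off-subnet"

def triage(flows, net):
    """Count flows by (destination kind, port label) and collect Windows
    chatter addressed outside the subnet, which is the case worth reviewing."""
    summary, review = Counter(), []
    for src, dst, port in flows:
        kind = classify(dst, net)
        summary[(kind, CHATTER_PORTS.get(port, "other"))] += 1
        if kind == "off-subnet" and port in CHATTER_PORTS:
            review.append((src, dst, port))
    return summary, review

# Constructed sample flows (src, dst, dst_port); not the poster's capture.
SAMPLE_FLOWS = [
    ("192.168.0.1", "192.168.0.255", 137),
    ("192.168.0.2", "192.168.0.255", 137),
    ("192.168.0.2", "192.168.0.255", 139),
    ("192.168.0.1", "192.168.0.255", 2869),
    ("192.168.0.2", "192.168.0.1", 53),
    ("192.168.0.2", "203.0.113.10", 137),  # documentation range, stands in for an outside host
]

if __name__ == "__main__":
    net = local_network("192.168.0.2", "255.255.255.0")
    print(net, "broadcast:", net.broadcast_address)
    summary, review = triage(SAMPLE_FLOWS, net)
    for key, count in sorted(summary.items()):
        print(count, *key)
    print("review:", review)
```
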

#11 Guest_Hardcore_*

Guest_Hardcore_*
  • Guests

Posted 04 December 2003 - 01:22 PM

Another thing is you mentioned a HUB. You may want to prevent some traffic and collision by spending $50 and buying a 4 port switch (linksys is good and cheap)...

Just a thought....

-Hardcore

#12 slimjim100

slimjim100

    Private First Class

  • Members
  • 29 posts

Posted 08 April 2004 - 01:11 AM

Hey not trying to be redundant but with a hub you only have one collision/broadcast domain so any traffic a PC sends will pass by all other PCs on that hub. That is why you need a switch. A switch creates a separate collision/broadcast domain per port so if you set it up right you have some privacy and saved bandwidth. Another reason to use a switch is so you can VLAN your ports and micro-segment your network; this will add some security. A switch also will give you better control and management over your LAN. The only thing I use hubs for is to combine SMTP traffic so I can save ports on my metro Switches when collecting MIBs.

Slimjim100



