
Log analysis - suspicious inbound

I am relatively new to Wireshark analysis so apologies if this is straightforward, but I am puzzled by this one.

I am doing traffic analysis on a local machine using the following procedure: launching a capture on the Ethernet interface, plugging in my computer after the capture has started (so as not to miss any packet sent) and then reviewing the log.

I have noticed that every time I did this, relatively early after plugging in the Ethernet cable, there was an external IP address sending a [FIN,ACK] packet to the local address (192.168.1.X) of my computer. My question is twofold:

  1. Like most residential users, I am behind a residential gateway acting as a router. How can an external address communicate directly with my machine?

  2. Why is it sending a [FIN,ACK] packet? There is no other TCP stream with this address before it (or at least none I could observe).

In case helpful, the external IP is 151.139.128.14. Googling the address resulted in a few hits but nothing really explanatory of this.

ArnaudM, asked 2019-08-07 17:26:47 +0000, updated 2019-08-09 13:22:39 +0000

Comments

Hi, most residential gateways use NAT between the public IP address you get from the ISP and the private IP addresses on your local (home) network. Are you using NAT? When you say 128.1.1.X is a local address, what do you mean? 128.1.1.X seems to belong to Zenlayer and is a public IP address.

Spooky (2019-08-08 01:51:51 +0000)

Yes, you're right - I mistyped the local IP address. I edited the post to fix this. Thanks for pointing it out.

ArnaudM (2019-08-09 13:23:24 +0000)

1 Answer


Hi Arnaud,

There are a few reasons you might see this traffic.

One reason could be that your computer does initiate a TCP connection to 151.139.128.14 when it is plugged in, and you are capturing the FIN/ACK because the connection is now being closed (timeout?).

Now, if this happens every time, then look into capturing traffic to and from 151.139.128.14 over a longer period. This is to allow you to capture the TCP connection being initiated by the computer. TCP connections may be long-lived, so it may have been established when the computer was plugged in and "held" by the remote host when you unplugged your computer. (Try leaving the cable plugged in when you power down so that your TCP/IP stack has time to close all connections before signing off. Only when it's off do you want to unplug the cable.)

Another reason is that it is possible your residential gateway has your computer set up in a DMZ. This would allow pretty much any Internet host to send you traffic of any kind directly.

Hope this helps.

Cheers,

JFD

Spooky, answered 2019-08-13 01:51:42 +0000, updated 2019-08-13 01:52:35 +0000
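One way to run the check JFD recommends over a longer capture, added here as an example and not part of the answer or of Wireshark itself: export the TCP segments with tshark's field output and look for segments from a remote host that belong to no connection whose SYN appears in the capture. Two things are worth separating: a mid-stream segment (such as the FIN/ACK in the question) with no earlier SYN, where the local host's reply tells you whether its own TCP stack still knew the connection (an ACK or FIN/ACK in reply means the connection existed locally and simply predates the capture; a RST means the local stack had no state for it, e.g. because the machine was rebooted), and an unsolicited inbound SYN, which can only reach a host behind a NAT gateway if the gateway forwards that port or has the host in its DMZ. The sample rows, the 192.168.1.0/24 LAN and the exact tshark invocation are assumptions; the same view in the Wireshark GUI is the display filter `ip.addr == 151.139.128.14 && (tcp.flags.syn == 1 || tcp.flags.fin == 1 || tcp.flags.reset == 1)`.

```python
import sys
from typing import Dict, List, Tuple

# TCP flag bits, as in the low byte of Wireshark's tcp.flags field
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# Assumption: the home LAN is 192.168.1.0/24, as in the question
LOCAL_NET = "192.168.1."

# Constructed sample input (not a real capture), in the shape produced by
#   tshark -r cap.pcapng -Y tcp -T fields -e frame.time_relative -e ip.src \
#          -e tcp.srcport -e ip.dst -e tcp.dstport -e tcp.flags
# Rows: a normal outbound connection (SYN, SYN/ACK, ACK); a FIN/ACK from
# 151.139.128.14 with no SYN earlier in the capture, answered by a local RST;
# and an unsolicited SYN from outside to port 22 that the host answers with SYN/ACK.
SAMPLE = """\
0.000000\t192.168.1.23\t51824\t93.184.216.34\t443\t0x0002
0.021000\t93.184.216.34\t443\t192.168.1.23\t51824\t0x0012
0.021100\t192.168.1.23\t51824\t93.184.216.34\t443\t0x0010
1.500000\t151.139.128.14\t443\t192.168.1.23\t50112\t0x0011
1.500200\t192.168.1.23\t50112\t151.139.128.14\t443\t0x0004
2.300000\t203.0.113.5\t40000\t192.168.1.23\t22\t0x0002
2.300100\t192.168.1.23\t22\t203.0.113.5\t40000\t0x0012
"""

Packet = Tuple[float, str, int, str, int, int]
FlowKey = Tuple[str, int, str, int]   # (local ip, local port, remote ip, remote port)


def flag_names(flags: int) -> str:
    """Render a tcp.flags value the way Wireshark's Info column does, e.g. 0x11 -> 'FIN/ACK'."""
    names = [n for bit, n in ((SYN, "SYN"), (FIN, "FIN"), (RST, "RST"),
                              (PSH, "PSH"), (ACK, "ACK")) if flags & bit]
    return "/".join(names) or "none"


def parse(text: str) -> List[Packet]:
    """Parse tab-separated tshark field output; tcp.flags may print as 0x11, 0x0011 or 0x00000011."""
    pkts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, sport, dst, dport, flags = line.split("\t")
        pkts.append((float(t), src, int(sport), dst, int(dport), int(flags, 16)))
    return pkts


def analyze(pkts: List[Packet], local_net: str = LOCAL_NET) -> List[dict]:
    """Report segments from remote hosts that belong to no connection whose SYN is in the capture.

    kind == "no-syn":      mid-stream segment (FIN/ACK, ACK, data) with no earlier SYN either way;
                           local_rst tells whether the local stack rejected it as an unknown connection.
    kind == "inbound-syn": a remote host opened a connection to us; behind NAT that needs a port
                           forward or DMZ entry on the gateway.
    """
    seen_syn: Dict[FlowKey, str] = {}        # flow -> which side sent the first SYN
    open_findings: Dict[FlowKey, dict] = {}  # flows already reported, to attach the local reply
    findings: List[dict] = []
    for t, src, sport, dst, dport, flags in pkts:
        src_local, dst_local = src.startswith(local_net), dst.startswith(local_net)
        if src_local == dst_local:           # LAN-internal or transit traffic: not of interest here
            continue
        if src_local:
            key, sender = (src, sport, dst, dport), "local"
        else:
            key, sender = (dst, dport, src, sport), "remote"
        is_syn = bool(flags & SYN) and not flags & ACK
        if sender == "remote" and key not in seen_syn and key not in open_findings:
            f = {"time": t, "remote": f"{src}:{sport}", "local": f"{dst}:{dport}",
                 "flags": flag_names(flags),
                 "kind": "inbound-syn" if is_syn else "no-syn",
                 "local_rst": False}
            findings.append(f)
            open_findings[key] = f
        if sender == "local" and flags & RST and key in open_findings:
            open_findings[key]["local_rst"] = True   # local stack had no state for this connection
        if is_syn:
            seen_syn.setdefault(key, sender)
    return findings


if __name__ == "__main__":
    # Usage: python stray_tcp.py fields.tsv   (no argument: run on the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for f in analyze(parse(text)):
        print(f"{f['time']:10.6f}  {f['remote']:>21} -> {f['local']:<19} "
              f"{f['flags']:8} {f['kind']:12} local RST: {f['local_rst']}")
```

Run against a capture that starts before the cable is plugged in and runs for longer than the gateway's connection timeout: if the FIN/ACK from 151.139.128.14 keeps showing up as "no-syn" and the local host answers it with a RST, the remote side (or the gateway's NAT table) is holding state for a connection the local machine no longer has, exactly the "held" connection JFD describes; an "inbound-syn" finding that the host answers with SYN/ACK is direct evidence that the gateway lets that port through from the Internet.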

Comments

This is a good answer. To add to this, most firewalls are "stateful" - they will maintain a list of active TCP/UDP connections. Depending on your residential gateway, it may be stateful, and you may be able to set the timeout for these connections (I've seen 5-15 min).

Agreeing with JFD, it's worth checking out how accessible your computer is from the internet.

Ross Jacobs (2019-08-13 02:15:27 +0000)

Thanks for the replies. I would be surprised if my computer were set in a DMZ by the router; that does not sound like what it should be doing by default. Is there any way I could check this?

I will try to capture packets over a longer time period with appropriate filters to see when connection is initiated.

ArnaudM (2019-08-20 14:16:01 +0000)