First time here? Check out the FAQ!
THIS IS A TEST INSTANCE. Feel free to ask and answer questions, but take care to avoid triggering too many notifications.
Ask Your Question
0

How do I figure out why advanced ip scanner can see the ip address but I can't ping the ip address?

  • retag add tags

I've got a meraki firewall. My old camera network is on 192.168.1.0/24 network. On my PC, I am sitting with a 10.10.11.0/24 ip address, and I can ping the 192.168.1.254, which is the default gateway for the 192.168.1.0/24 network. However, I can't ping 192.168.1.108 which is the specific camera that is on the 192.168.1.0/24 network. Additionally, when I use advanced ip scanner, I can see the 192.168.1.108 as if it is online, but not yet pingable or reachable via HTTP. I am trying to do a packet capture, but really not sure how to capture or what expressions to use correctly to see maybe what is going on here??? Thoughts?

THank you,

js7's avatar
1
js7
asked 2021-11-20 14:48:43 +0000
edit flag offensive 0 remove flag close merge delete

Comments

add a comment see more comments

2 Answers

0

The application does network discovery with port scans not a ping (ICMP) sweep:

No.     Time        Source          Destination    Proto  Len   Info
3212    19.564054   192.168.200.26  192.168.200.105 TCP 66  51955 → 4899 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
3213    19.568213   192.168.200.105 192.168.200.26  TCP 60  4899 → 51955 [RST, ACK] Seq=1 Ack=1 Win=5840 Len=0
3350    20.076142   192.168.200.26  192.168.200.105 TCP 66  [TCP Retransmission] [TCP Port numbers reused] 51955 → 4899 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
3357    20.080791   192.168.200.105 192.168.200.26  TCP 60  4899 → 51955 [RST, ACK] Seq=1 Ack=1 Win=5840 Len=0
3555    20.583165   192.168.200.26  192.168.200.105 TCP 66  [TCP Retransmission] [TCP Port numbers reused] 51955 → 4899 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
3558    20.587136   192.168.200.105 192.168.200.26  TCP 60  4899 → 51955 [RST, ACK] Seq=1 Ack=1 Win=5840 Len=0
3627    21.098360   192.168.200.26  192.168.200.105 TCP 66  [TCP Retransmission] [TCP Port numbers reused] 51955 → 4899 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
3629    21.103232   192.168.200.105 192.168.200.26  TCP 60  4899 → 51955 [RST, ACK] Seq=1 Ack=1 Win=5840 Len=0

If the firewall allows the outbound SYN and the camera responds that the port is not available (RST,ACK for this test device) then the application knows there exists a device with that IP address.

image description image description image description

Chuckc's avatar
3k
Chuckc
answered 2021-11-22 05:10:03 +0000, updated 2021-11-22 05:13:15 +0000
edit flag offensive 0 remove flag delete link
more

Comments

Thus it's likely that the firewall is blocking ICMP requests or replies (as used by ping).

grahamb's avatar grahamb (2021-11-22 09:19:12 +0000) edit
more
  • delete

Thank you both for your help.

@grahamb - I want to say the first mistake I made was I did a packet capture on the Meraki firewall, and I was capturing the wrong interface, I was capturing the "Internet" port, which obviously did not show in the packet capture for when I was looking for either my laptop 10.10.11.3 or the camera itself 192.168.1.108. I don't think the firewall is blocking ICMP requests or replies... the reason why is because I can ping the gateway/virtual interface of 192.168.1.254.

@Chuckc - Now that I begin to do the packet capture on the correct interface the "LAN" interface, I saw both the 10.10.11.3 (my laptop) and 192.168.1.108 (camera). Can you elaborate more on your screenshots and responses?

The application does network discovery with port scans not a ...

(more)
js7's avatar js7 (2021-11-22 13:15:28 +0000) edit
more
  • delete

@js7, I thought you said the ping to the device failed, if that's still the case, then either the device doesn't respond to the ping, or it does but because of misconfiguration it doesn't send it via the expected default gateway, or it does the correct thing but any intervening devices, e.g. the Meraki blocks it.

Just because the Meraki isn't blocking ICMP to its own interface address on the 192.169.1.0/4 subnet doesn't mean it's allowing anything out (or back).

grahamb's avatar grahamb (2021-11-22 14:10:39 +0000) edit
more
  • delete

@grahamb, yes the ping to the device failed when it was on the 192.168.1.0/24 network.

What if I put the camera back on the 192.168.1.0/24 network with ip address of 192.168.1.108 and see if I can recreate the problem? How can I use packet capture or what exactly should I capture to figure out what is going on.

Perhaps like you said the Meraki isn't blocking ICMP to its own interface? but it does block it on the other networks?

js7's avatar js7 (2021-11-22 14:16:53 +0000) edit
more
  • delete

Like any form of packet drop, finding the culprit is matter of moving the capture point further along the chain between sender and receiver which is often easier said than done, especially on a home environment.

First consider do you actually need ICMP to the camera, if not, then it's not an issue.

grahamb's avatar grahamb (2021-11-22 14:24:35 +0000) edit
more
  • delete
add a comment see more comments
0

From the limited documentation I've seen it tries several services in the given network range to establish if a host is present. What you can do is set a capture filter expression host 192.168.1.108, start the capture and start the scanner. This way all other traffic will be left out and the protocol exchanges should be obvious.

Jaap's avatar
13.7k
Jaap
answered 2021-11-21 09:16:55 +0000
edit flag offensive 0 remove flag delete link
more

Comments

add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

Add Answer