# how to identify the origin of a packet

## alex.blackbit

hi,

i use shorewall on my internet gateway.

there i get log messages like these:

```
Apr 13 09:08:13 net4801 kernel: [1720895.203628] Shorewall:FORWARD:REJECT:IN=eth1 OUT=ppp0 SRC=192.168.0.2 DST=192.168.178.21 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=392 DF PROTO=TCP SPT=55963 DPT=1024 WINDOW=14600 RES=0x00 SYN URGP=0 

Apr 13 09:08:13 net4801 kernel: [1720895.204976] Shorewall:FORWARD:REJECT:IN=eth1 OUT=ppp0 SRC=192.168.0.2 DST=192.168.178.21 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=14767 DF PROTO=TCP SPT=55964 DPT=1024 WINDOW=14600 RES=0x00 SYN URGP=0 

Apr 13 09:08:19 net4801 kernel: [1720901.198082] Shorewall:FORWARD:REJECT:IN=eth1 OUT=ppp0 SRC=192.168.0.2 DST=192.168.178.21 LEN=56 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=55878 DPT=1024 LEN=36 

Apr 13 09:37:49 net4801 kernel: [1722672.005149] Shorewall:FORWARD:REJECT:IN=eth1 OUT=ppp0 SRC=192.168.0.2 DST=192.168.178.21 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=7598 DF PROTO=TCP SPT=36471 DPT=1024 WINDOW=14600 RES=0x00 SYN URGP=0 

Apr 13 09:37:49 net4801 kernel: [1722672.008780] Shorewall:FORWARD:REJECT:IN=eth1 OUT=ppp0 SRC=192.168.0.2 DST=192.168.178.21 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2041 DF PROTO=TCP SPT=36472 DPT=1024 WINDOW=14600 RES=0x00 SYN URGP=0 

Apr 13 09:37:55 net4801 kernel: [1722677.311320] Shorewall:FORWARD:REJECT:IN=eth1 OUT=ppp0 SRC=192.168.0.2 DST=192.168.178.21 LEN=56 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=55878 DPT=1024 LEN=36
```

192.168.0.2 is my workstation.

the subnet 192.168.178.0 is not in use on my LAN.

i am searching for a way to identify which process emits those packets.

i tried with tcpspy which seems to miss those packets.

lsof does not help either.

who knows a way to log the process ID/name of packets that match certain criteria? in this case that would be the destination ip.

----------

## krinn

as it just queries another local network ip, it might just be an application that was bound to that ip and you forgot about it

as it queries an answer from that ip on port 1024, just check who is listening on 1024 (i suspect the query comes from the application that is also listening)

netstat --listen and look who's at 1024 (if anyone is there, of course)

----------

## alex.blackbit

there is no ip 192.168.178.21 in my network, nothing in 192.168.178.0/24.

i don't understand what you mean regarding the destination port 1024.

on my workstation nothing is listening on 1024.

answer? you think these are answer packets?

why would the initial packets not have been logged?

please clarify.

EDIT: typo

Last edited by alex.blackbit on Wed Apr 13, 2011 5:58 pm; edited 1 time in total

----------

## krinn

yep, i think they are answers to a spoofed query, forged so your computer answers to that ip, and to port number 1024.

a simple icmp is enough for that, and the query might appear legit at first.

----------

## alex.blackbit

do you have any ideas how i could find out where the problem comes from?

i.e. what host initially emitted the suspicious packet to which my workstation (192.168.0.2) answers.

----------

## Veldrin

Depends on how the setup is.

I'd definitely get a tcpdump from your own workstation, even if it is just to confirm that you are not the source...

Then either get another tcpdump from the firewall itself. 

Finally, analyse both dumps in wireshark. 

This should get you started; just replace IF with the interface you are listening on (should be eth1 on the firewall), and omit -w /tmp/tcpdump to see the dump directly on the CLI.

```
# tcpdump -nnvvi IF -w /tmp/tcpdump host 192.168.178.21 and host 192.168.0.2 and port 1024
```

V.

----------

## alex.blackbit

in the meantime i found out that it's transmission that causes these packets.

the packets have the same source port for some time, so i checked that with lsof.

i will move to a different torrent client to see if it's a problem of the protocol or transmission itself.

thank you all.
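The first post asks how to log the process behind packets that match certain criteria, and the last post shows the manual answer: the source port stayed stable for a while, so lsof could match it to a socket. The Python script below is an added example (not code from the thread or from Shorewall) that automates exactly that correlation: it parses a netfilter/Shorewall log line, looks the packet's SRC/SPT pair up in /proc/net/tcp (or /proc/net/udp) to get the socket inode, then scans /proc/<pid>/fd for the process holding that inode. The log line and the /proc/net/tcp excerpt embedded in it are constructed for the example, not captured from the poster's machine; the /proc layout assumed is that of Linux on a little-endian host such as x86.

```python
"""Map a rejected packet in a Shorewall (netfilter) log line back to the local
process that owns the socket it was sent from.  Added example for this thread,
not code from the original posts.  Assumes a Linux host with /proc."""
import os
import re
import socket
import struct
from typing import Dict, Iterator, Optional, Tuple

# Constructed sample modelled on the lines in the thread (not a real capture).
SAMPLE_LOG_LINE = (
    "Apr 13 09:08:13 net4801 kernel: [1720895.203628] Shorewall:FORWARD:REJECT:"
    "IN=eth1 OUT=ppp0 SRC=192.168.0.2 DST=192.168.178.21 LEN=60 TOS=0x00 PREC=0x00 "
    "TTL=63 ID=392 DF PROTO=TCP SPT=55963 DPT=1024 WINDOW=14600 RES=0x00 SYN URGP=0"
)

# Constructed /proc/net/tcp excerpt as printed on a little-endian (x86) host: one
# socket 192.168.0.2:55963 in SYN_SENT (st=02) towards 192.168.178.21:1024, inode 48213.
SAMPLE_PROC_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt"
    "   uid  timeout inode\n"
    "   0: 0200A8C0:DA9B 15B2A8C0:0400 02 00000001:00000000 01:00000014 00000000"
    "  1000        0 48213 1 0000000000000000 100 0 0 10 -1\n"
)

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S+)")
PREFIX_RE = re.compile(r"Shorewall:(\w+):(\w+):")


def parse_log_line(line: str) -> Dict[str, str]:
    """Extract KEY=VALUE fields plus the Shorewall CHAIN and ACTION from a log line.
    Bare flags (DF, SYN) are not captured; on UDP lines the second LEN= (UDP
    length) overwrites the first (IP total length)."""
    fields = dict(FIELD_RE.findall(line))
    m = PREFIX_RE.search(line)
    if m:
        fields["CHAIN"], fields["ACTION"] = m.group(1), m.group(2)
    return fields


def decode_proc_addr(token: str) -> Tuple[str, int]:
    """Turn a /proc/net/tcp 'HEXIP:HEXPORT' token into ('a.b.c.d', port).
    The kernel prints the IPv4 address as a 32-bit value in host byte order,
    so packing it back with native order ('=I') recovers the bytes on any host."""
    hex_ip, hex_port = token.split(":")
    ip = socket.inet_ntoa(struct.pack("=I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def iter_proc_sockets(text: str) -> Iterator[Tuple[str, int, str, int, str, int]]:
    """Yield (local_ip, local_port, remote_ip, remote_port, state, inode) per row."""
    for row in text.splitlines()[1:]:  # first line is the column header
        parts = row.split()
        if len(parts) < 10:
            continue
        lip, lport = decode_proc_addr(parts[1])
        rip, rport = decode_proc_addr(parts[2])
        yield lip, lport, rip, rport, parts[3], int(parts[9])


def find_socket_inode(fields: Dict[str, str], proc_text: str) -> Optional[int]:
    """Inode of the local socket bound to the packet's SRC address and SPT port, or None."""
    src, sport = fields.get("SRC"), int(fields.get("SPT", 0))
    for lip, lport, _rip, _rport, _state, inode in iter_proc_sockets(proc_text):
        if lip == src and lport == sport:
            return inode
    return None


def find_pid_for_inode(inode: int, proc_root: str = "/proc") -> Optional[Tuple[int, str]]:
    """Scan /proc/<pid>/fd for 'socket:[inode]'; return (pid, comm) or None.
    Reading other users' fd directories needs root; unreadable ones are skipped."""
    target = f"socket:[{inode}]"
    try:
        pids = [p for p in os.listdir(proc_root) if p.isdigit()]
    except OSError:
        return None
    for pid in pids:
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    with open(os.path.join(proc_root, pid, "comm")) as f:
                        return int(pid), f.read().strip()
        except OSError:
            continue
    return None


def identify_sender(line: str, proc_text: Optional[str] = None,
                    proc_root: str = "/proc") -> Dict[str, object]:
    """Log line -> parsed fields, owning socket inode and (pid, comm) if found.
    proc_text can be injected for testing; otherwise /proc/net/tcp or /proc/net/udp
    is read according to the packet's PROTO field."""
    fields = parse_log_line(line)
    if proc_text is None:
        table = "udp" if fields.get("PROTO") == "UDP" else "tcp"
        with open(os.path.join(proc_root, "net", table)) as f:
            proc_text = f.read()
    inode = find_socket_inode(fields, proc_text)
    owner = find_pid_for_inode(inode, proc_root) if inode is not None else None
    return {"fields": fields, "inode": inode, "owner": owner}


if __name__ == "__main__":
    # With the constructed data the socket is found; the owner lookup only
    # succeeds on a live host where that inode actually exists.
    print(identify_sender(SAMPLE_LOG_LINE, SAMPLE_PROC_NET_TCP))
```

On a live gateway or workstation, run it as root and pass a fresh log line with `proc_text=None` so the real /proc tables are read. The lookup only works while the socket still exists, which is the same limitation the poster hit with lsof: a client that sends from a short-lived socket and closes it will show up as `inode: None`, and it was the stable source port over several minutes that made the manual lsof check succeed here.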

----------

