• Status: Solved

Source of scan

My sonic firewall log has this entry "Probable TCP NULL scan dropped". The source is from our off-site office, which has 20 computers (mix of W98 & XP). How can I determine which computer is doing the scan? I have a (current) CA antivirus program running on all computers.
2 Solutions
Do you have access or remote access to the other network? I assume the computers in the offsite office are all behind a router / firewall. You're going to need to sniff the network at the remote site. Alternatively, can you telnet into that router and dump its logs? If logging is enabled on it, it should show you a routing table with time stamps which would correspond to your logfiles...


Or if you are doing NAT on the other end, it's a bit difficult to guess until and unless the log files are stored... It could be someone seriously trying to have some fun... or even an error in the firewall's interpretation can't be ruled out...
As mugman21 mentioned, if you can listen to the remote traffic or sniff there continuously, it may be possible to find out the culprit...
Or enable logging on the NAT device and make sure the time is synced to NTP so you can correlate with the event.
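
An added example, not part of the thread: a minimal offline check of a capture taken on the remote office LAN (classic pcap format, Ethernet) that lists TCP segments with no flags set, grouped by source MAC and IP, with timestamps to line up against the firewall log. The function names, addresses and sample frames are constructed for illustration.

```python
import struct
from collections import defaultdict

def null_scan_sources(pcap: bytes) -> dict:
    """Map (source MAC, source IP) -> [(epoch seconds, dst port)] for flagless TCP segments."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None or struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet linktype")
    hits, off = defaultdict(list), 24
    while off + 16 <= len(pcap):
        ts_sec, _, incl_len, _ = struct.unpack(end + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                      # too short or not IPv4
        ihl = (frame[14] & 0x0F) * 4      # IPv4 header length in bytes
        frag_off = struct.unpack("!H", frame[20:22])[0] & 0x1FFF
        tcp = frame[14 + ihl:]
        if frame[23] != 6 or frag_off or len(tcp) < 14:
            continue                      # not TCP, later fragment, or truncated
        if tcp[13] & 0x3F == 0:           # URG/ACK/PSH/RST/SYN/FIN all clear
            src = (frame[6:12].hex(":"), ".".join(map(str, frame[26:30])))
            hits[src].append((ts_sec, struct.unpack("!H", tcp[2:4])[0]))
    return dict(hits)

def _frame(src_mac: str, src_ip: tuple, dport: int, flags: int) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame for the sample capture."""
    eth = bytes(6) + bytes.fromhex(src_mac) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(src_ip), bytes((10, 0, 0, 1)))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, flags, 1024, 0, 0)
    return eth + ip + tcp

def sample_capture() -> bytes:
    """Constructed capture: one host sends flagless probes, another a normal SYN."""
    frames = [_frame("001122334455", (192, 168, 1, 23), p, 0x00) for p in (21, 22, 23)]
    frames.append(_frame("001122334466", (192, 168, 1, 40), 80, 0x02))
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000_000 + i, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for src, probes in null_scan_sources(sample_capture()).items():
        print(src, probes)
```

The source MAC only identifies the machine when the capture is taken on the same LAN segment as the office PCs, before the NAT device rewrites the addresses.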
eliallen (Author) Commented:
Thanks, I think it was an error in the firewall.
