Sniffing traffic with Ethereal/Wireshark

I have a strange IP in this message from my PIX:

%PIX-3-305005: No translation group found for udp src inside:169.254.18.19/138 dst outside:169.254.255.255/138

I want to find the IP 169.254.18.19. I have some PCs linked to a Zyxel switch and one cable that goes from the Zyxel to a Catalyst switch that provides the Internet connection. So I have put the Zyxel cable into a 3Com hub, a cable from the hub to the Catalyst and a cable from the hub to an external PC. On this PC I have installed Ethereal/Wireshark to sniff all the traffic. Is all this correct? Do I have to put the cables into the hub in some order? After sniffing the traffic I analysed the packets but there is nothing about that IP. Do I have to filter the traffic in some way?
Asked by s_quasar
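Added example, not from the original thread or any of its posters: a Python triage script for the kind of syslog message quoted in the question. It parses %PIX-3-305005 lines, flags sources in the APIPA link-local range 169.254.0.0/16, counts messages per flagged source and builds the Wireshark display filter that pulls those hosts out of a capture. The sample log is the messages quoted in the thread plus two constructed lines (a normal 10.2.2.x source and an unrelated message ID) to show what gets skipped; the addresses 10.2.2.15, 192.0.2.10 and 203.0.113.5 are made up.

```python
"""Triage Cisco PIX %PIX-3-305005 "No translation group found" messages.

Added example, not from the original thread. Parses the syslog lines quoted in
the question, flags sources in the APIPA range 169.254.0.0/16 and builds a
Wireshark display filter for them.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample: the messages quoted in the thread plus two extra lines
# (a normal 10.2.2.x source and a non-305005 message) that must be skipped.
SAMPLE_LOG = """\
%PIX-3-305005: No translation group found for udp src inside:169.254.18.19/138 dst outside:169.254.255.255/138
%PIX-3-305005: No translation group found for tcp src inside:169.254.25.142/1219 dst server:10.2.1.52/139
%PIX-3-305005: No translation group found for tcp src inside:169.254.218.201/1220 dst server:10.2.1.52/139
%PIX-3-305005: No translation group found for tcp src inside:10.2.2.15/1500 dst outside:192.0.2.10/80
%PIX-6-302013: Built outbound TCP connection 12345 for outside:192.0.2.10/80 (192.0.2.10/80) to inside:10.2.2.15/1501 (203.0.113.5/1501)
"""

APIPA = ipaddress.ip_network("169.254.0.0/16")

# The line pasted in the question reads "/138dst" with no space, so the
# whitespace between the src and dst halves is optional here.
PATTERN = re.compile(
    r"%PIX-3-305005: No translation group found for (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+)\s*"
    r"dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)


def parse_305005(text):
    """Return one dict per 305005 message; any other message is skipped."""
    records = []
    for line in text.splitlines():
        m = PATTERN.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["src_port"] = int(rec["src_port"])
        rec["dst_port"] = int(rec["dst_port"])
        rec["apipa_src"] = ipaddress.ip_address(rec["src_ip"]) in APIPA
        # 137/138/139 are NetBIOS name, datagram and session services.
        rec["netbios"] = rec["dst_port"] in (137, 138, 139)
        records.append(rec)
    return records


def apipa_sources(records):
    """Count messages per APIPA source address."""
    return Counter(r["src_ip"] for r in records if r["apipa_src"])


def wireshark_filter(addresses):
    """Display filter matching any of the given addresses as src or dst."""
    ordered = sorted(addresses, key=ipaddress.ip_address)
    return " || ".join(f"ip.addr == {a}" for a in ordered)


if __name__ == "__main__":
    recs = parse_305005(SAMPLE_LOG)
    for ip, n in apipa_sources(recs).most_common():
        print(f"{ip:<16} {n} message(s)")
    print(wireshark_filter(apipa_sources(recs)))
```

The `src_if` field is the PIX interface name from its nameif configuration, so "inside" in these messages already tells you the frames arrived on the inside interface; the filter string can be pasted straight into the Wireshark filter bar.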
s_quasar (Author) commented:
Oh man! All this mess and the problem was my PC! I don't know why, but I unplugged my network cable for a while and when I reattached it the problem disappeared!! For the test I used another IP (192.168.0.x), then I made a connection attempt via UNC in order to receive the error from the PIX by email.
It's strange because the error arrived, but from an IP like the one in the initial question. This is the error I received:
%PIX-3-305005: No translation group found for tcp src inside:169.254.25.142/1219 dst server:10.2.1.52/139
%PIX-3-305005: No translation group found for tcp src inside:169.254.218.201/1220 dst server:10.2.1.52/139
%PIX-3-305005: No translation group found for tcp src inside:169.254.25.142/1193 dst server:10.2.1.52/139
and others... this is very strange!!!
But I have finally resolved the problem! :)

vishal_impact commented:
Hi,
You might be able to filter it by protocol as well, but the IP you mention might be one that got traced if some request is coming in, or something like that. Can you post the exact details of the protocols you used to search when you got this IP traced, and also a screenshot of the IP address?
Thanks,
Vish

s_quasar (Author) commented:
I have used this filter: ip.addr == 169.254.18.19.
This address is traced inside the PIX exactly every 12 minutes. Today I had more than 300 emails in my mailbox after the weekend...
vishal_impact commented:
OK,
can you do a tracert on the same address and also ping it? I will get more details for you when you post me the reply to this.
Thanks,
Vish

vishal_impact commented:
Hi,
it looks like a sturdy thing to me, as I reckon it's an internal IP; I can't get more info without your tracert result. Also try to do a reverse lookup so we can get as much info as possible before reaching any conclusion. Hope you agree.

s_quasar (Author) commented:
Mmmm... maybe I don't understand... if I do a tracert from inside my DMZ I can't find anything, because my internal IP address range is 10.2.2.x. It's the same with the ping command.

vishal_impact commented:
Hmm,
sorry, I realized that I am only looking for a way round to get more details on the IP, so can you post me the screenshot which I asked for?

s_quasar (Author) commented:
I don't know where this address is coming from... which screenshot do you want? The only things I have are the PIX syslog (and this is present in my initial question) and the traffic captured with Wireshark.

Chris Dent (PowerShell Developer) commented:

Sorry to interject so late in the posting.

The address you're looking at (169.254.x.x) is a DHCP auto-configuration address. DHCP clients will receive an address in that range if they fail to obtain an address from a DHCP server.

As UDP port 138 is used for NetBIOS broadcasts, the destination address (169.254.255.255) makes sense.

As it looks to me like internal traffic, you should also have a valid MAC address. Can you look at the possible causes with that instead?

Chris
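
Added example, not from the original thread or any of its posters, following the suggestion above to get the MAC address out of the capture: a pure-Python reader for classic libpcap files (the format Ethereal and Wireshark of that era saved; current Wireshark defaults to pcapng, so save or export as pcap first) that reports the Ethernet source MAC of every frame sent from a given IPv4 address, optionally restricted to UDP packets to one destination port such as 138. The capture it runs on is constructed in memory to stand in for the author's Wireshark capture; the MAC addresses, the 12-minute timestamps and the 10.2.2.15 frame in it are made up.

```python
"""Pull the Ethernet source MAC of frames from a given IPv4 address out of a pcap.

Added example, not from the original thread. Reads the classic libpcap format
(24-byte global header, 16-byte record headers, link type Ethernet) with only
the standard library, so it runs without Wireshark installed.
"""
import socket
import struct

ETH_P_IP = 0x0800
LINKTYPE_ETHERNET = 1


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def udp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Build one Ethernet/IPv4/UDP frame (checksums left zero; constructed test data)."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + udp
    return dst_mac + src_mac + struct.pack("!H", ETH_P_IP) + ip


def pcap_bytes(frames):
    """Wrap frames in a little-endian classic pcap container, 12 minutes apart."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + i * 720, 0, len(f), len(f)) + f
    return out


def iter_frames(data):
    """Yield (timestamp, frame) from classic pcap data; handles both byte orders."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def macs_for_source(data, wanted_ip, udp_port=None):
    """Map each source MAC that sent IPv4 packets from wanted_ip to a frame count.

    With udp_port set, only UDP packets to that destination port are counted
    (138 isolates NetBIOS datagram broadcasts like the ones the PIX logged).
    """
    wanted = socket.inet_aton(wanted_ip)
    seen = {}
    for _, frame in iter_frames(data):
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
            continue                       # not IPv4 (ARP, IPv6, ...)
        ihl = (frame[14] & 0x0F) * 4       # IP header length in bytes
        if frame[26:30] != wanted:         # IPv4 source address
            continue
        if udp_port is not None:
            if frame[23] != 17 or len(frame) < 14 + ihl + 8:
                continue                   # not UDP, or truncated
            dport = struct.unpack("!H", frame[14 + ihl + 2:14 + ihl + 4])[0]
            if dport != udp_port:
                continue
        src_mac = mac_str(frame[6:12])     # Ethernet source address
        seen[src_mac] = seen.get(src_mac, 0) + 1
    return seen


# Constructed capture: two NetBIOS datagram broadcasts from the suspect host
# plus an unrelated name-service broadcast from a 10.2.2.x client.
SUSPECT_MAC = bytes.fromhex("00113344aabb")
BCAST = b"\xff" * 6
SAMPLE_PCAP = pcap_bytes([
    udp_frame(SUSPECT_MAC, BCAST, "169.254.18.19", "169.254.255.255", 138, 138, b"\x11" * 20),
    udp_frame(bytes.fromhex("00aabbccddee"), BCAST, "10.2.2.15", "10.2.2.255", 137, 137, b"\x00" * 12),
    udp_frame(SUSPECT_MAC, BCAST, "169.254.18.19", "169.254.255.255", 138, 138, b"\x11" * 20),
])

if __name__ == "__main__":
    for mac, n in macs_for_source(SAMPLE_PCAP, "169.254.18.19", udp_port=138).items():
        print(f"{mac}  {n} frame(s) from 169.254.18.19 to UDP/138")
```

To run it on a real capture, replace SAMPLE_PCAP with `open("capture.pcap", "rb").read()`. With the MAC in hand, the first three octets (the OUI) identify the NIC vendor, and the Catalyst's MAC address table shows which port, and therefore which downstream switch, the address was learned on; a match in the DHCP server's lease list, as suggested later in the thread, gives the hostname directly.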
s_quasar (Author) commented:
This is the problem... I know that this is a DHCP auto-configuration address (APIPA), but I don't know where this address is coming from!!! This is the reason why I have used a sniffer...

Chris Dent (PowerShell Developer) commented:

Inside or Outside? Reading that as Inside. If it is, don't you have a MAC address?

If you have a MAC Address.... I forget, but can't Catalyst Switches tell you the MAC Addresses plugged into each Port?

Chris

s_quasar (Author) commented:
The problem is that on that port I have another switch connected (a Zyxel), as I wrote in the initial question. I used the command "sh arp" on the PIX but this is not useful, because the IP is not present in association with a MAC address.

Chris Dent (PowerShell Developer) commented:

Ahh sorry, my apologies.

No management on the Zyxel at all, then?

Lots of clients to eliminate on there?

If you think the address is currently active, can you add another machine on your network with an address in that range? Then see if you can attach to it on anything meaningful (file share, www server, smtp server, etc etc)?

Chris

vishal_impact commented:
OK,
are you using any IP phones on the same switches?

s_quasar (Author) commented:
There is no IP phone. I have tried assigning an IP in the same range (169.254.18.22 for example). Trying to connect via FTP there is a response, but the connection is not established. Using TCPview.exe on my PC I see an attempt to connect via FTP, but I can't see the MAC address. I set the IP with subnet mask 255.255.0.0, and if I connect via FTP to another IP different from 169.254.18.19, changing the last two octets to other numbers, the result is the same.

Chris Dent (PowerShell Developer) commented:

I'd be fairly sure it's a Windows machine; I can't see what else would be broadcasting NetBIOS traffic.

Does it allow you to ping the IP address from the same range?

Chris

s_quasar (Author) commented:
I can't ping the address, and \\169.254.18.19 doesn't work.

Chris Dent (PowerShell Developer) commented:

Typical, any machines unaccounted for attached to the switch? How many are there (roughly)?

Chris

s_quasar (Author) commented:
The problem is not from a client, because at night, when every PC is shut down, the error is always the same. But if a PC is off while the power is still on... can the NIC put out packets in this case too?

Chris Dent (PowerShell Developer) commented:

Depends how closed down the mainboard is. But broadcasting NetBIOS traffic means the OS is up and running, so it wouldn't just be the NIC.

The DHCP Server is unavailable over night?

If we go back to the packet sniffing, you have the MAC from that (I hope); does that match anything listed in the current DHCP leases?

Chris

s_quasar (Author) commented:
There are other machines up all the time: developer/file server, antivirus/PIX log server, DC, my PC (but this one I have already tried shutting down, with no result), Nagios server (this is broken/blocked but up; maybe I can try to shut it down) and an old developer server (I'm using this one for sniffing).
If this can help: when this IP comes up I'm doing a VMware P2V (physical to virtual) image. I launched it from my PC 10.2.2.x to make a virtual machine from IP 10.2.1.x onto another machine in the same DMZ (from the PIX settings I can enter that DMZ, but I can't receive data from it).

Chris Dent (PowerShell Developer) commented:

It can't be directly attached to the switch then, or it'd be able to get a DHCP address. The virtual image you have doesn't have a 169.254 address though, I take it?

Chris

s_quasar (Author) commented:
The virtual image is off and the virtual NICs in my PC are disabled.

Chris Dent (PowerShell Developer) commented:

d'oh!

At least you found it in the end :)

Chris