Spoofed source address in wg firewall log
Scenario same machine with WG Fb100 mgnt console one nic card with static IP:
nbtstat -a "servername" shows a node using the spoofed address 169.254.65.133 for "lan address 2", which doesnt' exist when you look under nw connections. Both the real IP and spoofed address info displayed reflect the same IP address. The machine on ly has one nic card. RRAS and any other service I can think of that could relate to this disabled/not running. Machine is server 2k2. WG example below of logged spoofed. I'm not sure how else to troublehsoot this. THe machine is running acronis mgmt console as well as vmware converter and a smtp service for avya unified messging sytem. The entries were numerous in the firewall this a.m. and our internet slows down, but all the sudden stopped. Any suggestion of where else on board to post this question, also, plese let me know.
spoofed.bmp
nbtstat -a "servername" shows a node using the spoofed address 169.254.65.133 for "lan address 2", which doesnt' exist when you look under nw connections. Both the real IP and spoofed address info displayed reflect the same IP address. The machine on ly has one nic card. RRAS and any other service I can think of that could relate to this disabled/not running. Machine is server 2k2. WG example below of logged spoofed. I'm not sure how else to troublehsoot this. THe machine is running acronis mgmt console as well as vmware converter and a smtp service for avya unified messging sytem. The entries were numerous in the firewall this a.m. and our internet slows down, but all the sudden stopped. Any suggestion of where else on board to post this question, also, plese let me know.
spoofed.bmp
Mohamed Osama
Are you sure this is not related to perhaps VMWARE virtual NAT / NIC settings ?
On the one hand, I would say that the source IP address looks like an APIPA configured address and would hint that the machine in question was unable to contact your DHCP server for a proper IP address (read more about APIPA at http://blogs.technet.com/networking/archive/2009/01/29/dhcp-client-behavior.aspx).
On the other hand, it seems mighty suspicious that the source would contact hosts on the internet via UDP 137 (NETBIOS Name Service)
On the other hand, it seems mighty suspicious that the source would contact hosts on the internet via UDP 137 (NETBIOS Name Service)
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
You're right about the netbios explanation on the UDP 137 port, while I haven't completely resolved the issue(s), so far. Accepting and closing question, though. Thx