Solved

how to determine IP of wireless device

Posted on 2014-11-05
Last Modified: 2014-11-18
How can I determine the public IP associated with a wireless device? For example, using `iwconfig wlan0 scan` I can get the ESSID and MAC address, but no IP is listed. The reason I am asking is because our building ISP said that someone from our office made an unauthorized access from a wireless device assigned to us. He provided the IP. I am trying to determine if this IP is associated with one of our wireless devices.
Question by:jmarkfoley
 
LVL 90

Expert Comment

by:John Hurst
ID: 40425213
Most devices use DHCP, so it may be difficult to pin an IP to a specific device. If you did, you would have to get access to it to see if you can see wireless access logs.

If your wireless is probably secured, such access should be limited anyway.
0
 
LVL 5

Expert Comment

by:SerjTech
ID: 40425224
When you say "public IP" what do you actually mean?

In most setups all internal devices have a network internal IP address, and once they hit the router and go onto the ISP network they all use the same public IP address. Unless you have a different setup or are talking about something that is not a standard computer network setup.

If they have given you an internal IP to trace then it all depends on your setup. If devices are given IPs by DHCP then you might be out of luck as they might have changed IPs by now depending on the lease time.

If the lease time is long or the IPs are static you could either check the DNS or DHCP server to see if the IP is listed with a client computer name.  From a Windows PC you could in theory do a nslookup 192.168.1.1 etc or run the command arp -a which might help trace it down a little.

This all depends on your setup within your office / building, as I am unable to give any detailed information until I know a few more details.
0
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 40425271
You have the MAC addresses.  Run this command at the command prompt:

arp -a
This will give you a list of MAC addresses with their associated IP addresses.

And, you can run:
nbtstat -a [ipaddress] without the brackets
and get the name of the device if it has one.

Oh, but you said "public IP"  - why is that an issue?  Unless you have more than one, it would be the same for everyone.  Google "what is my IP" and they should all be the same.
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 40425340
OK, I need to provide more information ...

The building has several wireless access points, 4 of which could be construed as belonging to our office, the others belong to other tenants. Our ISP said the problem occurred on IP 64.128.165.39 which, they say, is assigned to us. This, of course, is the incoming IP from the building router/switch to the wireless local router. As you all have pointed out, when e.g. a laptop connects to one of these devices it gets a DHCP address such as 192.168.0.10, but we can't see what the "incoming" IP is. Now, I could do so in some cases by connecting to the Admin IP of the router and looking at the admin page settings, but some of these are wireless access points created by the ISP and don't really have Admin pages.

For example, my home Linksys router connects to Time-Warner and gets the IP address 76.181.64.99 from the cable modem. Since the Linksys is doing dhcp for my home computers, its LAN address is 192.168.0.1, and that is the address all the LAN connected devices see. What I'm trying to figure out is how to see the 76.181.64.99 address which is what I'm calling the "public" or "incoming" address.

Ideally, given the "incoming" IP address, I'd like to run some command that shows the SSID, or vice versa, e.g.

getSSID 64.128.165.39
  or
getIP "mySSID"

fmarshall: arp -a, did give me the LAN IP of the wireless network to which I am connected: 192.168.1.1, but not the incoming-to-the-router IP.

I don't have nbtstat and it does not appear to be in the Ubuntu repository nor is it on my Windows box.

I can get the MAC addresses of these wirelesses, but how to correlate that with IP? I thought nmap would return MAC addresses, but I haven't figured out how to do that yet.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 40425347
You cannot necessarily correlate MAC and IP because the device is almost certainly DHCP and will give up its IP (may give up its IP) when it disconnects.

 Our ISP said the problem occurred on IP 64.128.165.39 which, they say, is assigned to us <-- ISPs are now supplying wireless on their modems. Turn that OFF or secure it so no one can access. If no one paid attention to this and did not secure it, there is your issue.

Use your own wireless for access and secure it as well.
0
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 40425398
As I suggested, Google "What is my IP" from a computer on your network.  That will give you your public IP address and should either confirm or deny that the ISP is correct in their claim.

You should have nbtstat on your Windows box.  Maybe it's a matter of turning on some Windows features.
For Linux, I found this:
alias nbtstat
nmblookup -S -U <server> -R

You are likely not going to get the public address from any wireless SSID because they should all be on private subnets and unaware of any public addresses.

I'm a bit unclear as to the objective here.  You mention receiving reports about an "unauthorized" access.  What constitutes that???

The normal situation is that you have a "rogue" connection and want to find the device.  This has nothing at all to do with the public IP address.  It has everything to do with a private IP address.
The process usually goes like this:
1) determine the PRIVATE IP address of the rogue connection.
2) map that private IP to a MAC address.
3) grok the MAC address to get the manufacturer of the device.
4) ken the manufacturer of the device to the type of device/user the rogue connection is/might be.
0
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 40425406
You might be asking yourself if this is worth an ounce of prevention?

It's not clear yet what the ISP is complaining or reporting about.......

One example would be to assign known IP addresses to known MAC addresses.  It's a bit of an administrative load but it will work.  You just have to keep up with the new devices being introduced all the time.  MAC addresses are easy to copy / then spoof but that's at another level of sophistication for the user; so it's not a bad idea to start right there.
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 40425447
fmarshall: > It's not clear yet what the ISP is complaining or reporting about.......

Here's what our ISP wrote:
I am sorry to have to send you this.  We received a copyright infringement
notice of pornography coming from an IP address that is assigned to the <xxx>
office.  I have confirmed that this is an IP address that we assigned to your
company and it terminates at 6161 <address>.  It was reported at
around noon yesterday, I just received the complaint this afternoon.

Please let us know if you need help tracking it down.  Given that we have never
seen this before, It is more than likely a temporary computer (Laptop) that
someone may have attached to your network.  I tried to scan for the open port
today and did not see it.  Most likely it was someone that was in your office
yesterday.  Did you have any vendors or outsiders in your office yesterday with
a computer that would have attached to the network?

64.128.165.39 Ohio State xxx System WAN IP

Work Title: Lesbian Family Affair
Copyright Owner: Combat Zone Inc
Unauthorized File Name: Lesbian Family Affair ( NEW 2014 FILLY FILMS ) [ DVD RIP ALL 4 SPLIT SCENES ]
Unauthorized Hash: 719791471bb04eb5c357500f8102b3ba8e30dec1
Unauthorized File Size: 1342806857 bytes
Unauthorized Protocol: BitTorrent
Timestamp: 2014-11-04 12:01:21 North American Eastern Time
Unauthorized IP Address: 64.128.165.39
Unauthorized Port: 1190

64.128.165.39 Ohio State Highway Patrol Ret. System WAN IP


Work Title: Lesbian Family Affair
Copyright Owner: Combat Zone Inc
Unauthorized File Name: Lesbian Family Affair ( NEW 2014 FILLY FILMS ) [ DVD RIP ALL 4 SPLIT SCENES ]
Unauthorized Hash: 719791471bb04eb5c357500f8102b3ba8e30dec1
Unauthorized File Size: 1342806857 bytes
Unauthorized Protocol: BitTorrent
Timestamp: 2014-11-04 12:01:21 North American Eastern Time
Unauthorized IP Address: 64.128.165.39
Unauthorized Port: 1190



fmarshall: > You might be asking yourself if this is worth an ounce of prevention?

Yes, of course, we will likely disconnect some of the wireless devices, but first we want to know which device. In one case it might be a building-public, no security device, in another case it might be a secure wireless meaning someone would have to know, or to have hacked, the password, in another case it could be the phone system (why that has a wireless, I don't know!), which also implies known or hacked password.

Someone connected via a wireless device to a bit-torrent site and downloaded a movie -- that's the "unauthorized" bit. The ISP is assuming that someone physically inside our office connected with e.g. a laptop. He is mistaken in that we have no wireless devices as part of our office LAN, all wireless are separate from the office LAN and could have been accessed from almost anywhere in the building. These wireless devices are "ours" only in that we requested them for access from conference rooms, but they are not connected to the office LAN and get their IP addresses from the building Cisco switch (not the office server). Clearly there are implications of responsibility/liability with this situation which need to be cleared up.

I will disable and secure things, but first I want to know *which* device is involved. The ISP gave us the IP, and I can get MAC and SSID from `iwlist wlan0 scan`. I'm trying to connect these. So far, it appears that this is not doable unless the device is part of the probing computer's subnet -- which is not the case.

I should mention that this is an office building and all IP addresses are individually assigned to tenants; there are no subnets. Our office has 3 public IPs, none of which are consecutively numbered or on their own subnet.

Any other ideas?
0
 
LVL 25

Assisted Solution

by:Fred Marshall
Fred Marshall earned 200 total points
ID: 40425647
This appears to be quite confused. I will attempt to address what you've said in this last post:

> Our office has 3 public IPs, none of which are consecutively numbered or on their own subnet.

Well, they are likely on an ISP subnet or subnets but that doesn't matter here. Apparently the ISP has identified which of the 3 was involved. Is that correct? If so, we are down to ONE public IP. Is that correct?

> I should mention that this is an office building and all IP addresses are individually assigned to tenants; there are no subnets

This is confusing because you don't qualify them as public or private. Thus, it's hard to interpret the meaning. Please clarify.

> The ISP gave us the IP,

The ISP gave you the public IP, right? The ISP did not give you the private IP, right? Please answer these questions.

> I can get MAC and SSID from `iwlist wlan0 scan`. I'm trying to connect these. So far, it appears that this is not doable unless the device is part of the probing computer's subnet -- which is not the case.

If you mean that using arp -a, nbtstat -a [ipaddress] and so forth will only work if you're connected to the offending private subnet then that's correct. If you want to learn about a network with tools like this, you have to be connected to the network. Other networks are just foreign to the process.

> Someone connected via a wireless device to a bit-torrent site and downloaded a movie -- that's the "unauthorized" bit.

If you don't know the private IP address of the "someone" then how do you know it's wireless? There may be important information in the answer.

> The ISP is assuming that someone physically inside our office connected with e.g. a laptop.

I see nothing in the ISP's message that suggests this. How would they even be able to venture a guess?

> He is mistaken in that we have no wireless devices as part of our office LAN, all wireless are separate from the office LAN and could have been accessed from almost anywhere in the building.

Once more, I don't see where they asserted anything of the kind and, for that matter, how would they know? But, of course, you may know because of the public IP address involved.

> These wireless devices are "ours" only in that we requested them for access from conference rooms, but they are not connected to the office LAN and get their IP addresses from the building Cisco switch (not the office server). Clearly there are implications of responsibility/liability with this situation which need to be cleared up.

OK. So there are multiple subnets on VLANs no doubt. The scheme for associating these various subnets/VLANs to particular public IP addresses is unclear. The message from the ISP seems to not have anything to do with the "office LAN and/or the office server.

> Yes, of course, we will likely disconnect some of the wireless devices

That may well be your intent but how that affects the intended service to be provided is unclear.

> but first we want to know which device

I believe this has been covered pretty well by now.

> In one case it might be a building-public, no security device, in another case it might be a secure wireless meaning someone would have to know, or to have hacked, the password, in another case it could be the phone system (why that has a wireless, I don't know!), which also implies known or hacked password.

Yes, that concern is very understandable.

> I should mention that this is an office building and all IP addresses are individually assigned to tenants; there are no subnets.

That there are no subnets seems most unlikely and, in fact, seems an impossibility. Perhaps we have some mixup in terminology. That could get in the way of helping solve the problems.

> Our office has 3 public IPs, none of which are consecutively numbered or on their own subnet.

OK. That's fine. But apparently there is only one that's involved in this case. How are the public IP addresses used throughout the facilities?

> Any other ideas?

Yes. It appears there are a few concerns here and I would encourage you to tackle them separately:
- The ISP is concerned about the type of traffic it appears. You may not be able to do anything about that as it's in the past. And, the other issues should take care of this. Should ... but may not.
- You are concerned about someone hacking into your secured network. The solution has nothing to do with what the ISP was seeing. If the connection is gone then it's gone. If it might recur then you should be equipped to deal with that.
That's why I suggested using reserved IP addresses in the DHCP that are tied to MAC addresses. This may be problematic if you don't "own" the wireless access points / routers. It appears that's an issue for you but I don't know how to suggest a solution for that kind of situation. It would be very organization specific.
- You want to know which device is involved. You need to be on the same subnet to start getting at this objective.
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 40427165
You need to be tracking NAT translations to be able to find out which device did what.  For that you'll need to be logging every single connection at your proxy or firewall.  That is the only way you'll be able to get the info you require to determine who did what, but that may or may not actually directly reveal which device or user was the offender.

NAT tracking is one step, then device login and DHCP lease binding is another.  Device login tracking should allow you to see which MAC a user logged in from (if you use RADIUS) and the DHCP lease database will then reveal which MAC got which IP.  Tie that in with the NAT translation and you can match it all up.
0
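The correlation chain described in the comment above (NAT translation, then DHCP lease, then RADIUS login), as an added example that is not part of the original thread. The three log layouts, the private addresses, the MAC addresses and the user names are constructed assumptions; only the public IP, port and timestamp come from the notice quoted earlier, and the logs are assumed to use the same time zone as that notice.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%S"

# Constructed NAT log: session_start session_end private_ip:port public_ip:port
NAT_LOG = """\
2014-11-04T09:14:02 2014-11-04T09:20:40 192.168.0.77:51000 64.128.165.39:1190
2014-11-04T11:58:30 2014-11-04T12:09:12 192.168.0.23:51514 64.128.165.39:1190
2014-11-04T12:00:10 2014-11-04T12:03:00 192.168.0.41:40022 64.128.165.39:2210
"""

# Constructed DHCP lease history: lease_start lease_end ip mac
DHCP_LEASES = """\
2014-11-03T08:00:00 2014-11-04T08:00:00 192.168.0.23 00:00:5e:00:53:aa
2014-11-04T11:30:00 2014-11-05T11:30:00 192.168.0.23 00:00:5e:00:53:17
2014-11-04T09:00:00 2014-11-05T09:00:00 192.168.0.77 00:00:5e:00:53:4c
"""

# Constructed RADIUS accounting log: auth_time mac username
RADIUS_LOG = """\
2014-11-04T11:29:51 00:00:5e:00:53:17 guest-conf-room-2
2014-11-04T08:59:40 00:00:5e:00:53:4c jdoe
"""


def _ts(text):
    return datetime.strptime(text, FMT)


def _rows(log, width):
    """Yield whitespace-split records, skipping malformed lines."""
    for line in log.splitlines():
        fields = line.split()
        if len(fields) == width:
            yield fields


def nat_candidates(public_ip, public_port, when, skew=timedelta(seconds=30)):
    """Private IPs whose translation used public_ip:public_port at `when`.

    The same public port is reused over the day, so the time window is
    essential; `skew` tolerates clock drift between reporter and router.
    """
    wanted = f"{public_ip}:{public_port}"
    found = set()
    for start, end, private, public in _rows(NAT_LOG, 4):
        if public == wanted and _ts(start) - skew <= when <= _ts(end) + skew:
            found.add(private.rsplit(":", 1)[0])
    return sorted(found)


def lease_holder(private_ip, when):
    """MAC that held private_ip at `when` (leases change hands over time)."""
    for start, end, ip, mac in _rows(DHCP_LEASES, 4):
        if ip == private_ip and _ts(start) <= when < _ts(end):
            return mac
    return None


def last_login(mac, when):
    """Most recent RADIUS user seen from `mac` at or before `when`."""
    best = None
    for stamp, seen_mac, user in _rows(RADIUS_LOG, 3):
        t = _ts(stamp)
        if seen_mac == mac and t <= when and (best is None or t > best[0]):
            best = (t, user)
    return best[1] if best else None


def attribute(public_ip, public_port, when_text):
    """Walk NAT -> DHCP -> RADIUS and report how far the chain resolves."""
    when = _ts(when_text)
    candidates = nat_candidates(public_ip, public_port, when)
    if len(candidates) != 1:
        status = "ambiguous" if candidates else "no-nat-match"
        return {"status": status, "candidates": candidates}
    private_ip = candidates[0]
    mac = lease_holder(private_ip, when)
    user = last_login(mac, when) if mac else None
    return {"status": "matched", "private_ip": private_ip,
            "mac": mac, "user": user}


if __name__ == "__main__":
    # Values taken from the copyright notice quoted in the thread.
    print(attribute("64.128.165.39", 1190, "2014-11-04T12:01:21"))
```

Without connection logging at the device that performs the translation, the first step returns nothing and the rest of the chain cannot be resolved.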
 
LVL 90

Accepted Solution

by:
John Hurst earned 100 total points
ID: 40427178
I do not see why you cannot simply disable wireless you do not need (ISP) and secure the other. Then NO unauthorized devices get in. Works GREAT for me.
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 40427224
@John - sometimes legitimate users do illegitimate things - even when they don't necessarily know about it.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 40427233
True EXCEPT legitimate users are not Unauthorized users which (as I understand it) was the initial purpose of this thread.
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 40427336
No, the purpose of the thread was to determine which user was the culprit, legitimate or not.  It's completely feasible that a legit user was to blame.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 40427346
I merely interpreted the use of unauthorized access as it was written.

However I have unsubscribed as I think differently here.

Cheers ;)
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 40427426
The letter received by the author says:

I am sorry to have to send you this.  We received a copyright infringement
notice of pornography coming from an IP address that is assigned to the <xxx>
office.  I have confirmed that this is an IP address that we assigned to your
company and it terminates at 6161 <address>.  It was reported at
around noon yesterday, I just received the complaint this afternoon.

That's something that someone did via the public IP which was assigned to the internet connection in question.  We need to help locate the user that did this.  As we don't yet know which user did this we don't know if it was done by a legitimate user or not.
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 40427433
Thanks for all the responses!

fmarshall: > This appears to be quite confused. ... Apparently the ISP has identified which of the 3 was involved.  Is that correct?  If so, we are down to ONE public IP.  Is that correct?
> "I should mention that this is an office building and all IP addresses are individually assigned to tenants; there are no subnets"
> This is confusing because you don't qualify them as public or private.  Thus, it's hard to interpret the meaning.  Please clarify.

Yes, it is quite confused. The ISP manages all Internet connections in the building. Yes, the ISP has its own subnet from Time-Warner. When I said that "there are no subnets" I meant for the tenants. Our 3 IP addresses are non-consecutive and are assigned by the ISP from his building pool of available public IPs. To answer your last question (above), most tenants simply get a DHCP address from the Cisco switch/router in the building. If a tenant requests a public IP, that is assigned to the tenant. So, the tenant IPs are a mix of public and private. We have requested 3 IPs that I know of and no, the IP in question is not one of those 3. However, the ISP believes it is assigned to us. If so, we don't use it and as far as I know it is not accessible from our office, although it might be from the building-wide LAN cable coming into the office, but that routes into a router/switch set to one of the assigned public IPs. None of our servers uses the "bad" IP.

> The ISP gave you the public IP, right?  The ISP did not give you the private IP, right?  Please answer these questions.

Sorry, but not sure what you're asking here. Yes, we got our public IPs from the ISP. The offending IP, 64.128.165.39, is also public and nmap'pable from anywhere. Don't know to what you are referring with "private IP".
> "I can get MAC and SSID from `iwlist wlan0 scan`. I'm trying to connect these. So far, it appears that this is not doable unless the device is part of the probing computer's subnet -- which is not the case."

> If you mean that using arp -a, nbtstat -a [ipaddress] and so forth will only work if you're connected to the offending private subnet then that's correct.  If you want to learn about a network with tools like this, you have to be connected to the network.  Other networks are just foreign to the process.

Yes, that's what I thought. Since that IP is not on "our" subnet, I can't get MAC information about it. An nmap from the outside shows ports 22, 82, 2000 and 8291 open and the OS guesses show:
Aggressive OS guesses: Linux 2.6.32 - 3.9 (96%), Linux 3.0 - 3.9 (93%), Linux 2.6.32 - 3.2 (93%), Linux 2.6.38 - 3.0 (92%), Linux 3.6 (92%), Netgear DG834G WAP or Western Digital WD TV media player (92%), Linux 3.2 (91%), Linux 3.1 (91%), OpenWrt 12.09-rc1 Attitude Adjustment (Linux 3.3 - 3.7) (91%), Android 4.0.3 - 4.0.4 (Linux 3.0) (90%)


Netgear DG834G WAP is one guess and port 2000 is listed as "bandwidth-test MikroTik bandwidth-test server". MikroTik is also a router and I know the ISP uses port 82 as the external engineering port to the MikroTik admin page. I get a similar port list on the MikroTik that *is* attached to one of our IPs and a similar OS list, so I'm guessing the IP is connected to a MikroTik router somewhere.

> If you don't know the private IP address of the "someone" then how do you know it's wireless?  There may be important information in the answer.

You're right. I don't know that it's wireless. I was guessing since there are 2 wireless access points requested by us for building tenant use (we own the building) and these could be "assigned" to us. But, I suppose an existing tenant could have plugged into a wall outlet and accessed that IP.

> "The ISP is assuming that someone physically inside our office connected with e.g. a laptop. "
> I see nothing in the ISP's message that suggests this.  How would they even be able to venture a guess?

He wrote in the posted message, "Please let us know if you need help tracking it down.  Given that we have never seen this before, It is more than likely a temporary computer (Laptop) that someone may have attached to your network." And later, "A scan and inspection of your internal network devices for Bit Torrent software would be a good place to start if you want to try to look for it." This does suggest to me that he is assuming an origination inside our office. "How would they even be able to venture a guess"? Well, that's the question and the reason for this post. I don't think they can venture such a guess.

> OK.  So there are multiple subnets on VLANs no doubt.  The scheme for associating these various subnets/VLANs to particular public IP addresses is unclear.  

Yes, quite unclear.

> The message from the ISP seems to not have anything to do with the "office LAN and/or the office server.

but - see my quote of the ISP opinion above wherein he suggests it may have originated with a vendor's laptop inside the office LAN.

craigbeck: > You need to be tracking NAT translations to be able to find out which device did what.

But, we actually don't have anything connected to this IP or any upstream routers to which it may be connected. The ISP should be able to do that.

John Hurst: > I do not see why you cannot simply disable wireless you do not need (ISP) and secure the other. Then NO unauthorized devices get in. Works GREAT for me.

That is my future "prevention" plan, but since we own the building, and since there is a public, unsecured wireless for the tenants, there are lease/contract issues to be investigated to see if such a service is explicitly provided in the tenant's leases. If not, it's gone!

> I merely interpreted the use of unauthorized access as it was written.

craigbeck is correct. It may have been a legitimate user (building tenant) that performed an unauthorized use by downloading a copyrighted film. Or, it could have been an illegitimate person in the parking lot stealing the unsecure wireless connection.
0
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 40427494
Thanks for the comprehensive answers!

The normal thing is for the ISP to assign you a "block" of public IP addresses.  The ones you *actually use* may not be contiguous but the entire block would be.  In reality it's a small subnet of maybe 8 or 16 addresses.  There will be the usual network address used up and the usual broadcast address used up so they aren't usable otherwise.  This leaves one with 6 or 14 addresses in the block.  So, when the ISP says "it's one of your addresses", I'll bet that's it.
Once the block is assigned to you, those addresses are routed by the ISP to and from your location.
So: all you have to do is hook up a device with one of those addresses to your internet portal / gateway.

So, while you may not be using an address in "your" block, they remain available.  But I believe that someone has to be on site to make that work.  Much of that detail is up to the ISP but I can't imagine them doing it otherwise.

Here is how we do it:  We have an internet interface device (in our case a simple router) with no NAT.  One side has a public IP address assigned by the ISP.  The other side has a public IP address which is the lowest in our block.
So, if our block is 222.333.222.0/28 then we have 222.333.222.0 through 222.333.222.8 with network and broadcast.   So, the router, on the inside, has 222.333.222.1 and we have 222.333.222.2 through 222.333.222.6 available whether we use them or not.  So, with 64.128.165.39, I might guess that your addresses fall between:
64.128.165.33 to .38 or .46.  Might that be the case?
The router LAN side is connected to a switch that I call the "internet switch" providing access to the router by multiple devices. As long as a device has an IP address in the block, I expect it to work (and it does).
So, it sounds like someone was able to light up one of your unused IP addresses and that seems it would be in the switch room.

Just a theory..... but, if true, it seems to narrow down the possibilities.
0
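The block arithmetic behind the comment above, worked for the reported address 64.128.165.39, as an added example that is not part of the original thread. It also measures how far that address is from the mail server address 64.129.23.80 that appears in the traceroute later in the thread; the function names and the set of prefix lengths tried are assumptions made for illustration.

```python
import ipaddress


def block_role(ip, prefix):
    """Describe the block of the given prefix length that contains `ip`
    and the role `ip` plays inside it (network, broadcast or host)."""
    addr = ipaddress.ip_address(ip)
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    if addr == net.network_address:
        role = "network"
    elif addr == net.broadcast_address:
        role = "broadcast"
    else:
        role = "host"
    hosts = list(net.hosts())
    return {
        "block": str(net),
        "role": role,
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
    }


def candidate_blocks(ip, prefixes=(30, 29, 28, 27)):
    """Small customer-sized blocks that could contain `ip`."""
    return [block_role(ip, p) for p in prefixes]


def smallest_common_block(ip_a, ip_b):
    """Smallest single block that holds both addresses.

    XOR the two addresses: the highest differing bit marks where the
    shared prefix ends.
    """
    a = int(ipaddress.ip_address(ip_a))
    b = int(ipaddress.ip_address(ip_b))
    prefix = 32 - (a ^ b).bit_length()
    return str(ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False))


if __name__ == "__main__":
    for row in candidate_blocks("64.128.165.39"):
        print(row)
    print(smallest_common_block("64.128.165.39", "64.129.23.80"))
```

For a /30 or /29 the reported address is the broadcast address of its block, so it can only be a usable host address if the containing block is a /28 or larger.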
 
LVL 45

Expert Comment

by:Craig Beck
ID: 40427503
How do you connect your LAN to the ISP?
0
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 40427523
Another thought, if some of those public IP addresses are being used by others then they have access to that "internet switch" that I mentioned .. because the cable they use is connected.  So anyone with such a cable could switch in another device and use one of "your" IP addresses.  And, that "device" could be a laptop or anything.
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 40427811
I doubt that @fmarshall.  The ISP will likely be doing NAT overload based on source subnet so unless a wired client can jump onto the same segment/VLAN it's unlikely.
0
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 40428924
craigbeck:  He did say that there are public IP addresses assigned to some tenants.  That implies direct access to the public IP block and no NAT.  
Turn the argument around:
"It's unlikely that a wired client can connect to the "internet switch".  Therefore, that's a good place to look for connections IF the ISP saw a normally unused public IP address being used.  The possibilities are greatly reduced."
0
 
LVL 45

Assisted Solution

by:Craig Beck
Craig Beck earned 200 total points
ID: 40428976
Of course, it may be as you say, but that's usually unlikely as the ISP probably won't actually be a registered ISP but more of a reseller.  The 'ISP' is using a Mikrotik router, so it's not an enterprise-class setup to start with, therefore we can guess that it's not a proper ISP setup.  In my experience of multi-tenant installations where a 'company' rather than an ISP leases connections there will nearly always be a device which assigns a 1:1 NAT at the edge.  This will then use private addressing to connect the tenants' kit to the edge router.  The purpose of this is multi-faceted and if it's not like that it's a huge legal minefield.  You shouldn't just pass a publicly routable IP to another entity without first covering your own...

I see your point though, fmarshall, and it is entirely possible that real addresses are used throughout.  Perhaps jmarkfoley could clarify what device is used to separate his LAN from the other tenants, and how it's configured?  Either way though, there's NAT at either the ISP router or jmarkfoley's (or both) :-)
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 40450523
> craigbeck ... it is entirely possible that real addresses are used throughout.  Perhaps jmarkfoley could clarify what device is used to separate his LAN from the other tenants, and how it's configured?

Yes, real addresses are used throughout. As far as I can tell, nothing is used to separate my LAN from other tenants except for our MikroTik router/firewall.

In any case, I think I have a conclusion to the mystery.

I did a traceroute from my home computer to the office mail server:

TRACEROUTE (using port 8888/tcp)
HOP RTT      ADDRESS
1   45.64 ms cpe-76-181-64-1.columbus.res.rr.com (76.181.64.1)
2   8.81 ms  CPE-69-23-8-205.new.res.rr.com (69.23.8.205)
3   11.91 ms 24.33.160.58
4   12.63 ms tge9-2.ftpfoh0302h.midwest.rr.com (24.33.161.207)
5   10.62 ms CPE-69-23-10-166.new.res.rr.com (69.23.10.166)
6   25.73 ms host-70-34-190-114.host.ussignalcom.net (70.34.190.114)
7   27.07 ms 69-58-113-2.brescobroadband.com (69.58.113.2)
8   29.45 ms 64-128-165-39.brescobroadband.com (64.128.165.39)
9   29.90 ms mail.ohprs.org (64.129.23.80)



You will notice that the "offending" IP is at hop 8. Our public IP mail server (actually MikroTik router) is at hop 9. I did a traceroute from the office mail server and office web server to my home IP. The first hop after leaving the office hosts was 64.128.165.39. I've checked some mail headers received in the office going back 4 years. Many have this IP as the last hop before hand-off to our mail server.

This is not one of our hosts. This is clearly an upstream server/router for this building and certainly other tenants' computers route through this server as well. Our ISP has not pursued this issue any further despite prodding by us to investigate further. I think he realized it was one of his own boxes and is quietly dropping the matter. Obviously, anyone in the building could have downloaded from anywhere via this host!

While our ISP has good people working for him, he's a bit of a dork and is often wrong on such things. I think this is a non-issue in the end. We will be changing ISP soon.
0
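The check made in the post above, automated: parse the traceroute output and report whether a reported address is the destination or a transit hop on the path. This is an added example, not part of the original thread; the sample text is the traceroute posted above, and the function names and the "transit"/"destination"/"absent" labels are assumptions.

```python
import re

# Traceroute output as posted in the thread above.
TRACE = """\
TRACEROUTE (using port 8888/tcp)
HOP RTT      ADDRESS
1   45.64 ms cpe-76-181-64-1.columbus.res.rr.com (76.181.64.1)
2   8.81 ms  CPE-69-23-8-205.new.res.rr.com (69.23.8.205)
3   11.91 ms 24.33.160.58
4   12.63 ms tge9-2.ftpfoh0302h.midwest.rr.com (24.33.161.207)
5   10.62 ms CPE-69-23-10-166.new.res.rr.com (69.23.10.166)
6   25.73 ms host-70-34-190-114.host.ussignalcom.net (70.34.190.114)
7   27.07 ms 69-58-113-2.brescobroadband.com (69.58.113.2)
8   29.45 ms 64-128-165-39.brescobroadband.com (64.128.165.39)
9   29.90 ms mail.ohprs.org (64.129.23.80)
"""

# A hop line is "N  RTT ms  name (ip)" or "N  RTT ms  ip" when no PTR exists.
HOP_RE = re.compile(
    r"^\s*(\d+)\s+([\d.]+)\s+ms\s+(?:(\S+)\s+\(([\d.]+)\)|([\d.]+))\s*$"
)


def parse_hops(text):
    """Return hops as dicts; header, timeout and malformed lines are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        hop, rtt, name, named_ip, bare_ip = m.groups()
        hops.append({
            "hop": int(hop),
            "rtt_ms": float(rtt),
            "name": name,               # None when only an IP was shown
            "ip": named_ip or bare_ip,
        })
    return hops


def classify(text, reported_ip):
    """Say where reported_ip sits on the path.

    "destination": the last hop, i.e. the traced host itself.
    "transit":     an earlier hop, i.e. a router that forwards traffic
                   for everything listed after it.
    "absent":      not on this path at all.
    """
    hops = parse_hops(text)
    for index, hop in enumerate(hops):
        if hop["ip"] != reported_ip:
            continue
        downstream = [h["ip"] for h in hops[index + 1:]]
        role = "transit" if downstream else "destination"
        return {"role": role, "hop": hop["hop"], "name": hop["name"],
                "downstream": downstream}
    return {"role": "absent", "hop": None, "name": None, "downstream": []}


if __name__ == "__main__":
    print(classify(TRACE, "64.128.165.39"))
    print(classify(TRACE, "64.129.23.80"))
```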
 
LVL 1

Author Closing Comment

by:jmarkfoley
ID: 40450551
Thanks for all the feedback!
0
