Hi I really need some advice , my firewall is blocking the following 192.168.211.178 which is sending from within my network a udp packet. The address cannot be ping and is not registered in my DNS, running wireshark i only see a repeating udp packet from this address every 30 seconds. Also the UDP packet source port is 1111, the mac address is from tyancomp these are the only types of packets from this mac address or IP. I need advice to find thsi machine or possible virus, anybody else seen this type of behavior? thanks asked 09 Mar '13, 17:24 hoyt |
One Answer:
Usually, you'd track down the physical box by looking at the MAC address tables of your switches to see to which port the MAC you saw is connected to. If you find a port that has multiple MAC addresses you might need to go to the next switch that is connected to that port (if there is another switch; it could just be multiple virtual machine MAC addresses on one port as well). Unfortunately not all switches have this functionality, especially not the devices intended for use at home. answered 09 Mar '13, 17:30 Jasper ♦♦ |
Okay 40 switches will take time to go through,but can be done, but i still do not understand why the only packets associated with this MAC address are these UDP port 1111 packets a linux or windows box generates more than that usually.
It should be enough to start at the switch where you captured, and work yourself towards the MAC from there. No need to look at all 40 switches, at least it's highly unlikely.
As soon as you have found the box you can capture everything it does, and also (after having physical access to it) find out what process is using this UDP port, and for what.