RE: strange network traffic

From: Chris Norris (chris.norris@cpnmedia.co.uk)
Date: 08/16/02


From: "Chris Norris" <chris.norris@cpnmedia.co.uk>
To: <security-basics@securityfocus.com>
Date: Fri, 16 Aug 2002 18:36:24 +0100

I sincerely recommend you do get a firewall. Just find a junk PC and put
Linux on it if there is no budget for it, cost = nothing!

-----Original Message-----
From: C Boening [mailto:txfmfdoc@comcast.net]
Sent: 15 August 2002 22:41
To: security basics
Subject: strange network traffic

We are experiencing some network activity which has me baffled. I am
relatively new to network security so I hope I won't get flamed too bad.
Here's what's going on: About 2 months ago our sniffer (CommView)
started capturing traffic from 192.168.0.2 as coming from our network.
We have no such IP address. All routers, switches, servers, annexes,
printers, wireless,... have been checked hands on. No such IP assigned
to any of our devices. The packets coming from this IP contain the
nbstat command. They are sent to several of our servers only. Server
responds with an answer to nbstat (the usual stuff). 192 IP then sends
traffic to several outside IPs, i.e. doubleclick, uunet, and others.
What could cause this traffic and where could it possibly come from?
Another sniffer, Capsa, shows 192 as belonging to our intranet. We do
not have a firewall (yes, I know, but it's not up to me or my dept
head), except for a couple which we run on individual PCs. Purchasing a
firewall at this time is not an option. Can somebody help me out?