[ previous ] [ next ] [ threads ]
 
 From:  Andrew Harvey <pbook at bagheera dot id dot au>
 To:  sai <sonicsai at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] tracking down ip
 Date:  Fri, 27 Jan 2006 00:56:09 +1100 
On 27/01/2006, at 12:25 AM, sai wrote:

> I have
> 10:16:00.273735 rl0 @0:10 b 169.254.15.77,138 -> 169.254.255.255,138
> PR udp len 20 236 IN
>
> showing up on the logs.
>
> Now rl0 is my LAN and the ip addresses are 192.168.10.1/24 so this
> shouldn't be coming from the LAN.
> There is nothing with 169..x.x.x in the arp tables. Is this packet
> from the LAN or what? If it is on my LAN then how do I track down
> which computer is doing this using m0n0?
>
> sai

This is an auto-configuration address, so yes it would most likely be  
a LAN address.

Port 138 is a part of the original NetBIOS trio, so more than likely  
it's a lost windows box.

Andrew