[ale] etherape + comcast + NAT'ed host

Mike Harrison meuon at geeklabs.com
Mon Sep 15 16:19:33 EDT 2008


On Mon, 15 Sep 2008, Jim Popovitch wrote:

> Can anyone explain why etherape (Debian), on a NAT'ed host connected
> to Comcast, would produce a graphic like this:
>
>    http://picasaweb.google.com/jimpop/Public#5246085619648929282
>
> I see IPs in there showing traffic between Korea and Japan :-)

There is something very VERY wrong if you got that behind a NAT'd
firewall. First I'd start, one at a time, unplugging machines
behind your NAT. If one (or more) of them makes that go away, that's
your source and something is using that machine. See the blue line into
-nothing- from LocalHost? That is very strange. As that the traffic is
green/IP_unknown or that white line (I can't read it) - Actual port 
numbers can be informative/clueful.

It's also possible your firewall itself is poking things through..
Depending on what else is going on with your systems, this smells bad.

Also take a look at what you get with iptraf and possibly even sniffit.
It will give you more clues, including source MAC addresses that can
tell you if this is coming from within, or from your router/nat box.
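
Added example, not part of the original post: one way to act on the source-MAC suggestion above by grouping frames whose IP endpoints are both outside the LAN by the MAC that put them on the wire. It assumes a capture in `tcpdump -e -n` text format (a tool the post does not name), a LAN of 192.168.1.0/24, constructed MAC/IP addresses, and hypothetical function names.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in `tcpdump -e -n` format; every address here is made up.
SAMPLE = """\
16:19:30.000001 00:16:3e:aa:bb:01 > 00:1d:7e:00:00:fe, ethertype IPv4 (0x0800), length 74: 192.168.1.10.51234 > 198.51.100.7.80: Flags [S], length 0
16:19:30.000002 00:1d:7e:00:00:fe > 00:16:3e:aa:bb:01, ethertype IPv4 (0x0800), length 74: 198.51.100.7.80 > 192.168.1.10.51234: Flags [S.], length 0
16:19:31.000003 00:1d:7e:00:00:fe > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 90: 203.0.113.20.5000 > 203.0.113.255.5000: UDP, length 50
16:19:31.000004 00:16:3e:aa:bb:02 > 00:1d:7e:00:00:fe, ethertype IPv4 (0x0800), length 60: 203.0.113.9.4444 > 192.0.2.33.6667: Flags [S], length 0
"""

# Timestamp, source MAC > dest MAC, link header, then "src[.port] > dst[.port]:".
LINE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), ethertype IPv4 .*?: "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:"
)

def foreign_flows_by_mac(capture, lan="192.168.1.0/24"):
    """Return {source MAC: [(src, dst), ...]} for frames with no LAN endpoint."""
    net = ipaddress.ip_network(lan)
    hits = defaultdict(list)
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # non-IPv4 or unparsable line
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        # Normal NAT'ed traffic always has one LAN address; flag the rest.
        if src not in net and dst not in net:
            hits[m["smac"]].append((str(src), str(dst)))
    return dict(hits)

def attribute(hits, router_mac):
    """Label each offending source MAC as the router/NAT box or an inside host."""
    return {mac: "router/NAT box" if mac == router_mac else "host on the LAN"
            for mac in hits}

if __name__ == "__main__":
    found = foreign_flows_by_mac(SAMPLE)
    for mac, where in attribute(found, "00:1d:7e:00:00:fe").items():
        print(mac, where, found[mac])
```

Frames attributed to the router's MAC point at the NAT box passing outside traffic inward; frames from any other MAC point at a specific machine on the inside to unplug and examine.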