PIX log - need help tracking down a device on the network
19 years 7 months ago #7940
by LooseCannon
Replied by LooseCannon on topic Re: PIX log - need help tracking down a device on the network
tiamat - that is why this seems strange to me. I've seen plenty of activity from source addresses with that IP range but in this circumstance the destination address is 169.254.x.x and the source address is a seemingly spoofed address.
The 200.0.0.0 network is registered to the Latin American and Caribbean IP address Regional Registry and I'm located in Canada, not to mention a legitimate outside address would never appear as an inside source address on this log. At least it shouldn't...
19 years 7 months ago #7942
by tiamat
Replied by tiamat on topic Re: PIX log - need help tracking down a device on the network
I didn't say it wasn't strange, just letting you know where that 169.254 address was most likely coming from. If you've got access, get on a router, check the ARP tables for the MAC address of those 200.x.x.x addresses and start tracing back the hops until you get to the offending machine. Who knows, it could be someone with a laptop that was last using wireless at their home. Perhaps they have two NICs and are dual-homing. Who knows.
Are there any other backend or VPN connections with other sites that may be using that 200 address range? Perhaps routing got jacked up somewhere.
19 years 6 months ago #8233
by LooseCannon
Replied by LooseCannon on topic Re: PIX log - need help tracking down a device on the network
I tracked down a document on the web today at
www.cymru.com/Documents/tracking-spoofed.html
which is exactly what I was looking for. To summarize the steps in the article (and keep in mind this only works on Cisco equipment):
- Go into router and type 'show ip cache flow' and that will list the source and destination IPs of every packet 'flowing' through the router. It also lists the interface from whence it came.
- Now type 'show ip cef <interface>' and that will list all the IPs connected to that interface. In my case the interface was a VLAN and it listed about 200 IPs from that VLAN!
Anyway, while this is far from perfect it helps narrow down the search immensely, and from here I can use a packet sniffer on the specific VLAN segment to find the guilty device.
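As an added example that is not part of the original post: a Python script that takes saved 'show ip cache flow' output and reports, per inside interface, the source addresses that do not belong to that interface's subnet, which is the first narrowing step described above. The flow lines are constructed sample data, and the interface names and the `EXPECTED` prefix map are assumptions to replace with your own addressing plan.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of 'show ip cache flow' flow records (not from the thread).
# IOS prints the protocol and port columns in hex.
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Vl10          10.20.10.15     Fa0/1         192.0.2.80      06 0C21 0050    42
Vl10          200.1.2.3       Fa0/1         169.254.10.20   11 0089 0089     3
Vl20          10.20.20.7      Fa0/1         198.51.100.9    06 0D05 01BB    17
Vl10          200.1.2.4       Fa0/1         169.254.33.1    11 0089 0089     5
Fa0/1         198.51.100.9    Vl20          10.20.20.7      06 01BB 0D05    15
"""

# Assumption: prefixes that may legitimately source traffic on each inside interface.
EXPECTED = {
    "Vl10": [ipaddress.ip_network("10.20.10.0/24")],
    "Vl20": [ipaddress.ip_network("10.20.20.0/24")],
}

def parse_flows(text):
    """Yield (src_if, src_ip, dst_if, dst_ip, pkts) for each flow record line."""
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8:
            continue
        try:
            src, dst = ipaddress.ip_address(f[1]), ipaddress.ip_address(f[3])
        except ValueError:
            continue  # column header or other non-record line
        # A non-numeric count is kept as 0 so the flow is still reported.
        pkts = int(f[7]) if f[7].isdigit() else 0
        yield f[0], src, f[2], dst, pkts

def suspect_sources(text, expected=EXPECTED):
    """Map inside interface -> {unexpected source IP: packet count}."""
    hits = defaultdict(lambda: defaultdict(int))
    for src_if, src, _dst_if, _dst, pkts in parse_flows(text):
        nets = expected.get(src_if)
        if nets is None:
            continue  # interface has no expected prefixes listed (e.g. outside)
        if not any(src in n for n in nets):
            hits[src_if][str(src)] += pkts
    return {ifname: dict(srcs) for ifname, srcs in hits.items()}

if __name__ == "__main__":
    for ifname, srcs in suspect_sources(SAMPLE).items():
        print(ifname, srcs)
```

The interface it reports is the one to pass to 'show ip cef <interface>' and to sniff on afterwards.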
19 years 6 months ago #8258
by Chris
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
Replied by Chris on topic Re: PIX log - need help tracking down a device on the network
Interesting outcome, do let us know of your findings!