
Thread: Port scanning question...

  1. #31
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243

    Left this out...

    ...it's a Linksys WRT54G, no NAT or ARP tables from what I can see. Just a DHCP table and a routing table. The DHCP table lists only the LAN's IPs and the MACs, and the routing table gives me WAN IPs. I respectfully disagree with you on ping times on the LAN. They're very indicative of how busy a particular machine is. Crude, but effective.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  2. #32
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    That's cool. Test it sometime when it's quiet. Ping a machine doing nothing, then download a file on that machine and ping it again from your other box while the file is downloading. It all depends on your overall environment and bandwidth on the network, this side of the gateway. Peace.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  3. #33
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243

    This is interesting...

    ...the most recent issue of 2600 has a piece entitled "Tracking Wireless Neighbors". It's written by Sam Nitzburg (www.iamsam.com) and chronicles his adventures with an interloper on his wireless network at home. He describes enabling the logs on his Linksys router, a feature I noted was disabled on the coffeehouse router. He was able to track ingoing and outgoing IP addresses and websites his visitors had accessed. He also utilized nmap and Nessus, but only mentions his machines and network. No mention of port scanning the intruder, although if he scanned the full range of his LAN, he would've done just that.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  4. #34
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    That's a good article. You should note that pinging a machine is tricky. There is NO way to isolate other traffic from his alone. You get a picture of the whole environment on whatever link you are measuring. That includes everyone. And a machine with a fast CPU downloading a large file will ping faster than a machine with a slow CPU running a few apps and downloading a small file. Or they may ping the same when the fast machine is eating all the bandwidth. I am thinking you really have to ping them from the router for a little more accuracy or use more sophistication to measure packet transfers. These are extremes but noteworthy.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  5. #35
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243

    Thanks, Roadclosed...

    ...I stand corrected. I tested ping speeds on another network this a.m., a small peer-to-peer. Running Angry IP which will give me ping speeds, I got a baseline on another machine of "0 ms", then I started an OpenOffice download, which runs 65 mb's or so. Ran Angry IP again from my laptop during that download and it still read "0 ms". Sorry if I came off like a know-it-all. I just figured something was up when the 'problem' machines are running 35 ms and 80 ms speeds in contrast to the other machines that day which were in the 0-10 ms range. I'll have another look at that router and see what I can do from that. Really appreciate your perspective...thanks.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  6. #36
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243

    That's the trick...

    ...enabled the logs on the router and am checking them now. You can pick up a lot of info this way. Whoever's on 114 has yahoo email. They must be paying for it because they're using an SMTP server. Looks like 111's downloading some music via gnutella from a computer on a RoadRunner network. 101 went to McAfee's website (good girl!). 114 also went to the local university's secure server, probably checking email. Ugh, this is more than I want to know.

    You're never alone on the internet, even if the house is empty...
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  7. #37
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    See how much easier that is? You know in an instant who's who and what they are doing. Looks like you found the music man who is using gnutella. It's good to only focus on what you need and let the rest fade into obscurity. Road Runner uses a very detailed naming scheme; in most cases you can tell what state and which region they are in just by the host name.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.
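
Added example, not part of the original thread: a small triage script for the kind of outgoing router log discussed in posts #36 and #37, grouping connections by LAN host and flagging hosts that talk to file-sharing ports. The three-column log layout, the sample lines, and all function names are assumptions made for illustration; the port numbers are the well-known defaults for Gnutella and Kazaa.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample: LAN IP, destination, port (layout assumed, not taken
# from the thread; real router logs differ by model and firmware).
SAMPLE_LOG = """\
192.168.1.114  smtp.mail.example         25
192.168.1.114  secure.university.example 443
192.168.1.111  peer-a.rr.example         6346
192.168.1.111  peer-b.rr.example         6346
192.168.1.111  peer-c.rr.example         6347
192.168.1.101  www.vendor.example        80
192.168.1.999  bad-address.example       80
truncated line
"""

SERVICES = {25: "smtp", 80: "http", 110: "pop3", 443: "https"}
P2P_PORTS = {1214: "kazaa", 6346: "gnutella", 6347: "gnutella"}  # default ports

def parse_log(text):
    """Yield (lan_ip, destination, port), skipping malformed lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3 or not fields[2].isdigit():
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        port = int(fields[2])
        if 0 < port < 65536:
            yield str(ip), fields[1], port

def summarize(entries):
    """Per LAN host: connection counts by service and distinct P2P peers."""
    report = defaultdict(lambda: {"services": Counter(), "p2p_peers": set()})
    for host, dest, port in entries:
        label = P2P_PORTS.get(port) or SERVICES.get(port, f"port-{port}")
        report[host]["services"][label] += 1
        if port in P2P_PORTS:
            report[host]["p2p_peers"].add(dest)
    return dict(report)

def hosts_to_review(report):
    """Hosts with file-sharing traffic, most distinct peers first."""
    flagged = [(h, len(r["p2p_peers"])) for h, r in report.items() if r["p2p_peers"]]
    return sorted(flagged, key=lambda item: -item[1])

if __name__ == "__main__":
    print(hosts_to_review(summarize(parse_log(SAMPLE_LOG))))
```

Matching on default ports is only a heuristic: file-sharing clients can be configured to use other ports, so a clean result does not rule a host out.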

  8. #38
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243

    He-heh....

    ...that was more work than the port scan method I was using. Talked to the big cheese from the youth ministry upstairs today and we'll go through the two computers on Friday. It's a given that someone's always downloading music at the coffeehouse. You see the kids in there all the time with their headphones on. I'm not sure that was the problem so much as some uploading going on. I know there's some rogue software floating around upstairs because IMMEDIATELY upon filtering the two MAC addresses, our bandwidth was freed according to that highly-scientific method of observing the blinking indicator lights on the modem.

    I used to have an office from which I shared my DSL connection to two other small offices. One night my bandwidth was slowed to 26k (that's slower than Ye Olde 56k Modem!) so I started unplugging cables from the router (there was no wireless there). When I unplugged the realtor down the hall, my bandwidth jumped to 600k (normal). Plugged it back in and after five minutes I was back down to 91k and dropping. Unplugged him again and I jumped back up to 600k. Left it that way then followed up with him the next day. He was running Kazaa as a server and leaving the computer on all night. I wouldn't be surprised if something like that was going on up there, or maybe a trojan/worm like Bagle or Netsky.

    Thanks.
    “Everybody is ignorant, only on different subjects.” — Will Rogers
