Need help Find a local Virtual Machine that's sending packets?

Discussion in 'Cisco' started by Scott Townsend, Apr 12, 2007.

  1. I'm getting 1000's of log entries like the following:
    %PIX-3-305005: No translation group found for udp src
    inside-HBG:192.168.57.134(unresolved)/137 dst
    outside-HBG:192.168.255.255(unresolved)/137

    The only machines that use 192.168.x.x in our network are VMware images.

    When I do a SH Arp, the 192.168.57.134 address is not in the list. I'm
    guessing it's because it's using the local host NIC's 10.1.x.x address.

    How can I track down this IP address to its source?

    Thanks,
    Scott<-
     
    Scott Townsend, Apr 12, 2007
    #1

  2. Scott Townsend

    Trendkill Guest

    It's NATed, you won't be able to. As far as your router is concerned,
    the internal address doesn't exist. Unless you can get the vmhost to
    somehow make a request to a website or whatever that you can control
    and see which external address it resolves to, I think you are SOL.
     
    Trendkill, Apr 13, 2007
    #2

  3. Then how is the PIX seeing the Broadcast Packet? What would the MAC Address
    Be?

    This is falling under the 'Love Of networking' guys situation...

    Time for going home.
     
    Scott Townsend, Apr 13, 2007
    #3
  4. Scott Townsend

    Trendkill Guest

    Technically I believe a broadcast is sent to all local network hosts,
    and only has its source MAC, not IP. For example, when a station
    broadcasts for an IP address, it sends a broadcast but has no IP,
    therefore it only has a source mac address. I wouldn't think the host
    server should forward a vm broadcast, but I know you can also
    configure vm hosts as dhcp clients, so maybe they did some creative
    things to internal server networking. In short, perhaps someone else
    can take a stab here as I'm not sure how your pix is seeing
    it........but your router will definitely not have an ARP entry as it
    did not route the packet off of the 192 network, the server did.
    Therefore when it reaches the router, the packet should be sourced
    from the 10.x IP and MAC.
     
    Trendkill, Apr 13, 2007
    #4
  5. Yeah, I didn't look at any of the router ARP tables, just the PIX's

    sCOTT<-
     
    Scott Townsend, Apr 13, 2007
    #5
  6. Scott Townsend

    Trendkill Guest

    Another reason your server may be forwarding it out is the broadcast
    address itself. I thought that those boxes were 192.168.0.0/24
    addresses, and if your host machine sends a packet to 192.168.255.255,
    then the host must think it is in a /16, and therefore the server must
    be forwarding it to its default gateway. Either way something seems
    odd there..........
     
    Trendkill, Apr 13, 2007
    #6
  7. Scott Townsend

    Trendkill Guest

    Well, check the router ARP tables and maybe you just have a lost
    box....but if it's a true vmhost, I think you won't see anything....but
    I have been known to be wrong from time to time. ;-)
     
    Trendkill, Apr 13, 2007
    #7
  8. Scott Townsend

    Brad Guest

    > Technically I believe a broadcast is sent to all local network hosts,

    In an ARP request, which is a layer 2 broadcast, the requester does
    include its IP address in the ARP request. If you could sniff the
    traffic and see the ARP requests then you could see the requester's
    IP.
     
    Brad, Apr 13, 2007
    #8
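
Brad's suggestion above, as an added example (not code from any poster in this thread): a minimal ARP parser that reads the sender IP and sender MAC out of captured Ethernet frames and reports which MACs are announcing addresses in 192.168.0.0/16. It assumes raw Ethernet II frames already captured on the VM host's segment; the MAC addresses and the 10.1.0.20 and 192.168.57.1 addresses are constructed sample values.

```python
import ipaddress
import struct

ETHERTYPE_ARP, ARP_REQUEST = 0x0806, 1

def parse_arp(frame: bytes):
    """Return (op, sender_mac, sender_ip, target_ip) for an IPv4/Ethernet ARP frame, else None."""
    if len(frame) < 14 + 28:                      # Ethernet header + ARP body
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    mac = ":".join(f"{b:02x}" for b in sha)
    return op, mac, str(ipaddress.IPv4Address(spa)), str(ipaddress.IPv4Address(tpa))

def senders_in_net(frames, cidr):
    """Map sender IP -> set of sender MACs for ARP requests sourced from inside cidr."""
    net = ipaddress.ip_network(cidr)
    seen = {}
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REQUEST:
            continue
        _, mac, spa, _ = parsed
        if ipaddress.ip_address(spa) in net:
            seen.setdefault(spa, set()).add(mac)
    return seen

def build_arp_request(src_mac, src_ip, target_ip):
    """Build a broadcast ARP request frame (used only to construct sample data)."""
    sha = bytes.fromhex(src_mac.replace(":", ""))
    eth = b"\xff" * 6 + sha + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)
    arp += sha + ipaddress.IPv4Address(src_ip).packed
    arp += b"\x00" * 6 + ipaddress.IPv4Address(target_ip).packed
    return eth + arp

# Constructed capture: the address from the PIX log, a 10.1.x.x host, one non-ARP frame.
SAMPLE = [
    build_arp_request("02:00:00:00:00:01", "192.168.57.134", "192.168.57.1"),
    build_arp_request("02:00:00:00:00:02", "10.1.0.20", "10.1.0.1"),
    b"\xff" * 6 + bytes(6) + b"\x08\x00" + bytes(40),
]

if __name__ == "__main__":
    for ip, macs in senders_in_net(SAMPLE, "192.168.0.0/16").items():
        print(ip, sorted(macs))
```

The sender MAC recovered this way can then be looked up in the switch's MAC address table to find the physical port.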