
I have a setup with RouterB sitting behind RouterA. RouterA sets RouterB's IP address to a public static IP 108.x.y.z, which it has been given in a block of addresses by the ISP.

In RouterA's logs, I see this:

src=108.x.y.z dst=192.168.0.28 ipprot=17 sport=64881 dport=161 
Drop traffic to 192.168.0.0/16

The source is RouterB (or possibly one of the computers sitting behind it) and the destination is an IP address that doesn't exist, nor is it in fact even on the same subnet as the rest of the network sitting behind either router.

Is there something I can do to find the source of this traffic?

Update: more details

As suggested by blankabout I had a look in RouterB's logs. There is nothing but a bunch of stuff like this:

2012 Mar 15 08:44:33 [FVS336G] [wand] [LBFO] Restarting WAN2_
2012 Mar 15 08:45:36 [FVS336G] [wand] [LBFO] WAN1(UP), WAN2(UP)_
2012 Mar 15 08:46:37 [FVS336G] [wand] [LBFO] Restarting WAN1_

Regarding the comment from gravyface on the answer from blankabout: indeed the router was recently moved, so it could be that. How could I go about checking?

The router is a NETGEAR ProSafe VPN Firewall FVS336G if that helps any.

Sammy Larbi

1 Answer


For what it is worth, it is SNMP traffic. Could you enable logs on RouterB and trace the traffic back from there?

EDIT: As the traffic is coming from 108.x.y.z, that suggests it really is coming from the router rather than any host behind it. If these routers are in a production environment then just about the only thing you can do is check through the config for any SNMP traps, as suggested elsewhere. Even in a non-production environment you would have to do that in the end anyway.

blankabout
could be a default or previously-configured SNMP trap with that IP (192.168.0.28) that it's trying to send SNMP events to. – gravyface Mar 15 '12 at 13:41
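
As an added example (not part of the original question, answer or comment), this Python sketch decodes the drop-log format quoted in the question and counts dropped flows toward RFC 1918 destinations, so the repeated talker and service stand out. The field layout is inferred from the single quoted line; every sample line after the first is constructed, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}          # IANA protocol numbers
UDP_SERVICES = {161: "SNMP agent (get/set)", 162: "SNMP trap receiver",
                53: "DNS", 123: "NTP", 514: "syslog"}    # well-known UDP ports
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_drop_line(line):
    """Return a dict for one 'src= dst= ipprot= sport= dport=' line, else None."""
    f = dict(FIELD_RE.findall(line))
    try:
        dst = ipaddress.ip_address(f["dst"])
        proto_num, dport = int(f["ipprot"]), int(f["dport"])
        src = f["src"]  # kept as text so a redacted address still groups
    except (KeyError, ValueError):
        return None     # e.g. the "Drop traffic to ..." rule line
    proto = IP_PROTOCOLS.get(proto_num, f"ipprot {proto_num}")
    service = UDP_SERVICES.get(dport) if proto == "UDP" else None
    return {"src": src, "dst": str(dst), "proto": proto,
            "service": service or f"{proto}/{dport}",
            "private_dst": any(dst in net for net in RFC1918)}

def summarize(lines):
    """Count dropped flows toward RFC 1918 destinations, most frequent first."""
    flows = Counter()
    for line in lines:
        rec = parse_drop_line(line)
        if rec and rec["private_dst"]:
            flows[(rec["src"], rec["dst"], rec["service"])] += 1
    return flows.most_common()

# First entry is the one quoted in the question; the rest are constructed samples.
SAMPLE_LOG = """\
src=108.x.y.z dst=192.168.0.28 ipprot=17 sport=64881 dport=161
Drop traffic to 192.168.0.0/16
src=108.x.y.z dst=192.168.0.28 ipprot=17 sport=64882 dport=161
src=108.x.y.z dst=192.168.0.28 ipprot=17 sport=64890 dport=162
src=108.x.y.z dst=198.51.100.7 ipprot=17 sport=50000 dport=53
""".splitlines()

if __name__ == "__main__":
    for (src, dst, service), count in summarize(SAMPLE_LOG):
        print(f"{count:3d}  {src} -> {dst}  {service}")
```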