In my firewall logs I recently see frequent connection attempts from a 10.0.0.0/8 network. This network is used by VirtualBox, but I can exclude that these packets come from those. No physical machine is intended to use this net.

I guess that the source is a Linux machine 2 hops from the firewall, which could e.g. be anything in WiFi. Since I know some Android devices have trouble with DHCP, I suspect that they cause the issue. But knowing is better than guessing! Beyond that I'd not expect the AP to route 10.0.0.0/8 - but it wouldn't be the first time these boxes do something I do not expect.

Yes, I could try to hunt it down when I happen to see such access and follow the traffic by tcpdump, arp, ... but

is there a Linux tool to monitor network traffic and trace it back to the origin - probably returning the route as a list of MAC / IP?

Lars Hanke

0 Answers