How to debug a local network from a PC that is infecting it

3

I want to help my dad to debug a local network with this slightly unusual issue.

There is a wireless network with 7 PCs and 3 smartphones connected to one router, so I can get basic logs, statistics, etc.

When a particular PC is blacklisted from connecting to the network based on its MAC address, it works perfectly, but when that one is allowed to connect, the web is sluggish. It takes ages to load a website, but when the browser starts showing the content it gets faster, or YouTube is loading for 8 seconds, but then it's OK.

It looks like a DNS problem (yet I'm not an expert). I can think of a few options:

  • Firmware problem when the net card talks to the router
  • PC has malicious software, e.g., sending spam to many IPs clogs the DNS
  • A PC user abused the network with many P2P, etc.

I think that the 1st option is most likely. Any other ideas? How would I rule them out?

EDIT:

I used Wireshark to track the packets while Firefox was fetching yahoo.com. It takes more than 18 seconds to download the website.

    No.     Time        Source                Destination           Protocol Length Info
          1 0.000000    10.0.0.10             10.0.0.1              TCP      54     58144 > icslap [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

    Frame 1: 54 bytes on wire (432 bits), 54 bytes captured (432 bits)
    Ethernet II, Src: IntelCor_1a:d1:9a (74:e5:0b:1a:d1:9a), Dst: Cisco-Li_b1:26:f3 (00:14:bf:b1:26:f3)
    Internet Protocol Version 4, Src: 10.0.0.10 (10.0.0.10), Dst: 10.0.0.1 (10.0.0.1)
    Transmission Control Protocol, Src Port: 58144 (58144), Dst Port: icslap (2869), Seq: 1, Ack: 1, Len: 0

    No.     Time        Source                Destination           Protocol Length Info
          2 0.062407    10.0.0.10             10.0.0.1              TCP      54     58146 > icslap [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

    Frame 2: 54 bytes on wire (432 bits), 54 bytes captured (432 bits)
    Ethernet II, Src: IntelCor_1a:d1:9a (74:e5:0b:1a:d1:9a), Dst: Cisco-Li_b1:26:f3 (00:14:bf:b1:26:f3)
    Internet Protocol Version 4, Src: 10.0.0.10 (10.0.0.10), Dst: 10.0.0.1 (10.0.0.1)
    Transmission Control Protocol, Src Port: 58146 (58146), Dst Port: icslap (2869), Seq: 1, Ack: 1, Len: 0

    No.     Time        Source                Destination           Protocol Length Info
          3 2.548452    10.0.0.10             myISPDNS        DNS      69     Standard query A yahoo.com

    Frame 3: 69 bytes on wire (552 bits), 69 bytes captured (552 bits)
    Ethernet II, Src: IntelCor_1a:d1:9a (74:e5:0b:1a:d1:9a), Dst: Cisco-Li_b1:26:f3 (00:14:bf:b1:26:f3)

    No.     Time        Source                Destination           Protocol Length Info
          4 2.743118    209.85.148.18         10.0.0.10             TLSv1    106    Application Data

    Frame 4: 106 bytes on wire (848 bits), 106 bytes captured (848 bits)
    Ethernet II, Src: Cisco-Li_b1:26:f3 (00:14:bf:b1:26:f3), Dst: IntelCor_1a:d1:9a (74:e5:0b:1a:d1:9a)
    Internet Protocol Version 4, Src: 209.85.148.18 (209.85.148.18), Dst: 10.0.0.10 (10.0.0.10)
    Transmission Control Protocol, Src Port: https (443), Dst Port: 58034 (58034), Seq: 1, Ack: 1, Len: 52
    Secure Sockets Layer

    No.     Time        Source                Destination           Protocol Length Info
          5 2.824148    fe80::18f6:e2b8:a0d3:16f2 ff02::c               SSDP     208    M-SEARCH * HTTP/1.1 

    Frame 5: 208 bytes on wire (1664 bits), 208 bytes captured (1664 bits)
    Ethernet II, Src: IntelCor_1a:d1:9a (74:e5:0b:1a:d1:9a), Dst: IPv6mcast_00:00:00:0c (33:33:00:00:00:0c)
    Internet Protocol Version 6, Src: fe80::18f6:e2b8:a0d3:16f2 (fe80::18f6:e2b8:a0d3:16f2), Dst: ff02::c (ff02::c)
    User Datagram Protocol, Src Port: 62835 (62835), Dst Port: ssdp (1900)
    Hypertext Transfer Protocol

    No.     Time        Source                Destination           Protocol Length Info
          6 2.963981    10.0.0.10             209.85.148.18         TCP      54     58034 > https [ACK] Seq=1 Ack=53 Win=3965 Len=0

    Frame 6: 54 bytes on wire (432 bits), 54 bytes captured (432 bits)
    Ethernet II, Src: IntelCor_1a:d1:9a (74:e5:0b:1a:d1:9a), Dst: Cisco-Li_b1:26:f3 (00:14:bf:b1:26:f3)
    Internet Protocol Version 4, Src: 10.0.0.10 (10.0.0.10), Dst: 209.85.148.18 (209.85.148.18)
    Transmission Control Protocol, Src Port: 58034 (58034), Dst Port: https (443), Seq: 1, Ack: 53, Len: 0

    No.     Time        Source                Destination           Protocol Length Info
          7 3.556860    10.0.0.10             8.8.8.8               DNS      69     Standard query A yahoo.com

    Frame 7: 69 bytes on wire (552 bits), 69 bytes captured (552 bits)
    Ethernet II, Src: IntelCor_1a:d1:9a (74:e5:0b:1a:d1:9a), Dst: Cisco-Li_b1:26:f3 (00:14:bf:b1:26:f3)
    Internet Protocol Version 4, Src: 10.0.0.10 (10.0.0.10), Dst: 8.8.8.8 (8.8.8.8)
    User Datagram Protocol, Src Port: 53037 (53037), Dst Port: domain (53)
    Domain Name System (query)

    No.     Time        Source                Destination           Protocol Length Info
          8 4.071413    10.0.0.10             10.0.0.1              TCP      54     58147 > icslap [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

    Frame 8: 54 bytes on wire (432 bits), 54 bytes captured (432 bits)
    Ethernet II, Src: IntelCor_1a:d1:9a (74:e5:0b:1a:d1:9a), Dst: Cisco-Li_b1:26:f3 (00:14:bf:b1:26:f3)
    Internet Protocol Version 4, Src: 10.0.0.10 (10.0.0.10), Dst: 10.0.0.1 (10.0.0.1)
    Transmission Control Protocol, Src Port: 58147 (58147), Dst Port: icslap (2869), Seq: 1, Ack: 1, Len: 0

    No.     Time        Source                Destination           Protocol Length Info
          9 4.149439    10.0.0.10             10.0.0.1              TCP      54     58149 > icslap [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

    Frame 9: 54 bytes on wire (432 bits), 54 bytes captured (432 bits)
    Ethernet II, Src: IntelCor_1a:d1:9a (74:e5:0b:1a:d1:9a), Dst: Cisco-Li_b1:26:f3 (00:14:bf:b1:26:f3)
    Internet Protocol Version 4, Src: 10.0.0.10 (10.0.0.10), Dst: 10.0.0.1 (10.0.0.1)
    Transmission Control Protocol, Src Port: 58149 (58149), Dst Port: icslap (2869), Seq: 1, Ack: 1, Len: 0

    No.     Time        Source                Destination           Protocol Length Info
         10 4.570823    10.0.0.10             194.204.159.1         DNS      69     Standard query A yahoo.com

    Frame 10: 69 bytes on wire (552 bits), 69 bytes captured (552 bits)
    Ethernet II, Src: IntelCor_1a:d1:9a (74:e5:0b:1a:d1:9a), Dst: Cisco-Li_b1:26:f3 (00:14:bf:b1:26:f3)
    Internet Protocol Version 4, Src: 10.0.0.10 (10.0.0.10), Dst: 194.204.159.1 (194.204.159.1)
    User Datagram Protocol, Src Port: 53037 (53037), Dst Port: domain (53)
    Domain Name System (query)

    No.     Time        Source                Destination           Protocol Length Info
         11 4.600193    194.204.159.1         10.0.0.10             DNS      371    Standard query response A 72.30.2.43 A 98.137.149.56 A 98.139.180.149 A 209.191.122.70

    Frame 11: 371 bytes on wire (2968 bits), 371 bytes captured (2968 bits)
    Ethernet II, Src: Cisco-Li_b1:26:f3 (00:14:bf:b1:26:f3), Dst: IntelCor_1a:d1:9a (74:e5:0b:1a:d1:9a)
    Internet Protocol Version 4, Src: 194.204.159.1 (194.204.159.1), Dst: 10.0.0.10 (10.0.0.10)
    User Datagram Protocol, Src Port: domain (53), Dst Port: 53037 (53037)
    Domain Name System (response)

    No.     Time        Source                Destination           Protocol Length Info
         12 4.602029    10.0.0.10             72.30.2.43            TCP      66     58150 > http [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1

    Frame 12: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
    Ethernet II, Src: IntelCor_1a:d1:9a (74:e5:0b:1a:d1:9a), Dst: Cisco-Li_b1:26:f3 (00:14:bf:b1:26:f3)
    Internet Protocol Version 4, Src: 10.0.0.10 (10.0.0.10), Dst: 72.30.2.43 (72.30.2.43)
    Transmission Control Protocol, Src Port: 58150 (58150), Dst Port: http (80), Seq: 0, Len: 0

    No.     Time        Source                Destination           Protocol Length Info
         13 4.602617    10.0.0.10             72.30.2.43            TCP      66     58151 > http [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1

    Frame 13: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
    Ethernet II, Src: IntelCor_1a:d1:9a (74:e5:0b:1a:d1:9a), Dst: Cisco-Li_b1:26:f3 (00:14:bf:b1:26:f3)
    Internet Protocol Version 4, Src: 10.0.0.10 (10.0.0.10), Dst: 72.30.2.43 (72.30.2.43)
    Transmission Control Protocol, Src Port: 58151 (58151), Dst Port: http (80), Seq: 0, Len: 0

    No.     Time        Source                Destination           Protocol Length Info
         14 5.834617    fe80::18f6:e2b8:a0d3:16f2 ff02::c               SSDP     208    M-SEARCH * HTTP/1.1 

    Frame 14: 208 bytes on wire (1664 bits), 208 bytes captured (1664 bits)
    Ethernet II, Src: IntelCor_1a:d1:9a (74:e5:0b:1a:d1:9a), Dst: IPv6mcast_00:00:00:0c (33:33:00:00:00:0c)
    Internet Protocol Version 6, Src: fe80::18f6:e2b8:a0d3:16f2 (fe80::18f6:e2b8:a0d3:16f2), Dst: ff02::c (ff02::c)
    User Datagram Protocol, Src Port: 62835 (62835), Dst Port: ssdp (1900)
    Hypertext Transfer Protocol

    No.     Time        Source                Destination           Protocol Length Info
         15 7.612683    10.0.0.10             72.30.2.43            TCP      66     58150 > http [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1

    Frame 15: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
    Ethernet II, Src: IntelCor_1a:d1:9a (74:e5:0b:1a:d1:9a), Dst: Cisco-Li_b1:26:f3 (00:14:bf:b1:26:f3)
    Internet Protocol Version 4, Src: 10.0.0.10 (10.0.0.10), Dst: 72.30.2.43 (72.30.2.43)
    Transmission Control Protocol, Src Port: 58150 (58150), Dst Port: http (80), Seq: 0, Len: 0

    No.     Time        Source                Destination           Protocol Length Info
         16 7.612978    10.0.0.10             72.30.2.43            TCP      66     58151 > http [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1

    Frame 16: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
    Ethernet II, Src: IntelCor_1a:d1:9a (74:e5:0b:1a:d1:9a), Dst: Cisco-Li_b1:26:f3 (00:14:bf:b1:26:f3)
    Internet Protocol Version 4, Src: 10.0.0.10 (10.0.0.10), Dst: 72.30.2.43 (72.30.2.43)
    Transmission Control Protocol, Src Port: 58151 (58151), Dst Port: http (80), Seq: 0, Len: 0

    No.     Time        Source                Destination           Protocol Length Info
         17 7.817470    72.30.2.43            10.0.0.10             TCP      66     http > 58150 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1440 SACK_PERM=1 WS=256

    Frame 17: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
    Ethernet II, Src: Cisco-Li_b1:26:f3 (00:14:bf:b1:26:f3), Dst: IntelCor_1a:d1:9a (74:e5:0b:1a:d1:9a)
    Internet Protocol Version 4, Src: 72.30.2.43 (72.30.2.43), Dst: 10.0.0.10 (10.0.0.10)
    Transmission Control Protocol, Src Port: http (80), Dst Port: 58150 (58150), Seq: 0, Ack: 1, Len: 0

    No.     Time        Source                Destination           Protocol Length Info
         18 7.817612    10.0.0.10             72.30.2.43            TCP      54     58150 > http [ACK] Seq=1 Ack=1 Win=17280 Len=0

    Frame 18: 54 bytes on wire (432 bits), 54 bytes captured (432 bits)
    Ethernet II, Src: IntelCor_1a:d1:9a (74:e5:0b:1a:d1:9a), Dst: Cisco-Li_b1:26:f3 (00:14:bf:b1:26:f3)
    Internet Protocol Version 4, Src: 10.0.0.10 (10.0.0.10), Dst: 72.30.2.43 (72.30.2.43)
    Transmission Control Protocol, Src Port: 58150 (58150), Dst Port: http (80), Seq: 1, Ack: 1, Len: 0

    No.     Time        Source                Destination           Protocol Length Info
         19 7.818038    10.0.0.10             72.30.2.43            HTTP     417    GET / HTTP/1.1 

    Frame 19: 417 bytes on wire (3336 bits), 417 bytes captured (3336 bits)
    Ethernet II, Src: IntelCor_1a:d1:9a (74:e5:0b:1a:d1:9a), Dst: Cisco-Li_b1:26:f3 (00:14:bf:b1:26:f3)
    Internet Protocol Version 4, Src: 10.0.0.10 (10.0.0.10), Dst: 72.30.2.43 (72.30.2.43)
    Transmission Control Protocol, Src Port: 58150 (58150), Dst Port: http (80), Seq: 1, Ack: 1, Len: 363
    Hypertext Transfer Protocol

    No.     Time        Source                Destination           Protocol Length Info
         20 7.819959    72.30.2.43            10.0.0.10             TCP      66     http > 58151 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1440 SACK_PERM=1 WS=256

    Frame 20: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)

Also I cannot tracert anything.

Right now I don't think it's DNS. An IP conflict, or 2 DHCP servers in one network?

The infrastructure looks like this:

My PC <-- Local WIFI G cat. --> router <-- LAN --> router <-- WIFI G cat. connected ad hoc (I guess) --> router <-- LAN --> ISP router

Basically, there are 2 logical networks: inside my house, and from my house to the other building.

EDIT 2:

I've narrowed it to this situation:

When the TP-Link connects to the Airlink, which is connected to the ISP modem, everything slows down a lot; it sends hundreds of frames per second (I don't know what is inside, though). I cannot even change the config in the Airlink - it takes ages. It seems like the 2 firmwares conflict.

EDIT 3:

I banned the troublemaker's MAC, so now I am the only IP that is active. I rebooted the AP and the router and it was OK for a few minutes, but I noticed it is still slow. I did a speed test and it says 4MB download (should be 8) and 900Kb up (should be 2M), and it showed me a ping of... -7ms.

When I ping my AP (WL-5460AP v2) it is OK (ping 4ms), but when I ping my router - request timed out. Both are Airlink; the AP is directly connected with a LAN cable to the router, and the router is connected to the ISP modem.

AP log:

    0day 03:15:27 (none) kern.warn klogd: wlan0: A wireless client (troublemaker MAC) was rejected due to access control for 243 times in 5 minutes.

It is trying to connect; could that slow the network?

Lukasz Madon

Posted 2011-12-24T20:45:39.007

Reputation: 243

What exactly do you mean by "banned"? – outis – 2011-12-24T22:00:34.273

When I ban it on the router. – Lukasz Madon – 2011-12-24T22:03:36.837

That's circular. What do you mean by "banning"? Are you adding the PC's MAC address to a blacklist filter? Are you blocking it via a firewall? Something else? – outis – 2011-12-24T22:05:20.203

Yes, the PC's MAC is out. – Lukasz Madon – 2011-12-24T22:06:39.373

Is the computer that's giving trouble connecting via Wi-Fi or LAN? If Wi-Fi, is it N or G capable? Or is it only connecting at the B level? – Matt H – 2011-12-26T02:11:27.973

@Matt all are G connected. I added some details. – Lukasz Madon – 2011-12-26T02:45:43.113
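The capture in the question shows two separate stalls: the client asks three resolvers in turn before one answers, and its first SYNs to yahoo.com get no reply until they are retransmitted. Below is an added Python example (not from the question or any answer) that parses Wireshark summary lines and measures both; the embedded frames are a subset copied from the capture above, and the client address 10.0.0.10 is taken from it.

```python
import re

# Subset of the summary lines posted in the question (unrelated TLS/SSDP/icslap frames left out).
CAPTURE = """\
      3 2.548452    10.0.0.10             myISPDNS              DNS      69     Standard query A yahoo.com
      7 3.556860    10.0.0.10             8.8.8.8               DNS      69     Standard query A yahoo.com
     10 4.570823    10.0.0.10             194.204.159.1         DNS      69     Standard query A yahoo.com
     11 4.600193    194.204.159.1         10.0.0.10             DNS      371    Standard query response A 72.30.2.43
     12 4.602029    10.0.0.10             72.30.2.43            TCP      66     58150 > http [SYN] Seq=0 Win=8192 Len=0
     13 4.602617    10.0.0.10             72.30.2.43            TCP      66     58151 > http [SYN] Seq=0 Win=8192 Len=0
     15 7.612683    10.0.0.10             72.30.2.43            TCP      66     58150 > http [SYN] Seq=0 Win=8192 Len=0
     16 7.612978    10.0.0.10             72.30.2.43            TCP      66     58151 > http [SYN] Seq=0 Win=8192 Len=0
     17 7.817470    72.30.2.43            10.0.0.10             TCP      66     http > 58150 [SYN, ACK] Seq=0 Ack=1
     19 7.818038    10.0.0.10             72.30.2.43            HTTP     417    GET / HTTP/1.1
"""

# Columns: No. Time Source Destination Protocol Length Info
LINE = re.compile(r"^\s*(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(.*)$")

def parse_summary(text):
    """Turn Wireshark summary lines into dicts; lines that do not match the layout are skipped."""
    frames = []
    for m in filter(None, map(LINE.match, text.splitlines())):
        no, t, src, dst, proto, _length, info = m.groups()
        frames.append(dict(no=int(no), time=float(t), src=src, dst=dst,
                           proto=proto, info=info.strip()))
    return frames

def dns_failover(frames, client):
    """Resolvers the client tried before the first answer, how many never replied, seconds lost."""
    queries = [f for f in frames if f["proto"] == "DNS" and f["src"] == client]
    answers = [f for f in frames if f["proto"] == "DNS" and f["dst"] == client]
    tried = [q["dst"] for q in queries if not answers or q["time"] < answers[0]["time"]]
    wait = round(answers[0]["time"] - queries[0]["time"], 3) if answers and queries else None
    return {"resolvers_tried": tried, "unanswered": len(tried) - (1 if answers else 0),
            "seconds_to_first_answer": wait}

def syn_retransmissions(frames, client):
    """Client SYNs grouped by source port; a port seen twice is a retransmitted SYN (seconds lost)."""
    syns = {}
    for f in frames:
        if f["proto"] == "TCP" and f["src"] == client and "[SYN]" in f["info"]:
            syns.setdefault(f["info"].split()[0], []).append(f["time"])
    return {port: round(t[-1] - t[0], 3) for port, t in syns.items() if len(t) > 1}

def time_to_first_get(frames, client):
    """Seconds from capture start until the browser could send its first HTTP GET."""
    gets = [f for f in frames if f["proto"] == "HTTP" and f["src"] == client and f["info"].startswith("GET")]
    return round(gets[0]["time"], 3) if gets else None
```

Run against a fuller export (File > Export Packet Dissections as plain text in Wireshark) the same three functions show whether the slowness is resolver timeouts, dropped SYNs on the path, or both.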

Answers

2

To troubleshoot at the data link, network and transport layers, install a sniffer such as Wireshark. With a sniffer, you can monitor traffic and examine everything coming from or going to the problem PC.

Sniffers run the network card in promiscuous mode, capturing packets that aren't addressed to the computer running the sniffer, making it possible to run the sniffer on any of the computers on the network. The one thing that might prevent other computers from reading the wireless packets to/from the problem PC is that under WPA and WPA2, the encryption key is unique to the wireless session; each client gets its own key, and the key will change every time the client connects to the wireless network.

outis

Posted 2011-12-24T20:45:39.007

Reputation: 388

"on one of the computers" I thought I would need to install it on the troublemaking PC? – Lukasz Madon – 2011-12-24T22:07:04.927

Seems Wireshark doesn't support native Windows Wi-Fi: http://www.wireshark.org/lists/wireshark-users/200912/msg00110.html – Lukasz Madon – 2011-12-26T19:12:24.373

@Lukasz: it will still work to troubleshoot at the network (IP) and transport (TCP/UDP) layers. – outis – 2011-12-26T21:39:50.460