I have about 15 computers on a local network behind simple TP-LINK TL-WR340G router. Everything works fine and the router does its job.
Recently we were informed that port scanning is being performed from inside of our network.
How can I detect which computer is doing port scanning?
I'm using Win XP and I'm Linux literate. So simple step-by-step instructions would be great.
Additional information:
- TL-WR340G is a very basic router - I did not find any useful logs.
- The network is wireless.
Additional information 2010-07-06:
I was able to burn backtrack-linux. My notebook is SL300 with Intel 5100. Running Wireshark on wlan0 shows only traffic to/from my computer and broadcasts. Same with other tools. I put my card in monitor mode with some airmon-ng script. I received some control packets on mon0 after that. I was able to decrypt them with the WEP key in Wireshark, but I was not able to interpret them as IP for further analysis. I'm not sure if I received the full traffic or only traffic related to my notebook.
Is it possible to sniff all wifi traffic and convert it to IP for further analysis?
This is a bit of a crazy idea and it would involve some network down time but it sounds like your options are limited by your cheap gateway, with no way to see what's being NAT'd.
Change the IP address of your gateway to something else, then disable DHCP to prevent any machines from finding out the new gateway address. Boot up a machine running ethereal/wireshark taking over the old IP address of your gateway.
The offending machine should light up like Christmas lights, now that the machine doing the packet sniffing IS the gateway!
You should check the NAT log of your router so that if someone from the outside world gives you the source ports and time of the port scan you can check your router logs to find the corresponding inside computer.
If your router can't keep a NAT log you probably want to buy a new one, because looking at logs is really the only way to have a 100% good result.
You could use Wireshark to monitor incoming network packets, and look for abnormal behavior (ARP "who has" type requests - only DNS servers should be doing those a lot).
Same thing can be done with tcpdump:
Imagine the scanning is going on at a continuous rate:
On the other hand, if there's only scanning on certain periods, you could install snort and wait for the 'port scanning' event.
Except for etherape, I think that all these tools run on Windows. If you don't want to mess with installing them, you could try a Linux security liveCD like backtrack.
In any case, remember to implement outward rules on the router to known used ports (e.g., 80, 443, etc.) to limit the scans.
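As an added example (not code from the answer above), the two signals that answer describes, a burst of ARP "who-has" requests and many SYNs to distinct ports, can be picked out of `tcpdump -nn` text with a short script. The capture lines below are constructed to look like tcpdump output; the thresholds and the host addresses are assumptions.

```python
import re
from collections import defaultdict

# tcpdump -nn style TCP SYN line, e.g.
# "12:00:01.000001 IP 192.168.1.23.50001 > 192.168.1.50.22: Flags [S], seq 1, win 64240, length 0"
SYN_RE = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[S\]")
# tcpdump -nn style ARP request line, e.g.
# "12:00:02.000001 ARP, Request who-has 192.168.1.7 tell 192.168.1.23, length 28"
ARP_RE = re.compile(r"^\S+ ARP, Request who-has (\d+\.\d+\.\d+\.\d+) tell (\d+\.\d+\.\d+\.\d+)")

def find_scanners(lines, syn_threshold=15, arp_threshold=15):
    """Return {source_ip: [reasons]} for hosts whose SYN or ARP fan-out exceeds the thresholds."""
    syn_targets = defaultdict(set)   # src -> {(dst, dport)} distinct host:port pairs it SYN'd to
    arp_targets = defaultdict(set)   # asker -> {ip} distinct addresses it asked "who-has" for
    for line in lines:
        m = SYN_RE.match(line)
        if m:
            src, dst, dport = m.groups()
            syn_targets[src].add((dst, int(dport)))
            continue
        m = ARP_RE.match(line)
        if m:
            target, asker = m.groups()
            arp_targets[asker].add(target)
    suspects = defaultdict(list)
    for src, targets in syn_targets.items():
        if len(targets) >= syn_threshold:
            suspects[src].append(f"SYN to {len(targets)} distinct host:port pairs")
    for src, targets in arp_targets.items():
        if len(targets) >= arp_threshold:
            suspects[src].append(f"ARP who-has for {len(targets)} distinct addresses")
    return dict(suspects)

def sample_capture():
    """Constructed capture: 192.168.1.23 scans 30 ports and sweeps 20 addresses; 192.168.1.40 is normal."""
    lines = []
    for port in range(1, 31):
        lines.append(f"12:00:01.{port:06d} IP 192.168.1.23.5{port:04d} > 192.168.1.50.{port}: "
                     "Flags [S], seq 1, win 64240, length 0")
    for ip in range(2, 22):
        lines.append(f"12:00:02.{ip:06d} ARP, Request who-has 192.168.1.{ip} tell 192.168.1.23, length 28")
    lines.append("12:00:03.000001 IP 192.168.1.40.49152 > 192.168.1.50.80: Flags [S], seq 1, win 64240, length 0")
    lines.append("12:00:03.000002 IP 192.168.1.40.49153 > 192.168.1.50.443: Flags [S], seq 1, win 64240, length 0")
    lines.append("12:00:03.000003 ARP, Request who-has 192.168.1.50 tell 192.168.1.40, length 28")
    return lines

if __name__ == "__main__":
    for host, reasons in find_scanners(sample_capture()).items():
        print(host, "->", "; ".join(reasons))
```

On a real capture, feed it `tcpdump -nn -l` output piped into the script (one line per packet) and tune the thresholds to the size of your network.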
From earlier experience, I used to have software firewalls that warned me that other computers were portscanning.
I have also checked the log of my filezilla ftp server which gave me the IP from every computer that scanned me.
Have you checked the logs on the TL-WR340G router?
You can plug an IDS like Snort on your switch monitoring port if any. I think a little googling will give you preconfigured virtual machines with Snort and Base installed.