Hi, I've been following some of the conversations about 192.168 networks, and tried some experimentation, and came up with a few questions:
1. I've tried the technique mentioned to ping the broadcast address, and then check arp -a (on Windows 2000 machines). This didn't seem to work. For example, I pinged 192.168.100.255. This should add all 192.168.100.x IPs into my arp cache, right? But my cable modem didn't show up in my arp cache after doing this. However, when I pinged my cable modem directly (192.168.100.1), it did show up in my arp cache. I tried this on a computer on the Internet (which I telneted to), with similar results. (Is it because Microsoft recognizes 192.168.100.255 as a valid IP?). When I do a traceroute to my cable modem (192.168.100.1), it is a direct hop. 2. However, with the computer on the Internet I mentioned (which I am telneting to), there were the following IPs: 192.168.1.0, 192.168.1.1, 192.168.1.2, 192.168.1.3, and 192.168.1.255 - which I found through doing an nmap scan. (pinging 192.168.1.255 produced no results in the arp table) Three are apparently Cisco routers (192.168.1.0 and 192.168.1.255 are both ping-able). When doing nmap, it shows 192.168.1.255 as remote, the others as local. However, when I do a traceroute on these supposedly local ones, it shows a number of hops out over the Internet, implying that they are not connected locally. Does this make sense? 3. I recently checked my firewall (Network ICE), and noticed an attack from this IP: 192.168.1.113. I tried to ping the attacking IP, but no response. The attack details were these: TCP OS Fingerprint, and then FTP Port Probe. Does this make any sense? How can someone use a supposedly local IP (192.168) to attack me? (Cable modem with 2 computers hooked up). So can someone clarify these things? IE, why does it look like the only way to really detect 192.168 devices on your network is to scan for them - in other words, the pinging of the broadcast address doesn't work (or am I pinging the wrong broadcast address?). Why do 192.168 devices, which are supposed to be local, have a number of (internet) hops between them when you ping them? And can anyone explain how someone could attack me via my cable modem, with a source address of 192.168.1.113 (which I was unable to ping or otherwise detect)? In general, why don't these 192.168 addresses show up in the routing table, netstat, etc.? Thanks, Jim --------------------------------------------------------------------------- Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts! The Gartner Group just put Neoteris in the top of its Magic Quadrant, while InStat has confirmed Neoteris as the leader in marketshare. Find out why, and see how you can get plug-n-play secure remote access in about an hour, with no client, server changes, or ongoing maintenance. Visit us at: http://www.neoteris.com/promos/sf-6-9.htm ----------------------------------------------------------------------------