Security – Detect computer which does port scanning

Tags: network-monitoring, network-traffic, port-scanning, security

I have about 15 computers on a local network behind simple TP-LINK TL-WR340G router. Everything works fine and the router does its job.

Recently we were informed that port scanning is being performed from inside of our network.

How can I detect which computer is doing port scanning?

I'm using Win XP and I'm Linux literate, so simple step-by-step instructions would be great.

Additional information:

  1. TL-WR340G is a very basic router – I did not find any useful logs.
  2. The network is wireless.

Additional information 2010-07-06:

I was able to burn backtrack-linux. My notebook is an SL300 with an Intel 5100. Running Wireshark on wlan0 shows only traffic to/from my computer and broadcasts. Same with other tools. I put my card in monitor mode with some airmon-ng script. I received some control packets on mon0 after that. I was able to decrypt them with the WEP key in Wireshark, but I was not able to interpret them as IP for further analysis. I'm not sure if I received the full traffic or only traffic related to my notebook.

Is it possible to sniff all wifi traffic and convert it to IP for further analysis?

Best Answer

This is a bit of a crazy idea and it would involve some network down time but it sounds like your options are limited by your cheap gateway, with no way to see what's being NAT'd.

Change the IP address of your gateway to something else, then disable DHCP to prevent any machines from finding out the new gateway address. Boot up a machine running Ethereal/Wireshark that takes over the old IP address of your gateway.

The offending machine should light up like Christmas lights, now that the machine doing the packet sniffing IS the gateway!
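Once the sniffing box is standing in for the gateway, the capture still has to be read for the telltale pattern: one source opening connections to many distinct host/port targets in a short time. The script below is an added example for this thread, not code from the answer above. It assumes the Wireshark capture was exported with `tshark -r capture.pcap -T fields -E separator=, -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport -e tcp.flags.syn -e tcp.flags.ack` (those are real tshark field names); the 10-second window and the threshold of 20 distinct targets are assumed starting values, and the embedded sample rows are constructed, not a real capture.

```python
"""Flag LAN hosts that look like port scanners, from a tshark field export.

Added example for this thread, not part of the original answer.
Assumed input format (one packet per line, six comma-separated fields):
  tshark -r capture.pcap -T fields -E separator=, \
      -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport \
      -e tcp.flags.syn -e tcp.flags.ack
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    dst: str
    dport: int
    syn: bool
    ack: bool


def _flag(value: str) -> bool:
    # tshark prints 1/0 in older releases and True/False in newer ones
    return value.strip().lower() in ("1", "true")


def parse_tshark_csv(text: str) -> list:
    """Parse the export; lines with no TCP port (ICMP, UDP, ARP) are skipped."""
    packets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, syn, ack = line.split(",")
        if not dport:
            continue
        packets.append(Packet(float(ts), src, dst, int(dport), _flag(syn), _flag(ack)))
    return packets


def detect_scanners(packets, window: float = 10.0, threshold: int = 20) -> dict:
    """Return {src: summary} for every source that reaches >= threshold distinct
    (dst, dport) targets inside any sliding window of `window` seconds.

    Only connection attempts (SYN set, ACK clear) are counted. Counting every
    SYN would include a busy server's SYN-ACK replies and make the victim of
    the scan look like the scanner.
    """
    attempts = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.ts):
        if p.syn and not p.ack:
            attempts[p.src].append(p)

    alerts = {}
    for src, pkts in attempts.items():
        live = deque()       # attempts inside the current window, oldest first
        targets = Counter()  # (dst, dport) -> number of attempts in the window
        for p in pkts:
            live.append(p)
            targets[(p.dst, p.dport)] += 1
            while p.ts - live[0].ts > window:      # expire the old end of the window
                old = live.popleft()
                key = (old.dst, old.dport)
                targets[key] -= 1
                if targets[key] == 0:
                    del targets[key]
            distinct = len(targets)
            if distinct < threshold:
                continue
            hosts = {dst for dst, _ in targets}
            ports = {port for _, port in targets}
            kind = ("vertical" if len(hosts) == 1          # many ports on one host
                    else "horizontal" if len(ports) == 1   # one port across many hosts
                    else "mixed")
            summary = {"distinct_targets": distinct, "hosts": len(hosts),
                       "ports": len(ports), "kind": kind,
                       "first": live[0].ts, "last": p.ts}
            # keep the densest window seen for this source
            if src not in alerts or distinct > alerts[src]["distinct_targets"]:
                alerts[src] = summary
    return alerts


# Constructed sample, not a real capture: three benign web connections from .10,
# an established-flow packet from .15 and the gateway's SYN-ACK back to it,
# one ICMP line with no TCP port, and .23 probing 30 ports on the gateway.
SAMPLE_CSV = "\n".join(
    [
        "1278400000.10,192.168.1.10,93.184.216.34,443,1,0",
        "1278400001.40,192.168.1.10,172.217.16.78,80,1,0",
        "1278400003.20,192.168.1.10,151.101.1.69,443,1,0",
        "1278400002.00,192.168.1.15,192.168.1.1,22,0,1",
        "1278400002.05,192.168.1.1,192.168.1.15,51000,1,1",
        "1278400004.00,192.168.1.20,192.168.1.1,,,",
    ]
    + [f"1278400005.{i:02d},192.168.1.23,192.168.1.1,{port},1,0"
       for i, port in enumerate(range(21, 51))]
)

if __name__ == "__main__":
    for src, info in detect_scanners(parse_tshark_csv(SAMPLE_CSV)).items():
        print(f"{src}: {info['kind']} scan, {info['distinct_targets']} targets "
              f"({info['hosts']} hosts, {info['ports']} ports) in "
              f"{info['last'] - info['first']:.2f}s")
```

The SYN-without-ACK rule is what keeps the gateway itself (and any server on the LAN answering probes) out of the alert list. The rule only sees TCP connect and SYN scans; a UDP or ICMP sweep would need a different column set and a different rule, and on a wireless network a host that spoofs its source address will not be caught by source-IP accounting at all, which is where the capture's MAC addresses become the better key.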