#1
Packet Sniffing Help (TCP/IP Related Q)
I recently started playing with some packet sniffing software. I've noticed that some machines are talking to an address that does not exist on the network.
The packets are going to 192.168.7.255. When I ping, it responds, yet there shouldn't be a 7.x on the network. My question is: are the packets trying to go to a 192.168.7.255 network, or is this actually a machine?
BTW: My local network addressing is 192.168.2.x
Thanks

#2
Just wanted to add, the data I am capturing from these packets seems a little strange:
"abcdefghijklmnopqrstuvwabcdefghi"
Any ideas?

#3
If you have a 255.255.255.x subnet mask you shouldn't be able to ping out of your 192.168.2.x network to a 192.168.7.x network.
Things to look for (other than computers): do you have additional IPs assigned to any adapters, and do you have any leftover hosts file entries from previous network incarnations?
__________________
====== Doug G ======
"Hide, hide witch! The good folk come to burn thee. Their keen enjoyment hid behind their gothic mask of duty." -Mark Clifton

#4
Doug,
I have a subnet mask of 255.255.248.0 and DG 0.1. At some point I did use a 7.x for temporary connections, but no server at any time had this addressing. Here's what I've covered:
If I ping 192.168.7.255 I get a response.
If I do a tracert it responds in 10 ms w/ no hops.
When I set up a laptop with 7.255 with a sniffer it sniffs next to nothing, while my machine is still picking up traffic destined to 7.255.
I checked on the other side (remote 8.x network through PPTP): no response.
Before I get into any further details, I just tried (at home) to ping 192.168.1.255 (I'm 1.100) and I received a response. I've got 2 other machines and they don't have the address. So I guess now I have two questions:
1. When you ping x.x.x.255 (sharing first 2 octets) are you supposed to receive a response?
2. Is it possible that I have an intruder on the 2.x net?
I'll check the hosts files, but I doubt there's anything with a 7.x network in there.
Your comments and suggestions are greatly appreciated,
Cheers

#5
Your subnet mask does put your .2.x and .7.x addresses in the same subnet. I believe the .255 IP address is the broadcast address that is picked up by any adapter in the network. Maybe you are seeing normal results if the last octet is 255. Someone with more detailed TCP knowledge will have to pick up from here.

#6
hehe ok, break this into binary and see what happens:
11000000.10101000.00000 111.11111111
255.255.248.0 with all host used in broadcast would be 192.168.7.255, so actually your network address is not 192.168.2.X but actually 192.168.0.0. Doug G was very close to the answer... the last 3 bits of the third octet start the hosts portion. This should make sense to anyone who knows IP: all the hosts are ones. I put a space between the network and hosts. And yes, when you ping a broadcast address you will get responses back; actually everything on the network will reply, and it can be used in a DoS attack, which is why some people use no directed broadcasts on router interfaces. This is a broadcast, and if you examine the packet it will most likely be ARP.
Last edited by juniperr : May 3rd, 2004 at 10:40 PM.
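
The binary breakdown in post #6, worked as an added Python example that is not part of the original thread. The host address 192.168.2.10, the function names and the destination list are assumptions constructed for illustration; it also labels destination addresses from a capture relative to the capturing host's mask.

```python
import ipaddress

def describe_subnet(host_ip, netmask):
    """Network, directed broadcast and prefix length, via the same bit math as post #6."""
    ip = int(ipaddress.IPv4Address(host_ip))
    mask = int(ipaddress.IPv4Address(netmask))
    network = ip & mask                          # clear the host bits
    broadcast = network | (~mask & 0xFFFFFFFF)   # set every host bit to 1
    return {
        "network": str(ipaddress.IPv4Address(network)),
        "broadcast": str(ipaddress.IPv4Address(broadcast)),
        "prefix_len": bin(mask).count("1"),      # assumes a contiguous mask
    }

def dotted_bits(addr, prefix_len):
    """Dotted binary with a space between the network and host bits."""
    bits = f"{int(ipaddress.IPv4Address(addr)):032b}"
    out = []
    for i, bit in enumerate(bits):
        if i and i % 8 == 0:
            out.append(".")
        if i == prefix_len:
            out.append(" ")
        out.append(bit)
    return "".join(out)

def classify_destination(dst, host_ip, netmask):
    """Label a destination address seen in a capture, relative to the capturing host."""
    info = describe_subnet(host_ip, netmask)
    net = ipaddress.IPv4Network(f"{info['network']}/{info['prefix_len']}")
    if dst == "255.255.255.255":
        return "limited broadcast"
    if dst == info["broadcast"]:
        return "directed broadcast of the local subnet"
    if dst == info["network"]:
        return "network address"
    return "host on the local subnet" if ipaddress.IPv4Address(dst) in net else "off-subnet"

if __name__ == "__main__":
    HOST = "192.168.2.10"   # constructed host in the thread's 192.168.2.x range
    info = describe_subnet(HOST, "255.255.248.0")
    print(info, dotted_bits(info["broadcast"], info["prefix_len"]))
    # Constructed destination list standing in for addresses seen in a capture
    for dst in ("192.168.7.255", "192.168.2.255", "192.168.8.1", "255.255.255.255"):
        print(dst, "->", classify_destination(dst, HOST, "255.255.248.0"))
    # Same destination under the 255.255.255.x mask considered in post #3
    print(classify_destination("192.168.7.255", HOST, "255.255.255.0"))
```

With the 255.255.248.0 mask, 192.168.2.255 is an ordinary host address, so a trailing .255 alone does not identify a broadcast.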

#7
juniperr, Doug
Thanks for the help, explains a lot! Now, when I ping, is it normal for the packets to contain "abcdefghijklmnopqrstuvwabcdefghi"? Do you know of a website or a book that I could pick up that goes into more detail about packet information?

#8
Yeah, the alphabet is normal data for a ping packet. It's basically just filling the data portion of the packet, nothing more. Ping actually looks for certain fields in the header of the packet, not the actual data.
Later ~ Dave