#1
Admiral
Join Date: Mar 2001
Location: Utah
Posts: 5,420
Protecting myself from practical jokes on computers... please help!
The other day, a few friends and I were in the computer lab in one of the dorms. There are 2 cameras perched in the corners of the lab, and it's a little-known fact that you can view them live HERE. We noticed an Asian guy going around to almost every computer around us -- he'd be on it for a minute, then switch to another one. Something was up.
Then my friend received a netsend error message saying "You have been trying to access violated material, please sign off this computer" and messages like that (varied almost each time). She was starting to get peeved, so it came to me that maybe this guy had been checking the IPs all around us so they could netsend these messages. Lo and behold, I went around to a few computers and I was able to guess my friend's computer's IP, so as a test, I sent "You have been viewing too much pornography, please restart your system." and she flipped out! Haha, well, it was fun until she hit me for that *oww* but I thought I was onto these guys. Their computer name was MONITOR1. Then another guy came in and posed as an administrator. The Asian guy came in too and they claimed that the computer had been monitored doing some illegal activity. All in all, they were Business Info Tech majors with too much time on their hands!! What I'm looking for is a way to determine the sender's IP of a netsend message. If this ever happens again, I can locate their room and pay them a little visit to get them to stop. Is it possible to trace their IP? And how would you do it?

#2
Lieutenant Junior Grade
Try this. Ethereal is a free network protocol analyzer for Unix and Windows. It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, viewing summary and detail information for each packet. Ethereal has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session.
http://www.ethereal.com/

#3
Rear Admiral Lower Half
Join Date: Jul 2001
Location: Colorado
Posts: 2,743
Someone correct me if I'm wrong, but you could also use ZoneAlarm I believe. That should stop it, and tell you what IP it's coming from.

#4
Admiral
Join Date: Mar 2001
Location: Utah
Posts: 5,420
I should mention that installing any software on the lab computers is forbidden... I can download things like VNC viewer though, just small one-file apps...
I was curious if you could do something from command prompt that would tell you the IPs you're connected to?

#5
Rear Admiral Lower Half
Join Date: Jul 2001
Location: Colorado
Posts: 2,743
netstat?

#6
Admiral
Join Date: Mar 2001
Location: Utah
Posts: 5,420
Hmmm, I tried that, and I was playing around with it -- after about 10 seconds of actively listing addresses, it stops and goes back to the command line. I'll look it up somewhere, but thanks!

#7
Lieutenant Junior Grade
I believe that you need something to watch port 139. If you block this port then you will not see responses from the Windows network though everything else should be fine. The program I mentioned above can do much more in-depth logging and I think runs as a service so they will not see it.
Cheers, Scott Murphy
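
Added example, not part of any post in this thread: a sketch of the netstat approach raised in posts #5 to #7, listing which remote addresses hold TCP connections to local port 139. It assumes the message arrives on port 139 as post #7 suggests; the `netstat -n` output and every address in it are constructed, and `inbound_peers` is a hypothetical helper name.

```python
import re
from collections import defaultdict

# Constructed sample of Windows `netstat -n` output (all addresses made up).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.0.0.23:139          10.0.0.57:1045         ESTABLISHED
  TCP    10.0.0.23:1031         10.0.0.5:80            ESTABLISHED
  TCP    10.0.0.23:139          10.0.0.57:1046         TIME_WAIT
  TCP    10.0.0.23:139          10.0.0.91:2210         ESTABLISHED
  TCP    10.0.0.23:1040         10.0.0.57:139          ESTABLISHED
"""

# One TCP row: protocol, local addr:port, foreign addr:port, state.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def inbound_peers(netstat_text, local_port=139):
    """Map remote IP -> sorted states for connections made *to* local_port.

    Rows where only the remote side uses the port (connections this
    machine opened to someone else) are ignored, as are headers and UDP.
    """
    peers = defaultdict(set)
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, blank line, or non-TCP row
        _local_ip, lport, remote_ip, _rport, state = m.groups()
        if int(lport) == local_port:
            peers[remote_ip].add(state)
    return {ip: sorted(states) for ip, states in peers.items()}


if __name__ == "__main__":
    # In practice the text would come from running `netstat -n` while the
    # pop-up is on screen; here the constructed sample is used instead.
    for ip, states in sorted(inbound_peers(SAMPLE).items()):
        print(f"{ip}\t{', '.join(states)}")
```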

#8
Lieutenant
Quote:
Sounds about right to me, though I prefer Tiny, since to me it seems to be simpler and requires less overhead. They seem to do the same thing, at least to me... anyone know the real differences?

#9
shibuya girl
Join Date: Apr 2000
Location: Oregon
Posts: 6,851
hehe, that's great. if you fall for that... i think you deserve it.