如何从受感染的 PC 调试本地网络

如何从受感染的 PC 调试本地网络

我想帮助我爸爸调试一个有一点不寻常问题的本地网络。

有无线网络,7 台 PC 连接到一个路由器,还有 3 部智能手机,用于获取基本日志、统计数据等。

当某台电脑根据其 MAC 地址被列入网络黑名单时,它运行正常,但当该电脑被允许连接时,网络就会变得很慢。加载网站需要很长时间,但当浏览器开始显示内容时,速度会变快,或者 YouTube 加载需要 8 秒,但之后就没问题了。

看起来像是 DNS 问题(但我不是专家)。我能想到几个选项:

  • 网卡与路由器通信时出现固件问题
  • PC 有恶意软件,例如向多个 IP 发送垃圾邮件,堵塞 DNS
  • 某PC用户滥用网络,进行大量P2P等活动。

我认为第一种选择最有可能。还有其他想法吗?我该如何实施它们?

编辑:

我使用 wireshark 跟踪 Firefox 获取 yahoo.com 时的数据包。下载该网站需要 18 秒以上

    No.     Time        Source                Destination           Protocol Length Info
          1 0.000000    10.0.0.10             10.0.0.1              TCP      54     58144 > icslap [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

    Frame 1: 54 bytes on wire (432 bits), 54 bytes captured (432 bits)
    Ethernet II, Src: IntelCor_1a:d1:9a (74:e5:0b:1a:d1:9a), Dst: Cisco-Li_b1:26:f3 (00:14:bf:b1:26:f3)
    Internet Protocol Version 4, Src: 10.0.0.10 (10.0.0.10), Dst: 10.0.0.1 (10.0.0.1)
    Transmission Control Protocol, Src Port: 58144 (58144), Dst Port: icslap (2869), Seq: 1, Ack: 1, Len: 0

    No.     Time        Source                Destination           Protocol Length Info
          2 0.062407    10.0.0.10             10.0.0.1              TCP      54     58146 > icslap [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

    Frame 2: 54 bytes on wire (432 bits), 54 bytes captured (432 bits)
    Ethernet II, Src: IntelCor_1a:d1:9a (74:e5:0b:1a:d1:9a), Dst: Cisco-Li_b1:26:f3 (00:14:bf:b1:26:f3)
    Internet Protocol Version 4, Src: 10.0.0.10 (10.0.0.10), Dst: 10.0.0.1 (10.0.0.1)
    Transmission Control Protocol, Src Port: 58146 (58146), Dst Port: icslap (2869), Seq: 1, Ack: 1, Len: 0

    No.     Time        Source                Destination           Protocol Length Info
          3 2.548452    10.0.0.10             myISPDNS        DNS      69     Standard query A yahoo.com

    Frame 3: 69 bytes on wire (552 bits), 69 bytes captured (552 bits)
    Ethernet II, Src: IntelCor_1a:d1:9a (74:e5:0b:1a:d1:9a), Dst: Cisco-Li_b1:26:f3 (00:14:bf:b1:26:f3)


No.     Time        Source                Destination           Protocol Length Info
      4 2.743118    209.85.148.18         10.0.0.10             TLSv1    106    Application Data

Frame 4: 106 bytes on wire (848 bits), 106 bytes captured (848 bits)
Ethernet II, Src: Cisco-Li_b1:26:f3 (00:14:bf:b1:26:f3), Dst: IntelCor_1a:d1:9a (74:e5:0b:1a:d1:9a)
Internet Protocol Version 4, Src: 209.85.148.18 (209.85.148.18), Dst: 10.0.0.10 (10.0.0.10)
Transmission Control Protocol, Src Port: https (443), Dst Port: 58034 (58034), Seq: 1, Ack: 1, Len: 52
Secure Sockets Layer

No.     Time        Source                Destination           Protocol Length Info
      5 2.824148    fe80::18f6:e2b8:a0d3:16f2 ff02::c               SSDP     208    M-SEARCH * HTTP/1.1 

Frame 5: 208 bytes on wire (1664 bits), 208 bytes captured (1664 bits)
Ethernet II, Src: IntelCor_1a:d1:9a (74:e5:0b:1a:d1:9a), Dst: IPv6mcast_00:00:00:0c (33:33:00:00:00:0c)
Internet Protocol Version 6, Src: fe80::18f6:e2b8:a0d3:16f2 (fe80::18f6:e2b8:a0d3:16f2), Dst: ff02::c (ff02::c)
User Datagram Protocol, Src Port: 62835 (62835), Dst Port: ssdp (1900)
Hypertext Transfer Protocol

No.     Time        Source                Destination           Protocol Length Info
      6 2.963981    10.0.0.10             209.85.148.18         TCP      54     58034 > https [ACK] Seq=1 Ack=53 Win=3965 Len=0

Frame 6: 54 bytes on wire (432 bits), 54 bytes captured (432 bits)
Ethernet II, Src: IntelCor_1a:d1:9a (74:e5:0b:1a:d1:9a), Dst: Cisco-Li_b1:26:f3 (00:14:bf:b1:26:f3)
Internet Protocol Version 4, Src: 10.0.0.10 (10.0.0.10), Dst: 209.85.148.18 (209.85.148.18)
Transmission Control Protocol, Src Port: 58034 (58034), Dst Port: https (443), Seq: 1, Ack: 53, Len: 0

No.     Time        Source                Destination           Protocol Length Info
      7 3.556860    10.0.0.10             8.8.8.8               DNS      69     Standard query A yahoo.com

Frame 7: 69 bytes on wire (552 bits), 69 bytes captured (552 bits)
Ethernet II, Src: IntelCor_1a:d1:9a (74:e5:0b:1a:d1:9a), Dst: Cisco-Li_b1:26:f3 (00:14:bf:b1:26:f3)
Internet Protocol Version 4, Src: 10.0.0.10 (10.0.0.10), Dst: 8.8.8.8 (8.8.8.8)
User Datagram Protocol, Src Port: 53037 (53037), Dst Port: domain (53)
Domain Name System (query)

No.     Time        Source                Destination           Protocol Length Info
      8 4.071413    10.0.0.10             10.0.0.1              TCP      54     58147 > icslap [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

Frame 8: 54 bytes on wire (432 bits), 54 bytes captured (432 bits)
Ethernet II, Src: IntelCor_1a:d1:9a (74:e5:0b:1a:d1:9a), Dst: Cisco-Li_b1:26:f3 (00:14:bf:b1:26:f3)
Internet Protocol Version 4, Src: 10.0.0.10 (10.0.0.10), Dst: 10.0.0.1 (10.0.0.1)
Transmission Control Protocol, Src Port: 58147 (58147), Dst Port: icslap (2869), Seq: 1, Ack: 1, Len: 0

No.     Time        Source                Destination           Protocol Length Info
      9 4.149439    10.0.0.10             10.0.0.1              TCP      54     58149 > icslap [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

Frame 9: 54 bytes on wire (432 bits), 54 bytes captured (432 bits)
Ethernet II, Src: IntelCor_1a:d1:9a (74:e5:0b:1a:d1:9a), Dst: Cisco-Li_b1:26:f3 (00:14:bf:b1:26:f3)
Internet Protocol Version 4, Src: 10.0.0.10 (10.0.0.10), Dst: 10.0.0.1 (10.0.0.1)
Transmission Control Protocol, Src Port: 58149 (58149), Dst Port: icslap (2869), Seq: 1, Ack: 1, Len: 0

No.     Time        Source                Destination           Protocol Length Info
     10 4.570823    10.0.0.10             194.204.159.1         DNS      69     Standard query A yahoo.com

Frame 10: 69 bytes on wire (552 bits), 69 bytes captured (552 bits)
Ethernet II, Src: IntelCor_1a:d1:9a (74:e5:0b:1a:d1:9a), Dst: Cisco-Li_b1:26:f3 (00:14:bf:b1:26:f3)
Internet Protocol Version 4, Src: 10.0.0.10 (10.0.0.10), Dst: 194.204.159.1 (194.204.159.1)
User Datagram Protocol, Src Port: 53037 (53037), Dst Port: domain (53)
Domain Name System (query)

No.     Time        Source                Destination           Protocol Length Info
     11 4.600193    194.204.159.1         10.0.0.10             DNS      371    Standard query response A 72.30.2.43 A 98.137.149.56 A 98.139.180.149 A 209.191.122.70

Frame 11: 371 bytes on wire (2968 bits), 371 bytes captured (2968 bits)
Ethernet II, Src: Cisco-Li_b1:26:f3 (00:14:bf:b1:26:f3), Dst: IntelCor_1a:d1:9a (74:e5:0b:1a:d1:9a)
Internet Protocol Version 4, Src: 194.204.159.1 (194.204.159.1), Dst: 10.0.0.10 (10.0.0.10)
User Datagram Protocol, Src Port: domain (53), Dst Port: 53037 (53037)
Domain Name System (response)

No.     Time        Source                Destination           Protocol Length Info
     12 4.602029    10.0.0.10             72.30.2.43            TCP      66     58150 > http [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1

Frame 12: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Ethernet II, Src: IntelCor_1a:d1:9a (74:e5:0b:1a:d1:9a), Dst: Cisco-Li_b1:26:f3 (00:14:bf:b1:26:f3)
Internet Protocol Version 4, Src: 10.0.0.10 (10.0.0.10), Dst: 72.30.2.43 (72.30.2.43)
Transmission Control Protocol, Src Port: 58150 (58150), Dst Port: http (80), Seq: 0, Len: 0

No.     Time        Source                Destination           Protocol Length Info
     13 4.602617    10.0.0.10             72.30.2.43            TCP      66     58151 > http [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1

Frame 13: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Ethernet II, Src: IntelCor_1a:d1:9a (74:e5:0b:1a:d1:9a), Dst: Cisco-Li_b1:26:f3 (00:14:bf:b1:26:f3)
Internet Protocol Version 4, Src: 10.0.0.10 (10.0.0.10), Dst: 72.30.2.43 (72.30.2.43)
Transmission Control Protocol, Src Port: 58151 (58151), Dst Port: http (80), Seq: 0, Len: 0

No.     Time        Source                Destination           Protocol Length Info
     14 5.834617    fe80::18f6:e2b8:a0d3:16f2 ff02::c               SSDP     208    M-SEARCH * HTTP/1.1 

Frame 14: 208 bytes on wire (1664 bits), 208 bytes captured (1664 bits)
Ethernet II, Src: IntelCor_1a:d1:9a (74:e5:0b:1a:d1:9a), Dst: IPv6mcast_00:00:00:0c (33:33:00:00:00:0c)
Internet Protocol Version 6, Src: fe80::18f6:e2b8:a0d3:16f2 (fe80::18f6:e2b8:a0d3:16f2), Dst: ff02::c (ff02::c)
User Datagram Protocol, Src Port: 62835 (62835), Dst Port: ssdp (1900)
Hypertext Transfer Protocol

No.     Time        Source                Destination           Protocol Length Info
     15 7.612683    10.0.0.10             72.30.2.43            TCP      66     58150 > http [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1

Frame 15: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Ethernet II, Src: IntelCor_1a:d1:9a (74:e5:0b:1a:d1:9a), Dst: Cisco-Li_b1:26:f3 (00:14:bf:b1:26:f3)
Internet Protocol Version 4, Src: 10.0.0.10 (10.0.0.10), Dst: 72.30.2.43 (72.30.2.43)
Transmission Control Protocol, Src Port: 58150 (58150), Dst Port: http (80), Seq: 0, Len: 0

No.     Time        Source                Destination           Protocol Length Info
     16 7.612978    10.0.0.10             72.30.2.43            TCP      66     58151 > http [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1

Frame 16: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Ethernet II, Src: IntelCor_1a:d1:9a (74:e5:0b:1a:d1:9a), Dst: Cisco-Li_b1:26:f3 (00:14:bf:b1:26:f3)
Internet Protocol Version 4, Src: 10.0.0.10 (10.0.0.10), Dst: 72.30.2.43 (72.30.2.43)
Transmission Control Protocol, Src Port: 58151 (58151), Dst Port: http (80), Seq: 0, Len: 0

No.     Time        Source                Destination           Protocol Length Info
     17 7.817470    72.30.2.43            10.0.0.10             TCP      66     http > 58150 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1440 SACK_PERM=1 WS=256

Frame 17: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Ethernet II, Src: Cisco-Li_b1:26:f3 (00:14:bf:b1:26:f3), Dst: IntelCor_1a:d1:9a (74:e5:0b:1a:d1:9a)
Internet Protocol Version 4, Src: 72.30.2.43 (72.30.2.43), Dst: 10.0.0.10 (10.0.0.10)
Transmission Control Protocol, Src Port: http (80), Dst Port: 58150 (58150), Seq: 0, Ack: 1, Len: 0

No.     Time        Source                Destination           Protocol Length Info
     18 7.817612    10.0.0.10             72.30.2.43            TCP      54     58150 > http [ACK] Seq=1 Ack=1 Win=17280 Len=0

Frame 18: 54 bytes on wire (432 bits), 54 bytes captured (432 bits)
Ethernet II, Src: IntelCor_1a:d1:9a (74:e5:0b:1a:d1:9a), Dst: Cisco-Li_b1:26:f3 (00:14:bf:b1:26:f3)
Internet Protocol Version 4, Src: 10.0.0.10 (10.0.0.10), Dst: 72.30.2.43 (72.30.2.43)
Transmission Control Protocol, Src Port: 58150 (58150), Dst Port: http (80), Seq: 1, Ack: 1, Len: 0

No.     Time        Source                Destination           Protocol Length Info
     19 7.818038    10.0.0.10             72.30.2.43            HTTP     417    GET / HTTP/1.1 

Frame 19: 417 bytes on wire (3336 bits), 417 bytes captured (3336 bits)
Ethernet II, Src: IntelCor_1a:d1:9a (74:e5:0b:1a:d1:9a), Dst: Cisco-Li_b1:26:f3 (00:14:bf:b1:26:f3)
Internet Protocol Version 4, Src: 10.0.0.10 (10.0.0.10), Dst: 72.30.2.43 (72.30.2.43)
Transmission Control Protocol, Src Port: 58150 (58150), Dst Port: http (80), Seq: 1, Ack: 1, Len: 363
Hypertext Transfer Protocol

No.     Time        Source                Destination           Protocol Length Info
     20 7.819959    72.30.2.43            10.0.0.10             TCP      66     http > 58151 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1440 SACK_PERM=1 WS=256

Frame 20: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)

我也无法追踪任何东西。

现在我不认为这是 DNS。IP 冲突,一个网络中有 2 个 DHCP?

基础设施如下:

我的电脑 <-- 本地 WIFI G cat。--> 路由器 <-- LAN --> 路由器 <-- WIFI G cat。临时连接(我猜)--> 路由器 <-- LAN --> ISP 路由器

基本上,有 2 个逻辑网络,一个在我家内部,另一个是我通向其他建筑物的软管。

编辑2

我把范围缩小到了这种情况:

当 TP 链路连接到与 ISP 调制解调器相连的 Airlink 时,一切都会变得很慢,它每秒发送数百帧(但不知道里面是什么)。我甚至无法更改 Airlink 中的配置 - 这需要很长时间。这似乎是 2 个固件冲突。

编辑3

我封禁了惹是生非者的 MAC,所以现在我是唯一活跃的 IP。我重启了 AP 和路由器,几分钟后一切正常,但我注意到速度仍然很慢。我做了速度测试,显示下载速度为 4MB(应该是 8MB),最高速度为 900Kb(应该是 2M),ping 速度显示为 -7ms。

当我 ping 我的 AP(WL-5460AP v2)时,一切正常(ping 4ms),但当我 ping 我的路由器时,请求超时。两者都是 Airlink,AP 通过 LAN 电缆直接连接到路由器,路由器连接到 ISP 调制解调器。

AP 日志:

0day 03:15:27 (none) kern.warn klogd: wlan0: A wireless client (troublemaker MAC) was rejected due to access control for 243 times in 5 minutes.

它正在尝试连接,这会降低网络速度吗?

答案1

为了在数据链路层、网络层和传输层进行故障排除,请安装嗅探器,例如wireshark。使用嗅探器,您可以监视流量并检查来自或发送到问题 PC 的所有内容。

嗅探器以混杂模式运行网卡,捕获未发送到运行嗅探器的计算机的数据包,从而可以在网络上的任何计算机上运行嗅探器。有一件事可能会阻止其他计算机读取问题 PC 发送或接收的无线数据包,那就是在 WPA 和 WPA2 下,加密密钥对于无线会话是唯一的;每个客户端都有自己的密钥,并且每次客户端连接到无线网络时密钥都会更改。

相关内容