Wireshark-users: [Wireshark-users] ICMP Redirect

From: "news.gmane.com" <AndreasSander1@xxxxxxx>
Date: Thu, 4 Aug 2011 13:51:18 +0200
I have observed a strange operation of a NAT router. There are two hosts
(A,B) connected to the private network of the router (R). I observe that the
NAT router "comments" a lot of packets with an ICMP redirect.

Example:

A=192.168.1.90
B=192.168.1.91
R=192.168.1.1

I chose the corresponding identifier for the MAC column, so that usually
the MAC and the IP column are identical. The MAC field shows who has really
sent the packet (see #52, #57).

pkt  MAC  IP   Packet content
#50  A->B A->B TCP,SYN, port:1502->800, seq:4048334798
#51  R->A R->B ICMP Redirect, Type:5, Code:1, Gateway address: B
               ICMP.IP identical with #50
               ICMP.TCP: src:1502, dst:800, seq:4048334798
#52  R->B A->B TCP,SYN, port:1502->800, seq:4048334798

I think this is really strange. Why in hell should the NAT router 'comment'
any TCP communication when all packets are sent in the local network and
without any router?

Why does the router tell A that it should use "B instead of B" (the same)
for the packet #50? Is this IP spoofing, what it does in packet #52?

Any ideas appreciated.

-- 
Andy
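
A decoder for the kind of redirect shown in packet #51, as an added example that is not part of the original post: it parses an ICMP type 5 message, extracts the gateway address and the embedded IP/TCP fields, and flags a gateway that equals the original destination. The sample bytes are constructed from the values in the trace; `build_sample` and the dictionary keys are assumptions of this example.

```python
import ipaddress
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; a valid ICMP message sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_icmp_redirect(icmp: bytes) -> dict:
    """Decode an ICMP Redirect (RFC 792, type 5), starting at the ICMP header."""
    if len(icmp) < 8 + 20 + 8:
        raise ValueError("truncated ICMP redirect")
    icmp_type, code, _cksum, gateway = struct.unpack("!BBH4s", icmp[:8])
    if icmp_type != 5:
        raise ValueError("not an ICMP redirect")
    inner = icmp[8:]                      # embedded original IP header + 8 bytes
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        raise ValueError("bad embedded IPv4 header")
    dst = inner[16:20]
    info = {
        "code": code,                     # 1 = redirect for the host
        "checksum_ok": inet_checksum(icmp) == 0,
        "gateway": str(ipaddress.IPv4Address(gateway)),
        "orig_src": str(ipaddress.IPv4Address(inner[12:16])),
        "orig_dst": str(ipaddress.IPv4Address(dst)),
        # The case from the trace: advertised gateway == original destination.
        "gateway_is_destination": gateway == dst,
    }
    if inner[9] == 6:                     # TCP: ports and sequence number
        sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])
        info.update(sport=sport, dport=dport, seq=seq)
    return info

def build_sample() -> bytes:
    """Constructed bytes modelled on packet #51 (TTL, length, IP checksum made up)."""
    a = ipaddress.IPv4Address("192.168.1.90").packed
    b = ipaddress.IPv4Address("192.168.1.91").packed
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 44, 0, 0, 64, 6, 0, a, b)
    body = b + ip + struct.pack("!HHI", 1502, 800, 4048334798)
    cksum = inet_checksum(struct.pack("!BBH", 5, 1, 0) + body)
    return struct.pack("!BBH", 5, 1, cksum) + body

if __name__ == "__main__":
    print(parse_icmp_redirect(build_sample()))
```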