Partedmagic Connecting To A Comcast Address


i have been noticing a short connection burst in system monitor every time i connect to internet.

i got curious and decided to run wireshark to see what was happening.

seems that i am connecting to 96.195.141.178 with destination of “PartedMagic”.

this seemed strange because i do not have PartedMagic installed, so i ran a ‘whois’ check.

this is what it showed:

IP Location: United States, Pittsburgh, Comcast Cable Communications Llc
ASN: AS7922 COMCAST-7922 Comcast Cable Communications, Inc., US (registered Feb 14, 1997)
Resolve Host: m001dd684d074.pitt1.pa.comcast.net
Whois Server: whois.arin.net
IP Address: 96.195.141.178
NetRange: 96.192.0.0 - 96.223.255.255
CIDR: 96.192.0.0/11
NetName: COMCAST-VOIP-4
NetHandle: NET-96-192-0-0-1
Parent: NET96 (NET-96-0-0-0-0)
NetType: Direct Allocation
OriginAS:
Organization: Comcast Cable Communications, LLC (CCCS)

is this something for concern?

if so, what is/are best way/s to track this down?

any and all help / suggestions are much needed and appreciated.

thank you.

15 thoughts on - Partedmagic Connecting To A Comcast Address

  • Maybe. A bit odd since that’s assigned as Comcast VOIP and not a static customer block.

    I’d dump the traffic with tcpdump or wireshark and analyze it. What type of traffic is it?
    (transport layer protocol, as well as application protocol — ex: HTTP is TCP port 80)

    Are there any DNS queries that happen prior to the spike? Use wireshark to capture them and that might give a clue.

    You could also use nethogs to diagnose and determine what program is causing the spike. http://nethogs.sourceforge.net/

  • i have no PartedMagic in /etc/services

    my isp service is DSL with bellsouth.net over copper.

    my neighbors to north and south of my home use comcast and they have wifi between them. wireless on my router is not enabled.

    wireshark text file loaded at:

    http://pastebin.com/rCU0CC10

  • this is true.

    i have a text file saved. see below

    which “save as” form should be used to reload into wireshark without loss of information?

    see below.

    see below.

    will have to install.

    *BELOW*

    i should have done this before posting. :-(
    i loaded wireshark text file to:

    http://pastebin.com/rCU0CC10

  • my bad. :-(

    to SilverT257 and Mark Mihollan,

    thank you for responding. my “chemo brain” gets forgetful.

    i am taking system offline after sending this and will run wireshark again to see if there is anything different.

    thanks again.

  • some device on your network has the MAC address 00:0f:fe:8f:8f:23 which Wireshark is calling PartedMagic for unknown reasons. That MAC prefix apparently belongs to an obscure Chinese computer maker, G-Pro Computers. http://macaddress.webwat.ch/vendor/G-PRO_COMPUTER
    the weblink given for G-Pro is wrong.

    some random google searching suggests that they may be an OEM for Lite-On. do you have any network devices from Lite-On? (I’m only familiar with Lite-On as a CD/DVD burner/reader brand.)

    oh. the ARP packet suggests that MAC address is 192.168.1.144

    No.  Time         Source       Destination  Protocol  Length  Info
    3    1.137831000  PartedMagic  Broadcast    ARP       42      Who has 192.168.1.254? Tell 192.168.1.144

    Frame 3: 42 bytes on wire (336 bits), 42 bytes captured (336 bits) on interface 0
    Ethernet II, Src: PartedMagic (00:0f:fe:8f:8f:23), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
    Address Resolution Protocol (request)

  • John, thank you for replying.

    see my new paste at:

    http://pastebin.com/8vBxnUSf

    interesting. where does one look to find assignment for MAC addresses?

    no network devices from Lite-on.

    ~]$ lspci|grep net
    00:19.0 Ethernet controller: Intel Corporation 82566DM-2 Gigabit Network Connection (rev 02)
    ~]$

    same here.

    that is how i see it.

  • is that 1.144 IP address in use by the machine you ran the lspci from?
    I think his original intent was that perhaps it was a separate device. are you running VMs on this host, by chance?

  • since

    [zep@nemesis ~]$ nslookup secure.informaction.com
    Server: 192.168.10.22
    Address: 192.168.10.22#53

    Non-authoritative answer:
    Name: secure.informaction.com Address: 82.103.140.42
    Name: secure.informaction.com Address: 82.103.140.40
    Name: secure.informaction.com Address: 69.195.141.178
    Name: secure.informaction.com Address: 69.195.141.179

    and going to http://www.informaction.com lists off things like noscript and a few other browser add-on sorts of things, I’d tend to think that you [perhaps the plural ‘you’, meaning possibly some other individual] installed one of their extensions [or some other piece of FOSS] and it’s doing a call home to check for updates or do some sort of comparison, like adblock’s blacklist.

    no idea where the wonky name comes from.

  • again, wireshark is, for some unknown reason, calling that 00:0f:fe:8f:8f:23 MAC address “PartedMagic”; this MAC is associated with the IP 192.168.1.144.

    other than wireshark’s odd name for this host, I see nothing wrong here. does the system with that IP in fact have that MAC? if so, everything is normal: that system is apparently connecting to https://secure.informaction.com

  • somewhere. but i know not where.

    http://www.whoami.it/home/ shows me to be:
    adsl-184-41-28-86.mem.bellsouth.net
    for the hell of it, i pulled and reconnected the DSL line; now i am
    adsl-184-41-28-44.mem.bellsouth.net

    which is now confusing me more because the 1.144 address is in:

    ~]$ ifconfig
    eth0 Link encap:Ethernet HWaddr 00:0F:FE:8F:8F:23
    inet addr:192.168.1.144 Bcast:192.168.1.255 Mask:255.255.255.0
    inet6 addr: fe80::20f:feff:fe8f:8f23/64 Scope:Link

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    inet6 addr: ::1/128 Scope:Host

    virbr0 Link encap:Ethernet HWaddr 52:54:00:B3:A7:95
    inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0

    [geo@boxen ~]$

    so a question: in checking with a ‘whoami’ i got adsl-184-41-28-86.mem.bellsouth.net. where is the 192.168.1.144 being produced when i am not in a VM?

    looking in man ifconfig, nothing is given as to just what is shown.

    no VM. this box connects straight to router, which connects straight to DSL/phone filter, which connects directly to drop line.

    something/somebody is ‘hiding in the wood pile’ and it has me scratching my balding head even more bald.

  • Sounds like a typical NAT router setup to me. The router would have one public IP and uses a private subnet for your LAN side. The other end of an outbound connection sees the NATed public address.

  • your ROUTER gets the internet IP on its WAN side (184.41.28.86 or whatever), and your LAN uses 192.168.1.xxx; the system you ran ifconfig on there has 192.168.1.144. the router ‘translates’ your private LAN addresses to the public internet address; this process is often called NAT (Network Address Translation), or Masquerade.

    so. Wireshark, for unknown reasons, thinks your system is ‘PartedMagic’. I have no idea why.

    so… ‘PartedMagic’ is a red herring. what’s the ACTUAL problem here we’re trying to solve?

  • Possibly your system was installed or cloned using PartedMagic, and that left an entry in

    /etc/ethers

    mapping your default nic to the name ‘PartedMagic’?

    K

    Kahlil (Kal) Hodgson GPG: C9A02289
    Head of Technology (m) +61 (0) 4 2573 0382
    DealMax Pty Ltd

    Suite 1416
    401 Docklands Drive Docklands VIC 3008 Australia

    “All parts should go together without forcing. You must remember that the parts you are reassembling were disassembled by you. Therefore, if you can’t get them together again, there must be a reason. By all means, do not use a hammer.” — IBM maintenance manual, 1925
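Wireshark's own name resolution ties the two explanations in this thread together: a full-address entry in an ethers file (the /etc/ethers possibility raised just above) is displayed verbatim, and only when there is none does the OUI vendor name (the G-Pro lookup earlier in the thread) appear as "<vendor>_<last three octets>". The following is an added example, not code from the thread or from Wireshark, that reimplements that lookup order over constructed sample ethers and manuf files; the SAMPLE_* contents and the 24-bit-OUI-only manuf parser are assumptions of this example.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed stand-ins for /etc/ethers (Wireshark reads ethers files too) and
# for Wireshark's "manuf" OUI table; neither is a real file from the thread.
SAMPLE_ETHERS = """\
# hardware address     hostname
00:0f:fe:8f:8f:23      PartedMagic
52:54:00:b3:a7:95      virbr0-host
"""
SAMPLE_MANUF = """\
# OUI       short    long vendor name
00:0F:FE    G-PRO    G-Pro Computer
52:54:00    QEMU     QEMU virtual NIC
"""

def normalize_mac(mac: str) -> Optional[str]:
    """Canonicalise 'AA-BB-..', 'a:b:c:d:e:f', etc. to zero-padded lower-case colon form."""
    parts = re.split(r"[:\-]", mac.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9a-fA-F]{1,2}", p) for p in parts):
        return None
    return ":".join(p.lower().zfill(2) for p in parts)

def parse_ethers(text: str) -> Dict[str, str]:
    """ethers(5) format: '<mac> <name>' per line; '#' begins a comment."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and (mac := normalize_mac(fields[0])):
            table[mac] = fields[1]
    return table

def parse_manuf(text: str) -> Dict[str, Tuple[str, str]]:
    """manuf-style table: '<oui> <short> <long>'; 24-bit OUIs only (an assumption here)."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split(None, 2)
        if len(fields) >= 2 and (oui := normalize_mac(fields[0] + ":00:00:00")):
            table[oui[:8]] = (fields[1], fields[-1].strip())
    return table

def resolve_mac(mac: str, ethers: Dict[str, str], manuf: Dict[str, Tuple[str, str]]) -> str:
    """Wireshark's order: well-known address, exact ethers entry, '<vendor>_<low 3 octets>', raw MAC."""
    canon = normalize_mac(mac)
    if canon is None:
        raise ValueError(f"not a MAC address: {mac!r}")
    if canon == "ff:ff:ff:ff:ff:ff":
        return "Broadcast"
    if canon in ethers:
        return ethers[canon]
    vendor = manuf.get(canon[:8])
    return f"{vendor[0]}_{canon[9:]}" if vendor else canon
```

With the sample ethers entry present the page's MAC resolves to "PartedMagic"; remove that one line and the same address is shown as "G-PRO_8f:8f:23", which is what to check on the capturing host before treating the label as evidence of anything.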