falcon04
join:2005-03-03

falcon04

Member

Unusual Router Traffic

I've noticed some "interesting" traffic in my router log.

Remote IP 74.125.137.120

Remote name p5-vvipttempz3yi-yjro32jiljp42irg-630273-i1-v6exp3-v4.metric.g

Local IP 52.46.49.50

The IPs show some variation but the name is always similar, starts with "p5" and ends with "metric.g".

Neither of these IPs is my actual LAN or WAN address, and my router log shows no other local IPs other than my LAN or WAN except for this. Usually only a few times daily.

Outgoing tcp always following outgoing to gstatic.com and google.com from LAN address.

Does this have something to do with Google's use of "the cloud" ?
dsilvers
join:2009-05-17
Canyon Lake, TX

dsilvers

Member

74.125.137.120 resolves to yh-in-f120.1e100.net and is MarkMonitor owned by Google. Almost anything Google will make a connection to a .1e100.net domain on an infinite number of IP addresses and ports.

If you are using Firefox > Tools > Options > Security > unchecking Block reported attack sites and Block reported web forgeries will tame it down. Firefox will make these connections to get a current list of attack and forgery sites.

The Google SSL search engine, YouTube, Google Maps and Google Earth all make .1e100.net connections. I am told the Google Tool Bar and Chrome also make these connections. Although this is untested, probably anything Google makes these connections, including Google Cloud and Google DNS if you are using them.

Google tracks everything but short of that these connections are likely benign. Wireshark would ensure a more definitive answer but I am too lazy to run down all Google connections.

52.46.49.50 resolves to Dupont and I don't have a clue why that would show as your local IP. Nothing Google for that remote name.

NormanS
I gave her time to steal my mind away
MVM
join:2001-02-14
San Jose, CA
TP-Link TD-8616
Asus RT-AC66U B1
Netgear FR114P

NormanS to falcon04

MVM

to falcon04
Not sure where your router is getting that remote name; it isn't the reverse name on that IP address. As dsilvers states, '1e100.net' is a Google domain. As an aside, it has to do with the fact that 1.0x10¹⁰⁰ can be written as 1e100; the mathematicians call this a "Googol".

The other puzzle is the 52.46.49.50 reported as a local IP address. Seeing the actual, unedited log entry might be revealing.
HELLFIRE
MVM
join:2009-11-25

HELLFIRE to falcon04

MVM

to falcon04
Seconded... if you can please post said log of the traffic you're looking at.

Also, checking both IP address ranges with arin.net,

NetRange: 74.125.0.0 - 74.125.255.255
CIDR: 74.125.0.0/16
Name: GOOGLE

NetRange: 52.0.0.0 - 52.255.255.255
CIDR: 52.0.0.0/8
Name: DUPONT1

Regards
falcon04
join:2005-03-03

falcon04

Member

Firefox blocks unchecked ages ago.

"safebrowsing-" etc. was slowing everything down.

Here's the last instance from my WW log.

2013/01/04 13:58:06.76 O tcp 74.125.130.103 www.google.com 80 192.168.1.101 49205
2013/01/04 13:58:07.06 O tcp 74.125.140.120 ssl.gstatic.com 80 192.168.1.101 49206
2013/01/04 13:58:07.60 O tcp 50.63.243.230 ocsp.godaddy.com 80 192.168.1.101 49207
2013/01/04 13:58:11.35 O tcp 74.125.130.103 www.google.com 80 192.168.1.101 49210
2013/01/04 13:58:11.56 O tcp 74.125.140.94 id.google.com 80 192.168.1.101 49211
2013/01/04 13:58:17.66 O tcp 74.125.137.120 p5-vjbrh5n742oqe-evtxaylq3ixe2ham-430548-i1-v6exp3-ds.metric.g 80 52.46.49.50 49212

This started a few weeks ago - SAS and MWB find no funnies - and it only happens a few times daily ??
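
Added example, not part of the original thread: a small Python parser for the log format quoted in the post above, which flags entries whose local address is outside the LAN and counts them per day. The field order is read off the quoted lines, and the 192.168.1.0/24 LAN subnet and all function names are assumptions made for this example.

```python
import ipaddress
from collections import Counter, namedtuple

# Assumption: the LAN is 192.168.1.0/24, inferred from the 192.168.1.101 entries.
LAN = ipaddress.ip_network("192.168.1.0/24")

Entry = namedtuple("Entry", "date time direction proto remote_ip remote_name "
                            "remote_port local_ip local_port")

# The six log lines quoted in the post above.
SAMPLE_LOG = """\
2013/01/04 13:58:06.76 O tcp 74.125.130.103 www.google.com 80 192.168.1.101 49205
2013/01/04 13:58:07.06 O tcp 74.125.140.120 ssl.gstatic.com 80 192.168.1.101 49206
2013/01/04 13:58:07.60 O tcp 50.63.243.230 ocsp.godaddy.com 80 192.168.1.101 49207
2013/01/04 13:58:11.35 O tcp 74.125.130.103 www.google.com 80 192.168.1.101 49210
2013/01/04 13:58:11.56 O tcp 74.125.140.94 id.google.com 80 192.168.1.101 49211
2013/01/04 13:58:17.66 O tcp 74.125.137.120 p5-vjbrh5n742oqe-evtxaylq3ixe2ham-430548-i1-v6exp3-ds.metric.g 80 52.46.49.50 49212
"""

def parse_line(line):
    """Parse one line; return None if it does not have the nine expected fields."""
    parts = line.split()
    if len(parts) != 9:
        return None
    date, time, direction, proto, rip, rname, rport, lip, lport = parts
    try:
        return Entry(date, time, direction, proto, ipaddress.ip_address(rip),
                     rname, int(rport), ipaddress.ip_address(lip), int(lport))
    except ValueError:  # malformed address or port
        return None

def odd_local_entries(log_text, lan=LAN):
    """Return parsed entries whose local address is outside the LAN subnet."""
    parsed = (parse_line(line) for line in log_text.splitlines())
    return [e for e in parsed if e is not None and e.local_ip not in lan]

def daily_counts(log_text, lan=LAN):
    """Count flagged entries per date, to see how often they recur."""
    return Counter(e.date for e in odd_local_entries(log_text, lan))

if __name__ == "__main__":
    for e in odd_local_entries(SAMPLE_LOG):
        print(e.date, e.time, e.local_ip, "->", e.remote_ip, e.remote_name)
    print(dict(daily_counts(SAMPLE_LOG)))
```

Run over a full exported log, the per-day counts show whether the odd entries stay at a few per day or are growing.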
HELLFIRE
MVM
join:2009-11-25

HELLFIRE to falcon04

MVM

to falcon04
Make / model of this device, falcon04?

My only question is what the "O" flag is for (if anything), but looks like it's autoresolving an IP address to a
hostname. Ignoring the "O," looks like it's all return traffic from port 80 / HTTP to your PC on a high order port,
which is normal and expected.

2013/01/04 13:58:17.66 O tcp 74.125.137.120 p5-vjbrh5n742oqe-evtxaylq3ixe2ham-430548-i1-v6exp3-ds.metric.g 80 52.46.49.50 49212
 

Couldn't say about this one... there any previous occurrences? Does it reoccur, and how often?

Short of running a continuous netstat on all your PCs on your LAN or running some sort of packet sniffer, you got me.

My 00000010bits.

Regards
falcon04
join:2005-03-03

falcon04

Member

"O" is outgoing - green flagged in WW for passed. Usually only 1 to 3 times daily - "metric.g" looks like a track of some sort. I'm fairly comfortable it's benign - or as benign as can be expected from Google.

Juggernaut
Irreverent or irrelevant?
Premium Member
join:2006-09-05
Kelowna, BC

Juggernaut

Premium Member

Do you use a Host file at all? I wonder if that would eliminate some or all of those entries. Might be worth a shot.