This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Lansweeper Community
- Forums
- General Discussions
- Asset Radar and external/remote IPs
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Register to ask a question, start a topic or share an idea
Join the Community
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎04-13-2021 06:25 AM
Hi all!
I've done the obligatory search and didn't find anything related, so here goes first post:
I have three assets that have shown up via Asset Radar, all apparently Google IPs and hostnames, e.g.:
- Hostname: sfo03s18-in-f14.1e100.net
- IP: 172.217.164.110
Lansweeper has categorized the "devices" as webservers (which I understand from googling can be a default/fallback label) with the model "gws" (lowercase), which I read as "Google WebServer." 😉
I don't understand a few things:
1. How were these "devices" detected? Were they remotely connected to my host machine? There is no evidence that they were connected to my router. So perhaps they are some kind of program or bot that's phoning home from my Lanserver host? If so, why does Asset Radar think it's an external IP if the traffic is originating from my local machine?
2. When I run a scan, Lansweeper "sees" the asset each time (there are three in fact). What does it mean that Lastseen is the latest scan, when there is no evidence of a remote connection to the external IP?
I've done quite a bit of diagnostic testing over the last few days to try and isolate the so-called "rogue devices." Ultimately, I disconnected all machines from my LAN, turned off the WAN, and did a scan from the host machine -- again each of the three external "devices" came up as seen during the scan.
I've also blocked all outbound traffic to the IPs (at the router) and confirmed by failed pings, and yet...wait for it...they all show up during an active scan. Odd. Perhaps I'm confused, but up to this point I'd understood that when a device/IP shows up with a current Lastseen timestamp, that means the device is currently connected (to the host) and can be...you know, scanned. No comprendo.
I'm having a lot of trouble understanding what this result means, in the context of (a) no external connection, (b) no other network device connection (other than the router, which has no WAN), and (c) all other devices and IPs that Lansweeper normally sees (when connected) are limited to my local network.
An option is to delete the Asset Radar entries and see if they show up again from an AR scan. However, I'd like to keep the data live and in the system as I continue to run diagnostics. Rather not delete or export and delete for diagnostic purposes.
Has anyone seen something similar? Any suggestions? I thought perhaps one of the 10,000 smart-home devices I own (many of them Google-related) might be running some kind of server, but running a scan with no WAN or other local devices connected rules that theory out, IIUC what active scanning and seeing/detecting a device actually means.
PS An INTERESTING footnote: I'm running Asuswrt-Merlin on the router and checked out the connection table -- turns out several of my local machines are connected to each of the remote IPs in question. Actually, all of my machines are connected to DOZENS of external IPs of course, so I'm not sure what that proves. However, it suggests that perhaps Asset Radar stumbled on to a few of those "innocent" conversations and miscategorized them? Just a hunch? Is it plausible?
I've done the obligatory search and didn't find anything related, so here goes first post:
I have three assets that have shown up via Asset Radar, all apparently Google IPs and hostnames, e.g.:
- Hostname: sfo03s18-in-f14.1e100.net
- IP: 172.217.164.110
Lansweeper has categorized the "devices" as webservers (which I understand from googling can be a default/fallback label) with the model "gws" (lowercase), which I read as "Google WebServer." 😉
I don't understand a few things:
1. How were these "devices" detected? Were they remotely connected to my host machine? There is no evidence that they were connected to my router. So perhaps they are some kind of program or bot that's phoning home from my Lanserver host? If so, why does Asset Radar think it's an external IP if the traffic is originating from my local machine?
2. When I run a scan, Lansweeper "sees" the asset each time (there are three in fact). What does it mean that Lastseen is the latest scan, when there is no evidence of a remote connection to the external IP?
I've done quite a bit of diagnostic testing over the last few days to try and isolate the so-called "rogue devices." Ultimately, I disconnected all machines from my LAN, turned off the WAN, and did a scan from the host machine -- again each of the three external "devices" came up as seen during the scan.
I've also blocked all outbound traffic to the IPs (at the router) and confirmed by failed pings, and yet...wait for it...they all show up during an active scan. Odd. Perhaps I'm confused, but up to this point I'd understood that when a device/IP shows up with a current Lastseen timestamp, that means the device is currently connected (to the host) and can be...you know, scanned. No comprendo.
I'm having a lot of trouble understanding what this result means, in the context of (a) no external connection, (b) no other network device connection (other than the router, which has no WAN), and (c) all other devices and IPs that Lansweeper normally sees (when connected) are limited to my local network.
An option is to delete the Asset Radar entries and see if they show up again from an AR scan. However, I'd like to keep the data live and in the system as I continue to run diagnostics. Rather not delete or export and delete for diagnostic purposes.
Has anyone seen something similar? Any suggestions? I thought perhaps one of the 10,000 smart-home devices I own (many of them Google-related) might be running some kind of server, but running a scan with no WAN or other local devices connected rules that theory out, IIUC what active scanning and seeing/detecting a device actually means.
PS An INTERESTING footnote: I'm running Asuswrt-Merlin on the router and checked out the connection table -- turns out several of my local machines are connected to each of the remote IPs in question. Actually, all of my machines are connected to DOZENS of external IPs of course, so I'm not sure what that proves. However, it suggests that perhaps Asset Radar stumbled on to a few of those "innocent" conversations and miscategorized them? Just a hunch? Is it plausible?
Labels:
- Labels:
-
General Discussion
1 REPLY 1
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎06-26-2021 02:08 AM
I truly hate to be "the guy who answers his own question" (just seems naïve and tacky, plus you look kinda misbegotten), but since my question went unanswered and I have a new insight, I'll post it here for posterity.
To recap: my OP basically asked how a bunch of remote or external IPs could show up during an ordinary scan (or more accurately, a mix of "ordinary" and asset-radar scans). Not sure if I mentioned it before (I mean: WHO would read such a long post anyway?) but running whois on the IPs points to google-owned hostnames, which doesn't say much. In fact, it's trivially easy to buy some google server space and host naughtiness, so that's maybe a red flag in the end.
Anyhow...
Do any of you recognize the Chrome extension, The Great Suspender? Seems it got itself into quite a bit of controversy late last year:
https://github.com/greatsuspender/thegreatsuspender/issues/1263
After discovering that the extension seemed to be collecting browsing data (and maybe more) I of course uninstalled it months ago. However, I did leave open a number of suspended tabs, which perhaps continued to maintain a connection to the remote server that collected browsing data (see the github link below for a very detailed discussion of what might have been collected).
So my latest hunch is that THOSE are the IPs I'm seeing as scan results. In any case I've gone through and removed the offending URLs so all my tabs are pointing back to their original pages (and, presumably, not to some remote server or who-knows-what).
I'll wait a few days and if I see those locations no longer showing up as "active" Lanserver, I'll consider this issue closed.
To recap: my OP basically asked how a bunch of remote or external IPs could show up during an ordinary scan (or more accurately, a mix of "ordinary" and asset-radar scans). Not sure if I mentioned it before (I mean: WHO would read such a long post anyway?) but running whois on the IPs points to google-owned hostnames, which doesn't say much. In fact, it's trivially easy to buy some google server space and host naughtiness, so that's maybe a red flag in the end.
Anyhow...
Do any of you recognize the Chrome extension, The Great Suspender? Seems it got itself into quite a bit of controversy late last year:
https://github.com/greatsuspender/thegreatsuspender/issues/1263
After discovering that the extension seemed to be collecting browsing data (and maybe more) I of course uninstalled it months ago. However, I did leave open a number of suspended tabs, which perhaps continued to maintain a connection to the remote server that collected browsing data (see the github link below for a very detailed discussion of what might have been collected).
So my latest hunch is that THOSE are the IPs I'm seeing as scan results. In any case I've gone through and removed the offending URLs so all my tabs are pointing back to their original pages (and, presumably, not to some remote server or who-knows-what).
I'll wait a few days and if I see those locations no longer showing up as "active" Lanserver, I'll consider this issue closed.
New to Lansweeper?
Try Lansweeper For Free
Experience Lansweeper with your own data. Sign up now for a 14-day free trial.
Try Now
Related Content
- I have assets with Scanning Access Denied errors upon scanning, how to resolve this? in Technical Troubleshooting
- Understanding how cloud syncing works in General Discussions
- Introducing SIM - Software Inventory Manager - Developed by Licenseware & Powered by Lansweeper in General Discussions
- New Preview Capability - Host Your Lansweeper Site in the United States in Product Discussions
- Is there a way to protect an asset from accidental deletion from a user? in Technical Troubleshooting
