Hello, thank you for your time.
I have recently noticed a strange occurence going on with inbound traffic.
The other day, I helped my friend set up his network. icmp ping was good. while sniffing, I first noticed inbound tcp traffic to me was not coming from my friend's IP address, but coming from my switch. (we used a simple udp tunnel to connect the LANs)
I tested it using GRC.com's shieldsup utility. My port tested closed, which was the proper setting for the test. The packet trace indicated a ton of https traffic during grc.com visit between me and grc.com, then two small syn and syn+ack packets in the middle, the syn of which was grc.com's test packet. The problem is, that syn packet said it came from my home switch IP, not a grc.com IP. My syn+ack response, the second packet, also had the router ip as the destination address, yet grc picked it up as a closed port indication. My question is, even though traffic seems to behave correctly for the most part, why is my network spy v2.0 seeing all inbound traffic as originating from my router, not the internet IP it did come from? (it used to indicate the internet host the traffic came from. i have not tried a second sniffer.)
The behavior confuses apps. using hamachi, when my friend logs in, hamachi indicates the tunnel is up on my router's ip, not his ip, a departure from previous behavior. I am using cox cable internet, which does block many typical service ports. I don't know if this is another way the isp found to hose up inbound traffic.