Security Basics mailing list archives
Interesting sniffer packet
From: JGrimshaw () ASAP com
Date: Wed, 29 Oct 2003 16:44:20 -0600
Hi All,

Has anyone seen this? I am not sure what to make of it. The source address is 00:00:01:01:01:01 and the destination address is 00:00:FF:FF:FF:FF. The byte count is 504, and I'm getting about 50k per second of this on just about every vlan I have. Interestingly enough, my traffic has not been affected by it.

The packet analysis suggests it's an 802.3 LLC packet and it has a mostly non-changing packet number of 2863311531. I captured traffic for an hour and 99% of these "fluff" packets were that packet number. I monitored port activity and there isn't anything that's bursting at 50k for very long--anything with big amounts of traffic seems normal (like a router, file and print, etc).

It's not causing a problem, but it is something that none of us here have seen. Since it's on all vlans (and no ports are acting funny), I'm at a loss as to what could be generating it. Does anyone have any ideas?
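An added example, not part of the original post: one way to pick the described frames out of raw capture data and count them per VLAN, so the tally can be compared across switch ports. The function names, the sample frames and their zero-filled payloads are assumptions constructed for illustration; only the two MAC addresses and the 504-byte untagged size come from the post.

```python
import struct
from collections import Counter

SRC = bytes.fromhex("000001010101")   # source MAC reported in the post
DST = bytes.fromhex("0000ffffffff")   # destination MAC reported in the post

def parse_frame(frame):
    """Return the layer-2 fields of a raw frame, or None if it is truncated."""
    if len(frame) < 14:
        return None
    dst, src = frame[0:6], frame[6:12]
    (tl,) = struct.unpack("!H", frame[12:14])
    off, vlan = 14, None
    if tl == 0x8100:                  # 802.1Q tag: TCI, then the real type/length
        if len(frame) < 18:
            return None
        tci, tl = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    info = {"dst": dst, "src": src, "vlan": vlan, "llc": None}
    if tl <= 1500:                    # 802.3: the field is a length, LLC follows
        info["kind"] = "802.3"
        if len(frame) >= off + 3:
            info["llc"] = tuple(frame[off:off + 3])   # DSAP, SSAP, control
    else:                             # Ethernet II: the field is an EtherType
        info["kind"] = "ethernet2"
    return info

def tally(frames):
    # Count 802.3 frames with the reported MAC pair, keyed by VLAN id.
    hits = Counter()
    for f in frames:
        p = parse_frame(f)
        if p and p["kind"] == "802.3" and p["src"] == SRC and p["dst"] == DST:
            hits[p["vlan"]] += 1
    return hits

def make_frame(dst, src, payload, vlan=None, ethertype=None):
    """Build a constructed sample frame (hypothetical helper, not captured data)."""
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    tl = ethertype if ethertype is not None else len(payload)
    return dst + src + tag + struct.pack("!H", tl) + payload

# Constructed samples: 14-byte header + 490-byte payload = 504 bytes untagged.
SAMPLES = [
    make_frame(DST, SRC, b"\x00" * 490, vlan=10),
    make_frame(DST, SRC, b"\x00" * 490, vlan=10),
    make_frame(DST, SRC, b"\x00" * 490, vlan=20),
    make_frame(DST, SRC, b"\x00" * 490),
    make_frame(b"\xff" * 6, bytes.fromhex("020000000001"), b"\x00" * 46, ethertype=0x0800),
]
```

Feeding `tally` the frames seen on each monitored port, rather than one trunk capture, narrows down where the frames enter the network.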