Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

Interesting sniffer packet

From: JGrimshaw () ASAP com
Date: Wed, 29 Oct 2003 16:44:20 -0600
Hi All,

Has anyone seen this?  I am not sure what to make of it.

The source address is 00:00:01:01:01:01 and the destination address is 
00:00:FF:FF:FF:FF.

The byte count is 504, and I'm getting about 50k per second of this on 
just about every vlan I have.  Interestingly enough, my traffic has not 
been affected by it.

The packet analysis suggests it's an 802.3 LLC packet  and it has a mostly 
non-changing packet number of 2863311531.  I captured traffic for an hour 
and 99% of these "fluff" packets were that packet number.

I monitored port activity and there isn't anything that bursting at 50k 
for very long--anything with big amounts of traffic seem normal (like a 
router, file and print, etc).

It's not causing a problem, but it is something that I none of us here 
have seen.  Since it's on all vlans (and no ports are acting funny), I'm 
at a loss as to what could be generating it.    Does anyone have any 
ideas? 






---------------------------------------------------------------------------
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web Services security to 
simplify the management and deployment of PGP and reduce overall PGP costs 
by up to 80%.
FREE WHITEPAPER & 30 Day Trial - 
http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027 
----------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: