Security Basics mailing list archives
SV: Interesting sniffer packet
From: Thomas Westlund <thomas.westlund () prioritytelecom no>
Date: Fri, 31 Oct 2003 09:10:50 +0100
Hi,
non-changing packet number of 2863311531. I captured traffic for an hour and 99% of these "fluff" packets were that packet number.
This suggests to me that it is actually the same packet, sounds to me like you've got some kind of loop in your network. As to what's generating it, I really haven't got any good ideas at the moment. Hope this points you in the right direction.

--
Thomas Westlund
Priority Telecom Norway AS

-----Original message-----
From: JGrimshaw () ASAP com [mailto:JGrimshaw () ASAP com]
Sent: 30.10.2003 19:35
To: security-basics () securityfocus com
Subject: Fw: Interesting sniffer packet

I think I've managed to pinpoint this to some errant IPX traffic on the network. The responses to the packets were like finding a needle in a haystack, but when I sniffed again before the business day started, I saw some printers and a file server all communicating with SAP--and apparently, there is not supposed to be IPX in use here. The similarity was in the packet number (it was the same number). I'm still unsure of what the source address and destination address are; they aren't broadcast, but I am not sure how to classify them.

JGrimshaw () ASAP com
10/29/2003 04:44 PM
To cc security-basics () securityfocus com
Subject: Interesting sniffer packet

Hi All,

Has anyone seen this? I am not sure what to make of it. The source address is 00:00:01:01:01:01 and the destination address is 00:00:FF:FF:FF:FF. The byte count is 504, and I'm getting about 50k per second of this on just about every vlan I have. Interestingly enough, my traffic has not been affected by it. The packet analysis suggests it's an 802.3 LLC packet and it has a mostly non-changing packet number of 2863311531. I captured traffic for an hour and 99% of these "fluff" packets were that packet number.

I monitored port activity and there isn't anything that's bursting at 50k for very long--anything with big amounts of traffic seems normal (like a router, file and print, etc). It's not causing a problem, but it is something that none of us here have seen.
Since it's on all vlans (and no ports are acting funny), I'm at a loss as to what could be generating it. Does anyone have any ideas?
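
An added example, not part of the thread: a small frame classifier that separates Ethernet II, raw 802.3 and 802.3 LLC framing, flags IPX, labels the destination MAC by its I/G bit, and tallies repeated frames so a stray talker stands out. The function names and sample payloads are constructed for illustration; only the two MAC addresses and the 504-byte size come from the post.

```python
import struct
from collections import Counter

def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02X}" for x in b)

def mac_kind(b: bytes) -> str:
    """Classify a MAC by the I/G bit (lowest bit of the first octet)."""
    if b == b"\xff" * 6:
        return "broadcast"
    return "multicast" if b[0] & 0x01 else "unicast"

def classify(frame: bytes) -> tuple:
    """Return (src, dst, dst kind, framing, protocol); frame has no preamble/FCS."""
    dst, src = frame[:6], frame[6:12]
    (type_len,) = struct.unpack("!H", frame[12:14])
    if type_len >= 0x0600:                      # EtherType => Ethernet II
        framing = "Ethernet II"
        proto = "IPX" if type_len == 0x8137 else f"ethertype 0x{type_len:04X}"
    elif type_len > 1500:                       # 1501..1535 is undefined
        framing, proto = "invalid", "unknown"
    elif frame[14:16] == b"\xff\xff":           # IPX checksum right after length
        framing, proto = "802.3 raw", "IPX"
    elif frame[14:16] == b"\xaa\xaa":           # SNAP extension of LLC
        framing, proto = "802.3 LLC/SNAP", "see SNAP header"
    else:
        dsap, ssap = frame[14], frame[15]
        framing = "802.3 LLC"
        proto = "IPX" if dsap == ssap == 0xE0 else f"DSAP 0x{dsap:02X} SSAP 0x{ssap:02X}"
    return fmt_mac(src), fmt_mac(dst), mac_kind(dst), framing, proto

def top_talkers(frames):
    """Count identical (src, dst, kind, framing, proto) tuples, most common first."""
    return Counter(classify(f) for f in frames).most_common()

# Constructed sample frames (not the capture from the thread); only the two
# MAC addresses and the 504-byte size are taken from the post.
def build(dst, src, type_len, payload, size):
    hdr = bytes.fromhex(dst) + bytes.fromhex(src) + struct.pack("!H", type_len)
    return (hdr + payload).ljust(size, b"\x00")

ODD = build("0000ffffffff", "000001010101", 490, b"\xe0\xe0\x03", 504)
RAW = build("ffffffffffff", "020000000001", 30, b"\xff\xff", 60)
IP4 = build("020000000002", "020000000001", 0x0800, b"\x45\x00", 60)
SAMPLE = [ODD] * 5 + [RAW, IP4]

if __name__ == "__main__":
    for key, n in top_talkers(SAMPLE):
        print(n, *key)
```

Neither address from the post has the I/G bit set, so both classify as unicast here.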