Security Basics mailing list archives

SV: Interesting sniffer packet


From: Thomas Westlund <thomas.westlund () prioritytelecom no>
Date: Fri, 31 Oct 2003 09:10:50 +0100

Hi,

> non-changing packet number of 2863311531.  I captured traffic for an hour
> and 99% of these "fluff" packets were that packet number.

This suggests to me that it is actually the same packet. Sounds to me like
you've got some kind of loop in your network.

As to what's generating it, I really haven't got any good ideas at the moment.

Hope this points you in the right direction.

-- 
Thomas Westlund
Priority Telecom Norway AS 



-----Original message-----
From: JGrimshaw () ASAP com [mailto:JGrimshaw () ASAP com]
Sent: 30.10.2003 19:35
To: security-basics () securityfocus com
Subject: Fw: Interesting sniffer packet


I think I've managed to pinpoint this to some errant IPX traffic on the
network.  The responses to the packets were like finding a needle in a
haystack, but when I sniffed again before the business day started, I saw
some printers and a file server all communicating with SAP--and
apparently, there is not supposed to be IPX in use here.  The similarity
was in the packet number (it was the same number).

I'm still unsure of what the source address and destination address are;
they aren't broadcast, but I am not sure how to classify them.


JGrimshaw () ASAP com
10/29/2003 04:44 PM

To:
cc: security-basics () securityfocus com
Subject: Interesting sniffer packet

Hi All,

Has anyone seen this?  I am not sure what to make of it.

The source address is 00:00:01:01:01:01 and the destination address is 
00:00:FF:FF:FF:FF.

The byte count is 504, and I'm getting about 50k per second of this on 
just about every vlan I have.  Interestingly enough, my traffic has not 
been affected by it.

The packet analysis suggests it's an 802.3 LLC packet and it has a mostly
non-changing packet number of 2863311531.  I captured traffic for an hour
and 99% of these "fluff" packets were that packet number.

I monitored port activity and there isn't anything that is bursting at 50k
for very long--anything with big amounts of traffic seems normal (like a
router, file and print, etc).

It's not causing a problem, but it is something that none of us here
have seen.  Since it's on all vlans (and no ports are acting funny), I'm
at a loss as to what could be generating it.  Does anyone have any
ideas?
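The thread raises three questions a practitioner would want to answer from the capture itself: is the frame 802.3/LLC or Ethernet II, how should source and destination addresses like 00:00:01:01:01:01 and 00:00:FF:FF:FF:FF be classified, and is the 99% identical "fluff" the signature of a loop. The Python below is an added example, not code from any poster in this thread. It generalises beyond the specific frame: it distinguishes 802.3 from Ethernet II by the type/length field, recognises both Novell IPX encapsulations (802.2 LLC with SAP 0xE0 and "raw 802.3" with the FFFF checksum), classifies MAC addresses by the I/G and U/L bits, and measures how much of a capture is byte-identical repeats. The sample frames are constructed: the addresses and the 504-byte length come from the original post, but the payload contents are made up and do not represent what was actually on the wire.

```python
"""Frame triage for the symptoms in this thread: 802.3/LLC vs Ethernet II,
MAC address class, IPX detection, and byte-identical repeats across VLANs."""
from collections import Counter

ETHERTYPE_NAMES = {0x0800: "IPv4", 0x0806: "ARP", 0x8137: "IPX", 0x86DD: "IPv6"}
LLC_SAP_NAMES = {0xE0: "IPX", 0xAA: "SNAP", 0x42: "STP", 0xF0: "NetBIOS"}


def mac_to_str(mac: bytes) -> str:
    return ":".join(f"{b:02X}" for b in mac)


def classify_mac(mac: bytes) -> str:
    """Broadcast is all-ones; otherwise the I/G bit (bit 0 of the first octet)
    separates group from individual addresses. 00:00:FF:FF:FF:FF has that bit
    clear, so it is a unicast address despite the trailing FFs."""
    if mac == b"\xff" * 6:
        return "broadcast"
    return "multicast" if mac[0] & 0x01 else "unicast"


def is_locally_administered(mac: bytes) -> bool:
    """U/L bit (bit 1 of the first octet): set means not an IEEE-assigned OUI."""
    return bool(mac[0] & 0x02)


def parse_frame(frame: bytes) -> dict:
    """Decode the 14-byte header. A type/length value <= 1500 is an 802.3
    length field; 0x0600 and above is an Ethernet II EtherType."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    type_len = int.from_bytes(frame[12:14], "big")
    info = {
        "dst": mac_to_str(dst), "dst_class": classify_mac(dst),
        "src": mac_to_str(src), "src_class": classify_mac(src),
        "src_local": is_locally_administered(src),
        "length": len(frame),
    }
    if type_len <= 1500:
        payload = frame[14:14 + type_len]
        info["encap"] = "802.3"
        if payload[:2] == b"\xff\xff":
            # Novell "raw 802.3": IPX header (checksum FFFF) follows the length, no LLC
            info["proto"] = "IPX (raw 802.3)"
        elif len(payload) < 3:
            info["proto"] = "truncated LLC"
        else:
            dsap, ssap, ctrl = payload[0], payload[1], payload[2]
            info["llc"] = (dsap, ssap, ctrl)
            info["proto"] = LLC_SAP_NAMES.get(dsap, f"LLC SAP 0x{dsap:02X}")
            if dsap == 0xAA and len(payload) >= 8:
                info["snap_type"] = int.from_bytes(payload[6:8], "big")
    else:
        info["encap"] = "Ethernet II"
        info["ethertype"] = type_len
        info["proto"] = ETHERTYPE_NAMES.get(type_len, f"EtherType 0x{type_len:04X}")
    return info


def repeat_ratio(frames: list) -> float:
    """Fraction of frames byte-identical to an earlier frame in the capture.
    Normal traffic stays near 0; a frame circulating in a loop pushes it toward 1."""
    if not frames:
        return 0.0
    return (len(frames) - len(Counter(frames))) / len(frames)


def frames_seen_on_all_vlans(captures: dict) -> set:
    """Frames present, byte for byte, in every VLAN's capture."""
    sets = [set(f) for f in captures.values()]
    return set.intersection(*sets) if sets else set()


def build_8023_frame(dst_hex: str, src_hex: str, payload: bytes) -> bytes:
    return (bytes.fromhex(dst_hex) + bytes.fromhex(src_hex)
            + len(payload).to_bytes(2, "big") + payload)


# Constructed samples (addresses and 504-byte size from the post; payloads invented).
SUSPECT_FRAME = build_8023_frame("0000FFFFFFFF", "000001010101",
                                 b"\xe0\xe0\x03" + bytes(487))      # 14 + 490 = 504 bytes
RAW_IPX_FRAME = build_8023_frame("FFFFFFFFFFFF", "00AABBCCDDEE", b"\xff\xff" + bytes(28))
IPV4_FRAME = (bytes.fromhex("001122334455") + bytes.fromhex("66778899AABB")
              + (0x0800).to_bytes(2, "big") + bytes(46))
CAPTURES = {10: [SUSPECT_FRAME] * 99 + [IPV4_FRAME],
            20: [SUSPECT_FRAME] * 99 + [RAW_IPX_FRAME]}

if __name__ == "__main__":
    for vlan, frames in CAPTURES.items():
        print(f"vlan {vlan}: repeat ratio {repeat_ratio(frames):.2f}")
    for f in frames_seen_on_all_vlans(CAPTURES):
        print("seen on every vlan:", parse_frame(f))
```

The address check answers the "they aren't broadcast" observation directly: 00:00:FF:FF:FF:FF fails the all-ones test and has the group bit clear, so a sniffer will file it as plain unicast even though it looks special. The repeat ratio and the cross-VLAN intersection are the two numbers to pull from a real capture when a loop is suspected; a single frame that is both identical across thousands of copies and present on every VLAN is what the reply in this thread is describing.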






---------------------------------------------------------------------------
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web Services security to
simplify the management and deployment of PGP and reduce overall PGP costs
by up to 80%.
FREE WHITEPAPER & 30 Day Trial -
http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027
----------------------------------------------------------------------------