Security Basics mailing list archives
Fw: Interesting sniffer packet
From: JGrimshaw () ASAP com
Date: Thu, 30 Oct 2003 12:35:25 -0600
I think I've managed to pinpoint this to some errant IPX traffic on the network. The responses to the packets were like finding a needle in a haystack, but when I sniffed again before the business day started, I saw some printers and a file server all communicating with SAP--and apparently, there is not supposed to be IPX in use here. The similarity was in the packet number (it was the same number). I'm still unsure of what the source address and destination address are; they aren't broadcast, but I am not sure how to classify them.

JGrimshaw () ASAP com
10/29/2003 04:44 PM
To
cc security-basics () securityfocus com
Subject Interesting sniffer packet

Hi All,

Has anyone seen this? I am not sure what to make of it.

The source address is 00:00:01:01:01:01 and the destination address is 00:00:FF:FF:FF:FF. The byte count is 504, and I'm getting about 50k per second of this on just about every vlan I have. Interestingly enough, my traffic has not been affected by it.

The packet analysis suggests it's an 802.3 LLC packet and it has a mostly non-changing packet number of 2863311531. I captured traffic for an hour and 99% of these "fluff" packets were that packet number.

I monitored port activity and there isn't anything that is bursting at 50k for very long--anything with big amounts of traffic seems normal (like a router, file and print, etc).

It's not causing a problem, but it is something that none of us here have seen. Since it's on all vlans (and no ports are acting funny), I'm at a loss as to what could be generating it.

Does anyone have any ideas?
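The two classification questions raised in the message (what kind of addresses these are, and which Ethernet framing carries IPX), shown as an added example that is not part of the original post. The sample frame is constructed from the addresses and byte count quoted above and assumes an IPX-over-LLC header (DSAP/SSAP 0xE0); it is not the poster's capture.

```python
import struct

IPX_ETHERTYPE = 0x8137  # IPX carried in Ethernet II or SNAP

def classify_mac(mac):
    """Classify a MAC address by the I/G and U/L bits of its first octet."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected six colon-separated octets")
    if octets == b"\xff" * 6:
        scope = "broadcast"
    elif octets[0] & 0x01:          # I/G bit set: group address
        scope = "multicast"
    else:
        scope = "unicast"
    admin = "locally administered" if octets[0] & 0x02 else "globally assigned"
    return {"scope": scope, "admin": admin}

def classify_frame(frame):
    """Name the Ethernet encapsulation and say whether it carries IPX."""
    if len(frame) < 22:             # 14-byte MAC header + 8 bytes for LLC/SNAP
        raise ValueError("truncated frame")
    (type_or_len,) = struct.unpack("!H", frame[12:14])
    payload = frame[14:]
    if type_or_len >= 0x0600:       # 0x0600 and up is an EtherType, not a length
        proto = "IPX" if type_or_len == IPX_ETHERTYPE else f"EtherType 0x{type_or_len:04x}"
        return f"Ethernet II, {proto}"
    if payload[:2] == b"\xff\xff":  # no LLC header: IPX checksum field directly
        return "802.3 raw (Novell), IPX"
    dsap, ssap = payload[0], payload[1]
    if (dsap, ssap) == (0xAA, 0xAA):    # SNAP: control, 3-byte OUI, 2-byte type
        (snap_type,) = struct.unpack("!H", payload[6:8])
        proto = "IPX" if snap_type == IPX_ETHERTYPE else f"type 0x{snap_type:04x}"
        return f"802.3 SNAP, {proto}"
    if (dsap, ssap) == (0xE0, 0xE0):    # NetWare SAP value for IPX over 802.2
        return "802.3 LLC, IPX"
    return f"802.3 LLC, DSAP 0x{dsap:02x} SSAP 0x{ssap:02x}"

def build_sample():
    """Constructed 504-byte frame using the addresses quoted in the post."""
    dst = bytes.fromhex("0000ffffffff")
    src = bytes.fromhex("000001010101")
    llc = b"\xe0\xe0\x03"           # assumed IPX-over-LLC header, not from the capture
    body = llc + bytes(504 - 14 - len(llc))
    return dst + src + struct.pack("!H", len(body)) + body

if __name__ == "__main__":
    for mac in ("00:00:01:01:01:01", "00:00:FF:FF:FF:FF"):
        print(mac, classify_mac(mac))
    print(classify_frame(build_sample()))
```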