Security Basics mailing list archives

ethereal capture


From: "Cat Thrasher" <isd607 () co santa-cruz ca us>
Date: Wed, 17 Sep 2003 16:17:39 -0700

Hi, please advise on my question.
I thought when you are sniffing a switched segment, you are only seeing broadcast traffic. I see source Workstation (not the one I am monitoring on) -- Dest Webserver inside on my network and protocol HTTP. Please tell me if this is usual.

I have Ethereal on a laptop. I did a port monitor on a Cisco switch and captured traffic from one port (so I thought). I thought I'd only see what the workstation on port Fast Ethernet 0/38 was doing. But like I said above, I see lots of HTTP conversations and TCP conversations where the dest port is not all F's, or 255's. And the source is not the workstation on the port I am monitoring.

Thanks a lot.


Cat Thrasher
