RE: ethereal capture

["Fields, James" <James.Fields () bcbsfl com>]

To make sure I understand, you're seeing traffic where:
1) neither the source nor destination addresses belong to the port you
have spanned at the switch
2) neither the source nor destination is the IP address of the
workstation where you are running Ethereal
3) the destination is not an IP broadcast or an Ethernet MAC broadcast?

If all those are correct, it is possible that there is a problem with
the switch, either a configuration problem or a bug in the code (since
these are categorized as "fast Ethernet" ports I am assuming this is a
switch running a router type IOS rather than CatOS).  Does the switch
support having multiple ports spanned to your monitor port?  Possible
that an earlier admin/user set up a port to be monitored and that you
are getting both ports' traffic?

-----Original Message-----
From: Cat Thrasher [mailto:isd607 () co santa-cruz ca us] 
Sent: Wednesday, September 17, 2003 7:18 PM
To: security-basics () securityfocus com
Subject: ethereal capture

Hi, Please advise on my question.
I thought when you are sniffing a switched segment, you are only seeing
broadcast traffic. I see source Workstation(not the one I am monitoring
on)--Dest Webserver inside on my network and protocol http. Please tell
me if this is usual.

I have ethereal on a laptop. I did a port monitor on a Cisco Switch and
captured traffic from one port. (so I thought) I thought I'd only see
what the workstation on port fast ethernet 0/ 38 was doing. But like I
said above, I see lots of http conversations and tcp conversations where
the dest port is not all F's, or 255's. And the source is not the
workstation on the port I am monitoring.

Thanks alot.


Cat Thrasher

------------------------------------------------------------------------
---
Captus Networks 
Are you prepared for the next Sobig & Blaster? 
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans 
 - Precisely Define and Implement Network Security 
 - Automatically Control P2P, IM and Spam Traffic 
FIND OUT NOW -  FREE Vulnerability Assessment Toolkit 
http://www.captusnetworks.com/ads/42.htm
------------------------------------------------------------------------
----





Blue Cross Blue Shield of Florida, Inc., and its subsidiary and affiliate companies are not responsible for errors or 
omissions in this e-mail message. Any personal comments made in this e-mail do not reflect the views of Blue Cross Blue 
Shield of Florida, Inc.  The information contained in this document may be confidential and intended solely for the use 
of the individual or entity to whom it is addressed.  This document may contain material that is privileged or 
protected from disclosure under applicable law.  If you are not the intended recipient or the individual responsible 
for delivering to the intended recipient, please (1) be advised that any use, dissemination, forwarding, or copying of 
this document IS STRICTLY PROHIBITED; and (2) notify sender immediately by telephone and destroy the document. THANK 
YOU.



---------------------------------------------------------------------------
Captus Networks
Are you prepared for the next Sobig & Blaster?
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
 - Precisely Define and Implement Network Security
 - Automatically Control P2P, IM and Spam Traffic
FIND OUT NOW -  FREE Vulnerability Assessment Toolkit
http://www.captusnetworks.com/ads/42.htm
----------------------------------------------------------------------------