Security Basics mailing list archives
RE: ethereal capture
From: "Fields, James" <James.Fields () bcbsfl com>
Date: Thu, 18 Sep 2003 11:18:22 -0400
To make sure I understand, you're seeing traffic where:

1) neither the source nor destination addresses belong to the port you have spanned at the switch
2) neither the source nor destination is the IP address of the workstation where you are running Ethereal
3) the destination is not an IP broadcast or an Ethernet MAC broadcast?

If all those are correct, it is possible that there is a problem with the switch, either a configuration problem or a bug in the code (since these are categorized as "fast Ethernet" ports I am assuming this is a switch running a router type IOS rather than CatOS). Does the switch support having multiple ports spanned to your monitor port? Possible that an earlier admin/user set up a port to be monitored and that you are getting both ports' traffic?

-----Original Message-----
From: Cat Thrasher [mailto:isd607 () co santa-cruz ca us]
Sent: Wednesday, September 17, 2003 7:18 PM
To: security-basics () securityfocus com
Subject: ethereal capture

Hi,

Please advise on my question. I thought when you are sniffing a switched segment, you are only seeing broadcast traffic. I see source Workstation (not the one I am monitoring on) -- Dest Webserver inside on my network and protocol http. Please tell me if this is usual.

I have ethereal on a laptop. I did a port monitor on a Cisco Switch and captured traffic from one port (so I thought). I thought I'd only see what the workstation on port fast ethernet 0/38 was doing. But like I said above, I see lots of http conversations and tcp conversations where the dest port is not all F's, or 255's. And the source is not the workstation on the port I am monitoring.

Thanks a lot.

Cat Thrasher
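As an added diagnostic (example code written for this archive page, not from anyone in the thread), the following Python applies the three checks James lists to a set of captured frames and counts the conversations that match none of them. The Frame record layout, the addresses and the sample frames are constructed; the group-address test goes slightly beyond the thread by treating Ethernet multicast as expected alongside broadcast.

```python
from dataclasses import dataclass
from collections import Counter

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
BROADCAST_IP = "255.255.255.255"

@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str  # "" when the frame carries no IP header (e.g. ARP)
    dst_ip: str
    proto: str

def is_broadcast_or_multicast(f: Frame) -> bool:
    """Ethernet broadcast (all F's), IPv4 limited broadcast (all 255's),
    or an Ethernet group address (low bit of the first octet set)."""
    first_octet = int(f.dst_mac.split(":")[0], 16)
    return (f.dst_mac.lower() == BROADCAST_MAC or f.dst_ip == BROADCAST_IP
            or first_octet & 1 == 1)

def is_expected(f: Frame, monitored: set, sniffer: set) -> bool:
    """A frame belongs on a single-port SPAN if it involves the monitored host,
    involves the sniffer itself, or is broadcast/multicast (the three checks above)."""
    ends = {f.src_mac.lower(), f.dst_mac.lower(), f.src_ip, f.dst_ip}
    return bool(ends & monitored) or bool(ends & sniffer) or is_broadcast_or_multicast(f)

def unexpected_conversations(frames, monitored, sniffer) -> Counter:
    """Count (src_ip, dst_ip, proto) of frames that pass none of the checks;
    a non-empty result is the symptom the original poster describes."""
    c = Counter()
    for f in frames:
        if not is_expected(f, monitored, sniffer):
            c[(f.src_ip, f.dst_ip, f.proto)] += 1
    return c

# Constructed sample: host on fa0/38 is 10.1.1.38, the sniffer laptop is 10.1.1.200.
MONITORED = {"00:11:22:33:44:38", "10.1.1.38"}
SNIFFER = {"00:aa:bb:cc:dd:ee", "10.1.1.200"}
SAMPLE = [
    Frame("00:11:22:33:44:38", "00:00:0c:00:00:01", "10.1.1.38", "10.1.2.80", "http"),
    Frame("00:00:0c:00:00:01", "00:11:22:33:44:38", "10.1.2.80", "10.1.1.38", "http"),
    Frame("00:11:22:33:44:38", "ff:ff:ff:ff:ff:ff", "", "", "arp"),
    Frame("00:11:22:33:44:77", "00:00:0c:00:00:01", "10.1.1.77", "10.1.2.80", "http"),
    Frame("00:11:22:33:44:77", "00:00:0c:00:00:01", "10.1.1.77", "10.1.2.80", "http"),
    Frame("00:11:22:33:44:90", "00:00:0c:00:00:01", "10.1.1.90", "10.1.2.80", "tcp"),
]

for (src, dst, proto), n in unexpected_conversations(SAMPLE, MONITORED, SNIFFER).most_common():
    print(f"{n:3d}  {src} -> {dst}  {proto}")
```

On a real capture the Frame records would be filled from a pcap reader; a non-empty result gives the source/destination pairs to compare against the switch's span configuration.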
Current thread:
- ethereal capture Cat Thrasher (Sep 17)
- Re: ethereal capture Matt Simmons (Sep 18)
- Re: ethereal capture ericbrouwers (Sep 22)
- <Possible follow-ups>
- RE: ethereal capture Tenorio, Leandro (Sep 18)
- RE: ethereal capture Hagen, Eric (Sep 18)
- RE: ethereal capture Fields, James (Sep 18)