Snort mailing list archives
Re: [tcpdump-workers] Unknow packet
From: Guy Harris <guy () netapp com>
Date: Wed, 16 Jan 2002 14:43:34 -0800 (PST)
> I have been experimenting with writing a sniffer in Perl. While testing the script I received the packet below. The SrcMac is of my layer3 switch and I do not know the DestMAC. This has me worried.
It's a Cisco Discovery Protocol packet, and the destination MAC is a multicast MAC rather than a unicast MAC (CDP packets are multicast), so it won't be the MAC address of *any* of the machines on your network (or of any machine anywhere on the planet).
> I have tried Analyzer, Ethereal, Optimal, and Tcpdump but they drop the packet for some reason (this is an assumption; I never see the packet in their output).
There is no reason why Ethereal or tcpdump would drop that packet, unless they were run with a capture filter that would exclude CDP packets. Perhaps the packet gets lost somewhere else, but if your sniffer is using libpcap/WinPcap, it gets the same stuff that Analyzer, Ethereal, and tcpdump/WinDump would get when run on the same machine, if you capture on the same interface using the same packet filter.
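An added example, not from this thread or from the poster's Perl sniffer: a Python check that applies Guy's point about the destination address. It tests the I/G bit of the destination MAC (set on every group address, never on a host's NIC) and recognises CDP by its LLC/SNAP header; the CDP multicast address 01:00:0c:cc:cc:cc, the Cisco OUI 00:00:0c and protocol id 0x2000 are protocol constants not quoted in the thread, and the frame bytes are constructed here.

```python
import struct

# Protocol constants (from the CDP/SNAP encapsulation, not from the thread).
CDP_MULTICAST_MAC = bytes.fromhex("01000ccccccc")
CISCO_OUI = bytes.fromhex("00000c")
CDP_PID = 0x2000


def build_sample_frame(src_mac: str) -> bytes:
    """Constructed CDP frame: Ethernet header to the CDP group address,
    802.3 length field, LLC/SNAP header, then a minimal CDP body."""
    src = bytes.fromhex(src_mac.replace(":", ""))
    body = bytes([0x02, 0xB4]) + b"\x00\x00"  # version 2, TTL 180, checksum 0 (constructed)
    llc_snap = b"\xaa\xaa\x03" + CISCO_OUI + struct.pack("!H", CDP_PID)
    payload = llc_snap + body
    return CDP_MULTICAST_MAC + src + struct.pack("!H", len(payload)) + payload


def is_multicast(mac: bytes) -> bool:
    # The I/G bit is the least significant bit of the first octet. A unicast
    # NIC never carries it, so such a destination is not any host on the LAN.
    return bool(mac[0] & 0x01)


def classify_frame(frame: bytes) -> dict:
    """Parse the Ethernet header and report destination type and protocol."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    info = {
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "dst_multicast": is_multicast(dst),
        "protocol": "unknown",
    }
    if type_or_len >= 0x0600:
        # Ethernet II: the field is an EtherType, not a length.
        info["protocol"] = f"ethertype 0x{type_or_len:04x}"
        return info
    # 802.3 length field: look for LLC/SNAP (DSAP/SSAP 0xAA, control 0x03).
    llc = frame[14:22]
    if len(llc) == 8 and llc[:3] == b"\xaa\xaa\x03":
        oui, pid = llc[3:6], struct.unpack("!H", llc[6:8])[0]
        if oui == CISCO_OUI and pid == CDP_PID and dst == CDP_MULTICAST_MAC:
            info["protocol"] = "CDP"
        else:
            info["protocol"] = f"SNAP oui={oui.hex()} pid=0x{pid:04x}"
    return info
```

A sniffer that only understands Ethernet II (EtherType at offset 12) will misread the 802.3 length field of a CDP frame, which is one way such a packet ends up looking "unknown".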