Snort mailing list archives

Re: [tcpdump-workers] Unknow packet


From: Guy Harris <guy () netapp com>
Date: Wed, 16 Jan 2002 14:43:34 -0800 (PST)

> I have been experimenting with writing a sniffer in Perl.  While testing the
> script I received the packet below.  The SrcMac is of my layer3 switch and I
> do not know the DestMAC.  This has me worried.

It's a Cisco Discovery Protocol packet, and the destination MAC is a
multicast MAC rather than a unicast MAC (CDP packets are multicast), so
it won't be the MAC address of *any* of the machines on your network (or
of any machine anywhere on the planet).

> I have tried Analyzer,
> Ethereal, Optimal, and Tcpdump but they drop the packet for some reason
> (this is an assumption; I never see the packet in their output).

There is no reason why Ethereal or tcpdump would drop that packet,
unless they were run with a capture filter that would exclude CDP
packets.  Perhaps the packet gets lost somewhere else, but if your
sniffer is using libpcap/WinPcap, it gets the same stuff that Analyzer,
Ethereal, and tcpdump/WinDump would get when run on the same machine, if
you capture on the same interface using the same packet filter.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
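The two points Guy makes (the destination is a multicast MAC, and the frame is CDP carried over 802.3/LLC/SNAP) can be checked programmatically. The following is an added example, not code from the thread or from any of the tools named in it: it parses a raw Ethernet frame, tests the I/G (multicast) bit of the destination address, recognises the Cisco CDP multicast address and SNAP encapsulation, and pulls the Device ID TLV out of a CDP payload. The frame it decodes is constructed inline (source MAC, device name and the zeroed checksum are all made up for the example); the CDP multicast MAC, the Cisco OUI and the SNAP protocol ID are the well-known values.

```python
"""Classify an Ethernet frame: multicast/broadcast destination, and CDP detection.
Added example; frames below are constructed for illustration."""

# Well-known constants (not specific to the thread).
CDP_DST_MAC = bytes.fromhex("01000ccccccc")   # Cisco multicast address used by CDP
CISCO_OUI = bytes.fromhex("00000c")           # SNAP OUI for Cisco protocols
CDP_SNAP_PID = 0x2000                         # SNAP protocol ID for CDP
LLC_SNAP_HEADER = b"\xaa\xaa\x03"             # DSAP/SSAP 0xAA, control 0x03
CDP_TLV_DEVICE_ID = 0x0001


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def is_multicast(mac: bytes) -> bool:
    # The I/G bit is the least significant bit of the first octet;
    # 1 means group (multicast or broadcast), 0 means an individual station.
    return bool(mac[0] & 0x01)


def parse_cdp_tlvs(data: bytes) -> dict:
    """Return {type: value} for the CDP TLVs in data; stops at the first malformed TLV."""
    tlvs = {}
    off = 0
    while off + 4 <= len(data):
        ttype = int.from_bytes(data[off:off + 2], "big")
        tlen = int.from_bytes(data[off + 2:off + 4], "big")   # length includes the 4-byte header
        if tlen < 4 or off + tlen > len(data):
            break                                              # truncated or bogus length
        tlvs[ttype] = data[off + 4:off + tlen]
        off += tlen
    return tlvs


def classify_frame(frame: bytes) -> dict:
    """Describe the destination address and, where applicable, identify CDP."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    type_or_len = int.from_bytes(frame[12:14], "big")
    info = {
        "dst": mac_str(dst),
        "src": mac_str(src),
        "dst_is_multicast": is_multicast(dst),
        "dst_is_broadcast": dst == b"\xff" * 6,
        "protocol": None,
    }
    if type_or_len <= 1500:
        # IEEE 802.3 length field: an LLC header follows.
        info["encapsulation"] = "802.3"
        payload = frame[14:14 + type_or_len]
        if payload[:3] == LLC_SNAP_HEADER and len(payload) >= 8:
            oui, pid = payload[3:6], int.from_bytes(payload[6:8], "big")
            info["snap_oui"], info["snap_pid"] = oui.hex(), pid
            if oui == CISCO_OUI and pid == CDP_SNAP_PID and len(payload) >= 12:
                info["protocol"] = "CDP"
                info["cdp_version"] = payload[8]      # CDP header: version, TTL, checksum
                info["cdp_ttl"] = payload[9]
                tlvs = parse_cdp_tlvs(payload[12:])
                if CDP_TLV_DEVICE_ID in tlvs:
                    info["cdp_device_id"] = tlvs[CDP_TLV_DEVICE_ID].decode("ascii", "replace")
    else:
        # Ethernet II: the field is an EtherType (e.g. 0x0800 for IPv4).
        info["encapsulation"] = "Ethernet II"
        info["ethertype"] = type_or_len
    return info


def build_sample_cdp_frame(device_id: bytes = b"sw1") -> bytes:
    """Constructed CDP frame: locally administered source MAC, zeroed checksum."""
    tlv = CDP_TLV_DEVICE_ID.to_bytes(2, "big") + (4 + len(device_id)).to_bytes(2, "big") + device_id
    cdp = bytes([2, 180]) + b"\x00\x00" + tlv               # version 2, TTL 180 s, checksum 0 (constructed)
    payload = LLC_SNAP_HEADER + CISCO_OUI + CDP_SNAP_PID.to_bytes(2, "big") + cdp
    src = bytes.fromhex("021122334455")                      # constructed source address
    # Real frames are padded to 60 bytes on the wire; omitted here for brevity.
    return CDP_DST_MAC + src + len(payload).to_bytes(2, "big") + payload


def build_sample_unicast_frame() -> bytes:
    """Constructed Ethernet II frame with a unicast destination and an IPv4 EtherType."""
    return bytes.fromhex("02aabbccddee") + bytes.fromhex("021122334455") + b"\x08\x00" + b"\x45" + b"\x00" * 19


if __name__ == "__main__":
    for f in (build_sample_cdp_frame(), build_sample_unicast_frame()):
        print(classify_frame(f))
```

The same distinction can be confirmed with the tools in the thread: a capture filter such as `ether dst 01:00:0c:cc:cc:cc` in tcpdump or Ethereal/Wireshark shows only the CDP traffic, and if that filter shows frames while the broader capture did not, the difference is almost certainly a capture filter excluding them rather than the library dropping them, exactly as Guy says.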
