Snort mailing list archives
Re: Re: [Ethereal-users] Unknow packet
From: "Corne van Strien" <strien () atilas nl>
Date: Thu, 17 Jan 2002 13:10:38 +0100
Hi, Regarding:
I have been experimenting with writing a sniffer in Perl. While testing the script I received the packet below. The ScrMac is of my layer3 switch and I do not know the DestMAC. This has me worried. I have tried Analyzer, Ethereal, Optimal, and Tcpdump but they drop the packet for some reason (this is an assumption; I never see the packet in their output). Any insight would be great.

ScrMAC: 000628a08e07
DestMAC: 01000ccccccc
Data:

It doesn't appear to be dangerous. The destination address, "01000ccccccc", is a multicast address belonging to Cisco. I would guess it is something like a "Hey, cisco routers, anyone else here" or "Hey, I'm a cisco routers; what's up" kind of message. You could check out your cisco routers and verify that one of them is the sender.
This is from the Cisco Discovery Protocol: a protocol used by Cisco equipment for discovering other Cisco equipment and building a table containing all neighboring Cisco equipment. CDP is sometimes used by some network management programs like CiscoWorks; it is also used for troubleshooting.

In IOS-based components you can typically disable this using "no cdp enable" on a specific interface, or "no cdp run" to disable CDP completely. For other systems you might have to walk through some menu from the console (or telnet). CDP is enabled on Cisco routers by default. In IOS-based Cisco devices you can see neighboring Cisco devices using "show cdp neighbors".

There are some security issues with CDP. See: http://www.cisco.com/warp/public/707/cdp_issue.shtml

See also http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t3/cdpadds.htm for detailed information about CDP.

See also http://nsa1.www.conxion.com/cisco/index.html for detailed instructions for safely configuring Cisco routers.

Kind Regards,
Corne van Strien, CCNA
Regards, Justin

         00 01 02 03 04 05 06 07 - 08 09 0A 0B 0C 0D 0E 0F  0123456789ABCDEF
00000000 01 00 0C CC CC CC 00 06 - 28 A0 8E 07 01 45 AA AA  ........(....E..
00000010 03 00 00 0C 20 00 01 B4 - 7F 49 00 01 00 19 4D 61  .... ....I....Ma
00000020 69 6E 53 77 69 74 63 68 - 2E 63 68 63 73 69 69 2E  inSwitch.chcsii.
00000030 63 6F 6D 00 02 00 11 00 - 00 00 01 01 01 CC 00 04  com.............
00000040 C0 BE 01 01 00 03 00 11 - 46 61 73 74 45 74 68 65  ........FastEthe
00000050 72 6E 65 74 31 00 04 00 - 08 00 00 00 03 00 05 00  rnet1...........
00000060 E4 43 69 73 63 6F 20 49 - 6E 74 65 72 6E 65 74 77  .Cisco Internetw
00000070 6F 72 6B 20 4F 70 65 72 - 61 74 69 6E 67 20 53 79  ork Operating Sy
00000080 73 74 65 6D 20 53 6F 66 - 74 77 61 72 65 20 0A 49  stem Software .I
00000090 4F 53 20 28 74 6D 29 20 - 4C 33 20 53 77 69 74 63  OS (tm) L3 Switc
000000A0 68 2F 52 6F 75 74 65 72 - 20 53 6F 66 74 77 61 72  h/Router Softwar
000000B0 65 20 28 43 41 54 32 39 - 34 38 47 2D 49 4E 2D 4D  e (CAT2948G-IN-M
000000C0 29 2C 20 56 65 72 73 69 - 6F 6E 20 31 32 2E 30 28  ), Version 12.0(
000000D0 37 29 57 35 28 31 35 64 - 29 20 20 52 45 4C 45 41  7)W5(15d)  RELEA
000000E0 53 45 20 53 4F 46 54 57 - 41 52 45 20 0A 43 6F 70  SE SOFTWARE .Cop
000000F0 79 72 69 67 68 74 20 28 - 63 29 20 31 39 38 36 2D  yright (c) 1986-
00000100 32 30 30 30 20 62 79 20 - 63 69 73 63 6F 20 53 79  2000 by cisco Sy
00000110 73 74 65 6D 73 2C 20 49 - 6E 63 2E 0A 43 6F 6D 70  stems, Inc..Comp
00000120 69 6C 65 64 20 4D 6F 6E - 20 30 35 2D 4A 75 6E 2D  iled Mon 05-Jun-
00000130 30 30 20 31 36 3A 31 36 - 20 62 79 20 69 6E 74 65  00 16:16 by inte
00000140 67 00 06 00 12 63 69 73 - 63 6F 20 43 61 74 32 39  g....cisco Cat29
00000150 34 38 47                                           48G

thanks
Jay Flowers
Integic Health Care

_______________________________________________
Ethereal-users mailing list
Ethereal-users () ethereal com
http://www.ethereal.com/mailman/listinfo/ethereal-users

--
Justin C. Walker, Curmudgeon-At-Large  *
Institute for General Semantics        | When LuteFisk is outlawed
                                       | Only outlaws will have
                                       | LuteFisk
*--------------------------------------*-------------------------------*

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
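Added example, not part of the original posts: a small parser for the frame layout visible in the hex dump above (802.3 header, LLC/SNAP with the Cisco OUI and PID 0x2000, a 4-byte CDP header, then type/length/value records), showing what a CDP-enabled port discloses to every host on the segment and so what "no cdp enable" stops advertising. The sample frame, its names and the function names are constructed for illustration; the TLV types 1, 3, 5 and 6 are the ones that appear in the dump.

```python
import struct

CDP_MCAST = bytes.fromhex("01000ccccccc")      # destination MAC seen in the thread
SNAP_CDP = bytes.fromhex("aaaa0300000c2000")   # LLC AA AA 03, OUI 00000C, PID 0x2000
TLV_NAMES = {1: "device_id", 3: "port_id", 5: "software_version", 6: "platform"}

def parse_cdp(frame):
    """Return the fields a CDP frame discloses, or None if it is not CDP."""
    if len(frame) < 26 or frame[:6] != CDP_MCAST or frame[14:22] != SNAP_CDP:
        return None
    version, ttl, _checksum = struct.unpack("!BBH", frame[22:26])
    info = {"src_mac": ":".join(f"{b:02x}" for b in frame[6:12]),
            "version": version, "ttl": ttl, "incomplete": False}
    pos = 26                                   # first TLV follows the CDP header
    while pos + 4 <= len(frame):
        tlv_type, tlv_len = struct.unpack("!HH", frame[pos:pos + 4])
        if tlv_len < 4:                        # length must cover its own header
            info["incomplete"] = True          # malformed: stop instead of looping
            break
        if pos + tlv_len > len(frame):         # capture cut off inside this TLV
            info["incomplete"] = True
        name = TLV_NAMES.get(tlv_type)
        if name:                               # text TLVs only; others are skipped
            value = frame[pos + 4:pos + tlv_len]
            info[name] = value.decode("ascii", "replace")
        pos += tlv_len
    return info

def tlv(tlv_type, value):
    """Encode one TLV; the length field counts the 4 header bytes too."""
    return struct.pack("!HH", tlv_type, len(value) + 4) + value

def sample_frame():
    """Constructed frame with hypothetical names, not the capture from the thread."""
    body = b"\x01\xb4\x00\x00"                 # version 1, TTL 180, checksum not set
    body += tlv(1, b"lab-switch.example.net") + tlv(3, b"FastEthernet1")
    body += tlv(5, b"IOS (tm) sample build") + tlv(6, b"cisco sample-platform")
    llc = SNAP_CDP + body
    src = bytes.fromhex("020000000001")        # locally administered sample MAC
    return CDP_MCAST + src + struct.pack("!H", len(llc)) + llc

if __name__ == "__main__":
    for key, val in parse_cdp(sample_frame()).items():
        print(f"{key}: {val}")
```

The `incomplete` flag covers a capture that ends inside a TLV, as the dump in this thread does at offset 0x150.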
Current thread:
- Unknow packet Flowers, Jay (Jan 16)
- Re: [tcpdump-workers] Unknow packet Guy Harris (Jan 16)
- Re: [Ethereal-users] Unknow packet Justin C . Walker (Jan 16)
- Re: Re: [Ethereal-users] Unknow packet Corne van Strien (Jan 17)
- <Possible follow-ups>
- FW: Unknow packet Madziarczyk, Jonathan (Jan 16)