RE: general sniffer question
From: theog@yoda.dnsq.org
Date: 09/06/01
- Previous message: Jonathan Goetsch: "Network Based VPN's / Qwest as the Telecomm God"
- In reply to: leon: "RE: general sniffer question"
- Next in thread: Jeff Miller: "RE: general sniffer question"
- Next in thread: jnf: "Re: general sniffer question"
- Reply: Jeff Miller: "RE: general sniffer question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 6 Sep 2001 05:13:22 -0400 (EDT)
From: <theog@yoda.dnsq.org>
To: leon <leon@inyc.com>
Subject: RE: general sniffer question
Message-ID: <Pine.LNX.4.33.0109060510240.21684-100000@yoda.dnsq.org>
Well, I think with the sniffer you're using you can filter what you sniff;
try focusing on collecting only the data you need for analyzing. How
many Ethernet machines are connected to your LAN? It is possible that
what you saw was normal and you simply never checked; maybe you need further
subnetting ...
TheOG
On Wed, 5 Sep 2001, leon wrote:
> Right but they never stopped blinking. I must have not made that clear.
> The lights just kept flashing like a Christmas tree (minus the pretty
> colors). So this storm lasted for as long as it took us to track down
> the router.
>
> -----Original Message-----
> From: theog@yoda.dnsq.org [mailto:theog@yoda.dnsq.org]
> Sent: Wednesday, September 05, 2001 9:03 PM
> To: leon
> Cc: security-basics@securityfocus.com
> Subject: Re: general sniffer question
>
> It is possible that what you saw was ARP broadcasts. ARP IS part of the
> TCP/IP protocol stack; even though the machines are using TCP/IP as a
> communication protocol, they need the MAC address of each card. An IP
> is a logical representation of the machine, so how will one computer know
> the physical location of another? When you communicate over Ethernet,
> your computer takes the IP address and tries to find the MAC address
> (i.e. the Ethernet card matching it) for the IP. It does that by
> broadcasting ARP packets, then it saves it into a cache (ARP cache) for
> a predefined TTL. The fact that you saw your router's password
> indicates you saw a packet going through the default gateway (which also
> uses ARP, as any Ethernet device does).
>
> TheOG
>
> On Fri, 31 Aug 2001, leon wrote:
>
> > Hi all,
> >
> > I am a little confused by what I am seeing in the sniffer logs and I
> > was wondering if someone could help me out. First a little background: I
> > am trying to sniff on a switched network without attacking the switches
> > (ie like flooding the arp table). I know that I should be able to see
> > broadcast traffic because everyone sees it, but I am actually seeing
> > other people's packets that are not broadcast packets. How is that
> > possible???? I thought the whole concept behind the switch was that
> > the traffic was isolated (via separate collision domains.) Not only that
> > but in the program I am using (Sniffer Pro 4.5) I am seeing broadcast
> > traffic for "devices" (the device has a mac address) that don't have
> > IP addys. That seems weird as I assumed everything would need to have an
> > IP addy to communicate via tcp/ip. I guess maybe this device is
> > talking via another protocol at layer 2?
> >
> > So since I couldn't find the ip addy of the machine I looked up who
> > owned the mac-addy on a website. Note helpful website alert
> > http://www.coffer.com/mac_find/ and found that the mac address was
> > owned by the company that made the router. So here are my questions. How is it
> > possible for me to see other people's traffic (non broadcast) on the
> > switch without attacking it or it malfunctioning? Also why would the
> > router have a mac address and it not be matched up to an ip? Further
> > I wonder if anyone has suggestions for tracking devices down in the
> > future when you don't have their ip and only a mac addy? I used windows to
> > see all the macs of pcs and I know with hp's and some printers you can
> > print out configurations but what about those you can't? Do other people
> > just go to a website like I did?
> >
> > Thoughts, comments, answers, flames?
> > Public or private
> >
> > Thx
> >
> > Leon
> >
>
>
--
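As an added example (not part of the original thread or anyone's post in it), a small Python parser for the kind of frames Leon describes: it classifies each Ethernet frame as broadcast or unicast, decodes the ARP requests and replies that TheOG attributes the blinking lights to, pulls out the 3-byte OUI prefix used for vendor lookups, and counts ARP requests per sender so a sustained burst from one MAC stands out. All MAC and IP addresses below are constructed sample values, not addresses from the thread.

```python
import struct
from collections import Counter

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
BROADCAST = b"\xff" * 6
ETHERTYPE_ARP = 0x0806

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_frame(frame):
    """Describe one raw Ethernet frame; decode the ARP body when present."""
    dst, src, etype = ETH_HDR.unpack_from(frame)
    info = {"dst": mac_str(dst), "src": mac_str(src), "oui": mac_str(src[:3]),
            "broadcast": dst == BROADCAST, "ethertype": etype, "arp_op": None}
    if etype == ETHERTYPE_ARP and len(frame) >= ETH_HDR.size + ARP_PKT.size:
        _, _, _, _, op, _sha, spa, _tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
        info["arp_op"] = {1: "request", 2: "reply"}.get(op, f"op{op}")
        info["spa"] = ".".join(map(str, spa))   # sender protocol (IPv4) address
        info["tpa"] = ".".join(map(str, tpa))   # target protocol (IPv4) address
    return info

def build_arp(src_mac, spa, tpa, op=1, dst_mac=BROADCAST, tha=b"\x00" * 6):
    """Build an Ethernet+ARP frame (used here only to construct sample input)."""
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, op, src_mac, bytes(spa), tha, bytes(tpa))
    return ETH_HDR.pack(dst_mac, src_mac, ETHERTYPE_ARP) + arp

def arp_request_storm(frames, threshold):
    """Count ARP requests per sender MAC; return senders at or above threshold."""
    counts = Counter(f["src"] for f in map(parse_frame, frames) if f["arp_op"] == "request")
    return {mac: n for mac, n in counts.items() if n >= threshold}

# Constructed sample capture: a "router" (locally administered MAC, not a real
# vendor OUI) ARPs for six hosts in a row; one host answers with a unicast reply.
ROUTER = b"\x02\xaa\xbb\xcc\xdd\x01"
HOST = b"\x02\xaa\xbb\xcc\xdd\x0a"
SAMPLE_FRAMES = [build_arp(ROUTER, (192, 168, 1, 1), (192, 168, 1, n)) for n in range(10, 16)]
SAMPLE_FRAMES.append(build_arp(HOST, (192, 168, 1, 10), (192, 168, 1, 1), op=2, dst_mac=ROUTER, tha=ROUTER))

if __name__ == "__main__":
    for f in map(parse_frame, SAMPLE_FRAMES):
        kind = "broadcast" if f["broadcast"] else "unicast"
        print(f'{f["src"]} -> {f["dst"]} {kind} arp={f["arp_op"]} oui={f["oui"]}')
    print("ARP request burst:", arp_request_storm(SAMPLE_FRAMES, threshold=5))
```

On a real capture, feed the raw frames from a pcap into `parse_frame` in place of `SAMPLE_FRAMES`; the OUI field is what a vendor lookup such as the site Leon mentions keys on.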