RE: general sniffer question

From: Jeff Miller (jrm.wa@verizon.net)
Date: 09/10/01


From: "Jeff Miller" <jrm.wa@verizon.net>
To: <security-basics@securityfocus.com>
Subject: RE: general sniffer question
Date: Sun, 9 Sep 2001 15:44:16 -0700
Message-ID: <000501c13980$f522a4d0$46ac2204@jrmathome>

As far as getting an IP that's associated with a MAC address, one trick I've
used extensively is to go to the nearest router, log output to a file and
display its ARP table (sh arp on Cisco). Then you can search for your
target MAC address and view its associated IP address.

-----Original Message-----
From: theog@yoda.dnsq.org [mailto:theog@yoda.dnsq.org]
Sent: Thursday, September 06, 2001 2:13 AM
To: leon
Cc: security-basics@securityfocus.com
Subject: RE: general sniffer question

Well I think with the sniffer you're using you can filter what you sniff;
try focusing on collecting only the data you need for analyzing. How
many ethernet machines are connected to your lan? It is possible that
what you saw was normal, you simply never checked; maybe you need further
subnetting ...

TheOG

On Wed, 5 Sep 2001, leon wrote:

> Right but they never stopped blinking. I must have not made that clear.
> The lights just kept flashing like a Christmas tree (minus the pretty
> colors). So this storm lasted for as long as it took us to track down
> the router.
>
> -----Original Message-----
> From: theog@yoda.dnsq.org [mailto:theog@yoda.dnsq.org]
> Sent: Wednesday, September 05, 2001 9:03 PM
> To: leon
> Cc: security-basics@securityfocus.com
> Subject: Re: general sniffer question
>
> It is possible that what you saw was ARP broadcasts. ARP IS part of the
> tcp/ip protocol stack. Even though the machines are using tcp/ip as a
> communication protocol, they need the MAC address of each card; an ip
> is a logical representation of the machine, so how will one computer know
> the physical location of another? When you communicate over ethernet,
> your computer takes the ip address and tries to find the MAC address
> (i.e. the ethernet card matching it) for the ip. It does that by
> broadcasting arp packets, then it saves it into a cache (arp cache) for
> a predefined TTL. The fact that you saw your router's password
> indicates you saw a packet going through the default gateway (which also
> uses arp as any ethernet device does).
>
> TheOG
>
> On Fri, 31 Aug 2001, leon wrote:
>
> > Hi all,
> >
> > I am a little confused by what I am seeing in the sniffer logs and I
> > was wondering if someone could help me out. First a little background: I
> > am trying to sniff on a switched network without attacking the switches
> > (ie like flooding the arp table). I know that I should be able to see
> > broadcast traffic because everyone sees it but I am actually seeing
> > other people's packets that are not broadcast packets. How is that
> > possible???? I thought the whole concept behind the switch was that
> > the traffic was isolated (via separate collision domains.) Not only that
> > but in the program I am using (Sniffer Pro 4.5) I am seeing broadcast
> > traffic for "devices" (the device has a mac address) that don't have
> > IP addys. That seems weird as I assumed everything would need to have an
> > IP addy to communicate via tcp/ip. I guess maybe this device is
> > talking via another protocol at layer 2?
> >
> > So since I couldn't find the ip addy of the machine I looked up who
> > owned the mac-addy on a website. Note helpful website alert
> > http://www.coffer.com/mac_find/ and found that the mac address was
> > owned by the company that made the router. So here are my questions. How
> > is it possible for me to see other people's traffic (non broadcast) on
> > the switch without attacking it or it malfunctioning? Also why would the
> > router have a mac address and it not be matched up to an ip? Further
> > I wonder if anyone has suggestions for tracking devices down in the
> > future when you don't have their ip and only a mac addy? I used windows
> > to see all the macs of pcs and I know with hp's and some printers you
> > can print out configurations but what about those you can't? Do other
> > people just go to a website like I did?
> >
> > Thoughts, comments, answers, flames?
> > Public or private
> >
> > Thx
> >
> > Leon
> >
>
>

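The MAC-to-IP lookup Jeff describes (dump the router's ARP table, then search it for the MAC) can be scripted once the output is in a file. This is an added example, not code from the thread; the "show arp" text below is a constructed sample in Cisco IOS layout, and the functions handle the three common MAC notations so a colon-form MAC from a sniffer can be matched against Cisco's dotted form.

```python
import re
from typing import Dict, List

# Constructed sample of Cisco IOS "show arp" output saved to a file
# (addresses and MACs are made up for this example).
SHOW_ARP_SAMPLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.1             -   0000.0c07.ac01  ARPA   FastEthernet0/0
Internet  192.168.1.23           12   00a0.c9ab.12ef  ARPA   FastEthernet0/0
Internet  192.168.1.77            0   Incomplete      ARPA
Internet  192.168.2.5             3   0800.2bcd.4e5f  ARPA   FastEthernet0/1
Internet  192.168.2.6             3   0800.2bcd.4e5f  ARPA   FastEthernet0/1
"""


def normalize_mac(mac: str) -> str:
    """Return a MAC as 12 lowercase hex digits. Accepts Cisco dotted
    (aaaa.bbbb.cccc), colon (aa:bb:cc:dd:ee:ff) and hyphen (aa-bb-...)."""
    digits = re.sub(r"[.:\-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def parse_show_arp(text: str) -> Dict[str, List[dict]]:
    """Map normalized MAC -> list of {ip, age, interface} entries.
    A list is used because one MAC can legitimately own several IPs
    (secondary addresses, virtual/HSRP addresses). Entries still marked
    'Incomplete' have no hardware address yet and are skipped."""
    table: Dict[str, List[dict]] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "Internet":
            continue  # header line or a protocol we do not care about
        ip, age, hw = fields[1], fields[2], fields[3]
        if hw.lower() == "incomplete":
            continue
        iface = fields[5] if len(fields) > 5 else None
        table.setdefault(normalize_mac(hw), []).append(
            {"ip": ip, "age": age, "interface": iface})
    return table


def lookup_mac(show_arp_text: str, mac: str) -> List[dict]:
    """All ARP entries for a MAC, or an empty list if the router never
    resolved it (e.g. the host is on a different subnet or is silent)."""
    return parse_show_arp(show_arp_text).get(normalize_mac(mac), [])
```

If the MAC is absent, the router on that segment simply has not talked to the host; try the gateway that actually serves the host's subnet, since an ARP table only covers directly attached networks.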