[Dshield] tethereal question + routing question
peteoutside at yahoo.com
Wed Apr 5 19:29:20 GMT 2006
I am currently doing on-site mitigation. Trying to track down a couple of boxes and I'm running into some snags. Could use some advice on the following.
First, I have got a snort box doing full packet captures in a good spot, trying to find my bad guy AND get a feel for what traffic is zooming about. I figured I could just configure tethereal to output some basic fields (timestamp, source/destination IP/port/mac, etc.). Unfortunately, instead of printing out blank fields, if data is missing for a field then tethereal will just print another field where that one is supposed to go. For example, if the fields go "source ip,source port,destination ip,destination port" then you will have four fields for normal TCP/IP traffic. For ICMP packets, though, you will only see a line with "source ip,destination ip." What I need is something like "source ip,,destination ip,".
Second question...I'm trying to track down these IPs but the only MAC addresses I'm seeing are the interfaces for the premise router. I think if I get the ARP tables then that should tell me what devices are hanging off that router, but isn't there a way to do that for all switches, remotely? I seem to remember a whitepaper about that subject last year, for a cisco environment, but I can't find it. Any other advice would be appreciated.
Yahoo! Messenger with Voice. Make PC-to-Phone Calls to the US (and 30+ countries) for 2¢/min or less.
More information about the list