[Dshield] tethereal question + routing question
aaron at adldatacomm.net
Thu Apr 6 14:48:55 GMT 2006
Depending on the switch that you have, you can most likely obtain the
desired information from there. As an example I know that on a Cisco device
there is a slew of information gathered on the switch which is very useful
in tracking machines, especially since you can see what port they're hanging
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org]On Behalf Of Pete Cap
Sent: Wednesday, April 05, 2006 3:29 PM
To: list at lists.dshield.org
Subject: [Dshield] tethereal question + routing question
I am currently doing on-site mitigation. Trying to track down a couple of
boxes and I'm running into some snags. Could use some advice on the
First, I have got a snort box doing full packet captures in a good spot,
trying to find my bad guy AND get a feel for what traffic is zooming about.
I figured I could just configure tethereal to output some basic fields
(timestamp, source/destination IP/port/mac, etc.). Unfortunately, instead
of printing out blank fields, if data is missing for a field then tethereal
will just print another field where that one is supposed to go. For
example, if the fields go "source ip,source port,destination ip,destination
port" then you will have four fields for normal TCP/IP traffic. For ICMP
packets, though, you will only see a line with "source ip,destination ip."
What I need is something like "source ip,,destination ip,".
Second question...I'm trying to track down these IPs but the only MAC
addresses I'm seeing are the interfaces for the premise router. I think if
I get the ARP tables then that should tell me what devices are hanging off
that router, but isn't there a way to do that for all switches, remotely? I
seem to remember a whitepaper about that subject last year, for a cisco
environment, but I can't find it. Any other advice would be appreciated.
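Added example, not from the thread or from tethereal itself: a small Python parser that emits the fixed-column CSV Pete asks for, printing an empty field whenever a protocol has no value for it (ICMP has no ports), so that every row has the same column count. The two Ethernet frames are constructed inline for the demonstration.

```python
# Emit "src_mac,dst_mac,src_ip,src_port,dst_ip,dst_port,proto" per frame,
# leaving a column empty instead of shifting the remaining fields left.
import struct
import socket

COLUMNS = ["src_mac", "dst_mac", "src_ip", "src_port", "dst_ip", "dst_port", "proto"]

def mac_str(b):
    return ":".join("%02x" % x for x in b)

def parse_frame(frame):
    """Return a dict with every column present; missing values are ''."""
    row = dict.fromkeys(COLUMNS, "")
    if len(frame) < 14:                      # runt frame: all columns blank
        return row
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    row["dst_mac"], row["src_mac"] = mac_str(dst), mac_str(src)
    if ethertype != 0x0800:                  # not IPv4: IP/port columns stay blank
        return row
    ip = frame[14:]
    if len(ip) < 20:
        return row
    ihl = (ip[0] & 0x0F) * 4                 # header length in bytes
    proto = ip[9]
    row["src_ip"] = socket.inet_ntoa(ip[12:16])
    row["dst_ip"] = socket.inet_ntoa(ip[16:20])
    row["proto"] = {1: "icmp", 6: "tcp", 17: "udp"}.get(proto, str(proto))
    l4 = ip[ihl:]
    if proto in (6, 17) and len(l4) >= 4:    # only TCP/UDP carry ports
        row["src_port"], row["dst_port"] = map(str, struct.unpack("!HH", l4[:4]))
    return row

def to_csv(frame):
    return ",".join(parse_frame(frame)[c] for c in COLUMNS)

def build_frame(proto, l4):
    """Constructed IPv4 frame 10.0.0.5 -> 192.0.2.9 (checksum left 0; fine for parsing)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton("10.0.0.5"), socket.inet_aton("192.0.2.9"))
    return eth + ip + l4

# Constructed sample input: one TCP segment (40123 -> 443) and one ICMP echo request.
TCP_FRAME = build_frame(6, struct.pack("!HH", 40123, 443) + b"\x00" * 16)
ICMP_FRAME = build_frame(1, bytes([8, 0, 0, 0, 0, 1, 0, 1]))

if __name__ == "__main__":
    print(",".join(COLUMNS))
    for f in (TCP_FRAME, ICMP_FRAME):
        print(to_csv(f))
```

Current tshark (the renamed tethereal) does this natively with `-T fields -e <field> ... -E separator=,`, which prints an empty string for a field the packet lacks.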