[Dshield] tethereal question + routing question

Aaron Lewis aaron at adldatacomm.net
Thu Apr 6 14:51:46 GMT 2006


I'm sorry, I left something out. Telnet or SSH to the switch. After you're in
EXEC mode, type 'show arp' and 'show mac-address-table'.

-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org]On Behalf Of Pete Cap
Sent: Wednesday, April 05, 2006 3:29 PM
To: list at lists.dshield.org
Subject: [Dshield] tethereal question + routing question


List,

 I am currently doing on-site mitigation.  Trying to track down a couple of
boxes and I'm running into some snags.  Could use some advice on the
following.

 First, I have got a snort box doing full packet captures in a good spot,
trying to find my bad guy AND get a feel for what traffic is zooming about.
I figured I could just configure tethereal to output some basic fields
(timestamp, source/destination IP/port/mac, etc.).  Unfortunately, instead
of printing out blank fields, if data is missing for a field then tethereal
will just print another field where that one is supposed to go.  For
example, if the fields go "source ip,source port,destination ip,destination
port" then you will have four fields for normal TCP/IP traffic.  For ICMP
packets, though, you will only see a line with "source ip,destination ip."
What I need is something like "source ip,,destination ip,".

 Second question...I'm trying to track down these IPs but the only MAC
addresses I'm seeing are the interfaces for the premise router.  I think if
I get the ARP tables then that should tell me what devices are hanging off
that router, but isn't there a way to do that for all switches, remotely?  I
seem to remember a whitepaper about that subject last year, for a cisco
environment, but I can't find it.  Any other advice would be appreciated.

 Thanks,

 Pete
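The first question above is about getting a fixed number of columns out of a capture so that an ICMP frame lines up with a TCP frame. The following is an added example, not code from the list or from tethereal: a small Python decoder that reads a classic libpcap file from memory, pulls the same basic fields (timestamp, MACs, IPs, protocol, ports) and always emits all eight columns, leaving a cell blank when the field does not apply. The sample capture at the bottom is constructed in code (a TCP SYN, an ICMP echo and an ARP broadcast between made-up hosts), so it runs offline.

```python
import csv
import io
import struct

# Fixed column set: every row carries all eight columns, blank where a field
# does not apply, so ICMP and ARP frames line up with TCP/UDP rows.
COLUMNS = ["frame_time", "eth_src", "eth_dst", "ip_src", "ip_dst",
           "ip_proto", "src_port", "dst_port"]


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def summarize_frame(ts, frame):
    """Decode Ethernet/IPv4/TCP-UDP headers into a row with the fixed columns."""
    row = {c: "" for c in COLUMNS}
    row["frame_time"] = f"{ts:.6f}"
    if len(frame) < 14:
        return row
    row["eth_dst"] = mac_str(frame[0:6])
    row["eth_src"] = mac_str(frame[6:12])
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:          # not IPv4 (e.g. ARP): IP columns stay blank
        return row
    ip = frame[14:]
    if len(ip) < 20:
        return row
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    row["ip_src"], row["ip_dst"] = ip_str(ip[12:16]), ip_str(ip[16:20])
    row["ip_proto"] = str(proto)
    l4 = ip[ihl:]
    if proto in (6, 17) and len(l4) >= 4:   # TCP or UDP: first four bytes are the ports
        sport, dport = struct.unpack("!HH", l4[:4])
        row["src_port"], row["dst_port"] = str(sport), str(dport)
    return row                                # ICMP etc.: port columns stay blank


def iter_pcap(data):
    """Yield (timestamp, frame bytes) from a classic libpcap file held in memory."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    off = 24                                  # skip the 24-byte global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def pcap_to_rows(data):
    return [summarize_frame(ts, frame) for ts, frame in iter_pcap(data)]


def rows_to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# --- constructed sample capture (made-up hosts, not real traffic) -----------
def _ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes(src), bytes(dst))
    return hdr + payload


def _frame(src_mac, dst_mac, ethertype, body):
    return bytes(dst_mac) + bytes(src_mac) + struct.pack("!H", ethertype) + body


def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1144249740 + i, 0, len(f), len(f)) + f
    return out


HOST_A, HOST_B = (0, 0x11, 0x22, 0x33, 0x44, 0x55), (0, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE)
IP_A, IP_B = (10, 0, 0, 5), (10, 0, 0, 1)
SAMPLE_PCAP = _pcap([
    _frame(HOST_A, HOST_B, 0x0800, _ipv4(IP_A, IP_B, 6,   # TCP SYN to port 22
           struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 0x50, 0x02, 8192, 0, 0))),
    _frame(HOST_A, HOST_B, 0x0800, _ipv4(IP_A, IP_B, 1,   # ICMP echo request
           struct.pack("!BBHHH", 8, 0, 0, 1, 1))),
    _frame(HOST_A, b"\xff" * 6, 0x0806, bytes(28)),        # ARP request (body zeroed)
])

if __name__ == "__main__":
    print(rows_to_csv(pcap_to_rows(SAMPLE_PCAP)), end="")
```

Running it prints a header line and three rows, each with exactly eight comma-separated cells; the ICMP row has empty port cells and the ARP row has empty IP cells, which is the "source ip,,destination ip," shape the question asks for. The decoder deliberately stops at the IPv4 header plus the first four bytes of layer 4, which is all the requested fields need; anything it cannot parse simply leaves the remaining columns blank rather than shifting later columns left.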
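The second question, and Aaron's reply ('show arp' plus 'show mac-address-table'), amount to a join: the router's ARP table gives IP to MAC, and each switch's MAC table gives MAC to the port it was learned on. The following is an added example, not code from the list or from Cisco: it parses the two IOS-style outputs and reports, for each IP of interest, the MAC and switch port. The 'show arp' and 'show mac-address-table' text below is constructed in the usual IOS layout with made-up addresses; the regular expressions assume that layout (dotted MAC format, one entry per line).

```python
import re

# Cisco IOS "show arp" row: Protocol  Address  Age(min)  Hardware Addr  Type  Interface
ARP_RE = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>\S+)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+\S+\s+(?P<iface>\S+)")
# Cisco IOS "show mac-address-table" row: Vlan  Mac Address  Type  Ports
MAC_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})"
    r"\s+(?P<type>\S+)\s+(?P<port>\S+)")


def normalize_mac(mac):
    """Reduce 0011.2233.4455 / 00:11:22:33:44:55 / 00-11-22-33-44-55 to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits


def parse_arp(text):
    """Map IP -> {'mac', 'iface', 'age'} from 'show arp' output."""
    table = {}
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            table[m["ip"]] = {"mac": normalize_mac(m["mac"]), "iface": m["iface"], "age": m["age"]}
    return table


def parse_mac_table(text):
    """Map MAC -> list of {'vlan', 'port', 'type'} from 'show mac-address-table' output."""
    table = {}
    for line in text.splitlines():
        m = MAC_RE.match(line)
        if m:
            table.setdefault(normalize_mac(m["mac"]), []).append(
                {"vlan": int(m["vlan"]), "port": m["port"], "type": m["type"]})
    return table


def locate_hosts(ips, arp_text, mac_text, uplink_ports=()):
    """For each IP, look up its MAC in the ARP table and the port that MAC was learned on.

    Returns ip -> dict, or None when the router has no ARP entry (host idle or not on
    this segment).  'behind_uplink' is True when the port is a known uplink/trunk, i.e.
    the host sits behind another switch and the lookup must be repeated there.
    """
    arp, macs = parse_arp(arp_text), parse_mac_table(mac_text)
    result = {}
    for ip in ips:
        entry = arp.get(ip)
        if entry is None:
            result[ip] = None
            continue
        hits = macs.get(entry["mac"], [])
        ports = [h["port"] for h in hits if h["type"].upper() != "STATIC"]  # skip the switch's own MACs
        result[ip] = {
            "mac": entry["mac"],
            "router_iface": entry["iface"],
            "port": ports[0] if ports else None,
            "vlan": hits[0]["vlan"] if hits else None,
            "behind_uplink": any(p in uplink_ports for p in ports),
        }
    return result


# --- constructed sample output (made-up addresses) --------------------------
SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.1                -   0011.2233.4455  ARPA   Vlan10
Internet  10.1.1.57              12   000c.29ab.cdef  ARPA   Vlan10
Internet  10.1.1.120              5   0019.e8ff.0001  ARPA   Vlan10
Internet  10.1.1.203              3   0050.56aa.bb01  ARPA   Vlan10
"""

SHOW_MAC = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    000c.29ab.cdef    DYNAMIC     Fa0/7
  10    0050.56aa.bb01    DYNAMIC     Fa0/12
  10    0011.2233.4455    STATIC      CPU
  10    0019.e8ff.0001    DYNAMIC     Gi0/1
Total Mac Addresses for this criterion: 4
"""

if __name__ == "__main__":
    for ip, info in locate_hosts(["10.1.1.57", "10.1.1.120", "10.1.1.99"],
                                 SHOW_ARP, SHOW_MAC, uplink_ports={"Gi0/1"}).items():
        print(ip, info)
```

Two caveats worth keeping in mind when using this on a real network. Both tables are dynamic: an ARP entry and a switch's MAC entry age out (the IOS default MAC aging time is 300 seconds), so a host that has gone quiet will be missing from both until it sends something again, and pinging it from the router just before collecting the output avoids a false "not found". And a MAC learned on a port that leads to another switch only tells you which direction to walk next, which is what the uplink_ports set is for; there is no way to see another switch's table without querying that switch (or its management system) itself. On newer IOS releases the command is spelled 'show mac address-table' but the row layout parsed here is the same.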

