Snort mailing list archives
FW: Unknow packet
From: "Madziarczyk, Jonathan" <than () cityofevanston org>
Date: Wed, 16 Jan 2002 17:04:11 -0600
Off the top of my head I would say this is a CDP packet (broadcast). Odd that you don't see it on Ethereal, I recall seeing them before and labeled as such. You can confirm this by doing a "no cdp enable" on your interface (looks like it's FastEthernet0) and see if it goes away. Remember you will want CDP if you have other Cisco devices (or Cisco Works/OpenView) on that same interface. Other than that, turning it off shouldn't hurt a thing.

Hope this helps,
JonM

--
If you're not living on the edge, you're taking up too much space.

-----Original Message-----
From: Flowers, Jay [mailto:Jay_Flowers () CHCSII COM]
Sent: Wednesday, January 16, 2002 4:27 PM
To: ethereal-users () ethereal com; intrusions () incidents org; Snort-Users@Lists. Sourceforge. Net (snort-users () lists sourceforge net); tcpdump-workers () sandelman ottawa on ca
Subject: [Snort-users] Unknow packet

I have been experimenting with writing a sniffer in Perl. While testing the script I received the packet below. The ScrMac is of my layer3 switch and I do not know the DestMAC. This has me worried. I have tried Analyzer, Ethereal, Optimal, and Tcpdump but they drop the packet for some reason (this is an assumption; I never see the packet in their output). Any insight would be great.

ScrMAC: 000628a08e07
DestMAC: 01000ccccccc
Data:
         00 01 02 03 04 05 06 07 - 08 09 0A 0B 0C 0D 0E 0F  0123456789ABCDEF
00000000 01 00 0C CC CC CC 00 06 - 28 A0 8E 07 01 45 AA AA  ........(....E..
00000010 03 00 00 0C 20 00 01 B4 - 7F 49 00 01 00 19 4D 61  .... ....I....Ma
00000020 69 6E 53 77 69 74 63 68 - 2E 63 68 63 73 69 69 2E  inSwitch.chcsii.
00000030 63 6F 6D 00 02 00 11 00 - 00 00 01 01 01 CC 00 04  com.............
00000040 C0 BE 01 01 00 03 00 11 - 46 61 73 74 45 74 68 65  ........FastEthe
00000050 72 6E 65 74 31 00 04 00 - 08 00 00 00 03 00 05 00  rnet1...........
00000060 E4 43 69 73 63 6F 20 49 - 6E 74 65 72 6E 65 74 77  .Cisco Internetw
00000070 6F 72 6B 20 4F 70 65 72 - 61 74 69 6E 67 20 53 79  ork Operating Sy
00000080 73 74 65 6D 20 53 6F 66 - 74 77 61 72 65 20 0A 49  stem Software .I
00000090 4F 53 20 28 74 6D 29 20 - 4C 33 20 53 77 69 74 63  OS (tm) L3 Switc
000000A0 68 2F 52 6F 75 74 65 72 - 20 53 6F 66 74 77 61 72  h/Router Softwar
000000B0 65 20 28 43 41 54 32 39 - 34 38 47 2D 49 4E 2D 4D  e (CAT2948G-IN-M
000000C0 29 2C 20 56 65 72 73 69 - 6F 6E 20 31 32 2E 30 28  ), Version 12.0(
000000D0 37 29 57 35 28 31 35 64 - 29 20 20 52 45 4C 45 41  7)W5(15d)  RELEA
000000E0 53 45 20 53 4F 46 54 57 - 41 52 45 20 0A 43 6F 70  SE SOFTWARE .Cop
000000F0 79 72 69 67 68 74 20 28 - 63 29 20 31 39 38 36 2D  yright (c) 1986-
00000100 32 30 30 30 20 62 79 20 - 63 69 73 63 6F 20 53 79  2000 by cisco Sy
00000110 73 74 65 6D 73 2C 20 49 - 6E 63 2E 0A 43 6F 6D 70  stems, Inc..Comp
00000120 69 6C 65 64 20 4D 6F 6E - 20 30 35 2D 4A 75 6E 2D  iled Mon 05-Jun-
00000130 30 30 20 31 36 3A 31 36 - 20 62 79 20 69 6E 74 65  00 16:16 by inte
00000140 67 00 06 00 12 63 69 73 - 63 6F 20 43 61 74 32 39  g....cisco Cat29
00000150 34 38 47                                           48G

thanks
Jay Flowers
Integic Health Care

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
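An added example, not part of the original thread: a small Python parser that checks the 802.3/LLC/SNAP header for CDP and walks the TLVs with bounds checks, run on the first 93 bytes of the frame quoted above. The function names are hypothetical; the TLV type numbers and the Addresses layout are assumed from the commonly documented CDP format, not taken from this page, and the CDP checksum is not verified.

```python
import socket
import struct

# First 93 bytes (dump offsets 0x00-0x5C) of the frame posted in this thread,
# cut after the Capabilities TLV to keep the sample short.
FRAME = bytes.fromhex(
    "01000ccccccc000628a08e070145aaaa" "0300000c200001b47f49000100194d61"
    "696e5377697463682e6368637369692e" "636f6d00020011000000010101cc0004"
    "c0be0101000300114661737445746865" "726e6574310004000800000003")

CDP_DST = bytes.fromhex("01000ccccccc")       # Cisco multicast MAC
LLC_SNAP = bytes.fromhex("aaaa0300000c2000")  # LLC/SNAP, OUI 00000c, PID 0x2000
TEXT_TLVS = {1: "device_id", 3: "port_id", 5: "software_version", 6: "platform"}

def parse_addresses(value):
    """Decode the Addresses TLV, returning IPv4 (NLPID 0xCC) entries only."""
    addrs, pos = [], 4  # skip the 4-byte count; walk entries until exhausted
    while pos + 2 <= len(value):
        plen = value[pos + 1]                  # protocol field length
        proto = value[pos + 2:pos + 2 + plen]
        pos += 2 + plen
        alen = int.from_bytes(value[pos:pos + 2], "big")
        addr = value[pos + 2:pos + 2 + alen]
        pos += 2 + alen
        if proto == b"\xcc" and len(addr) == 4:
            addrs.append(socket.inet_ntoa(addr))
    return addrs

def parse_cdp(frame):
    """Return decoded CDP fields, or None when the frame is not CDP."""
    if len(frame) < 26 or frame[:6] != CDP_DST or frame[14:22] != LLC_SNAP:
        return None
    declared = 14 + struct.unpack("!H", frame[12:14])[0]  # 802.3 length field
    end = min(len(frame), declared)            # ignore any trailing padding
    out = {"src_mac": frame[6:12].hex(), "ttl": frame[23],
           "truncated": len(frame) < declared, "tlvs": {}}
    pos = 26  # skip CDP version, TTL and checksum
    while pos + 4 <= end:
        tlv_type, tlv_len = struct.unpack("!HH", frame[pos:pos + 4])
        if tlv_len < 4 or pos + tlv_len > end:
            break  # malformed or cut-off TLV: stop instead of reading past it
        value = frame[pos + 4:pos + tlv_len]
        if tlv_type in TEXT_TLVS:
            out["tlvs"][TEXT_TLVS[tlv_type]] = value.decode("ascii", "replace")
        elif tlv_type == 2:
            out["tlvs"]["addresses"] = parse_addresses(value)
        elif tlv_type == 4 and len(value) == 4:
            out["tlvs"]["capabilities"] = struct.unpack("!I", value)[0]
        pos += tlv_len
    return out
```

Calling `parse_cdp(FRAME)` yields the device ID, management address, port ID and capability bits carried in the posted frame, and flags the sample as truncated because the 802.3 length field declares more bytes than were embedded.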