Ethereal-users: RE: [Ethereal-users] Possible Protocol Mismatch

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Visser, Martin (Sydney)" <martin.visser@xxxxxx>
Date: Tue, 3 Jun 2003 12:07:46 +1000
The choice of protocol decode is based on the best-available information
in the PDU headers, working down the tree so to speak. If the IP
addresses are unknown to you, it is possible that you have some physical
issue on the network which is corrupting the packet data, possibly
leading to misinterpretation. (Have a look if you have any indications
such as IP checksum errors.)

You may want to look at router or switch tables to verify the validity
of the IP or MAC addresses (at least as far as the network equipment is
concerned). If the packets are crossing a router interface, the
destination IP address needs to make sense, and be directed by the
routing tables (even if it is the default route).

Of course it might be possible that someone is spoofing packets (from
the Internet?) for whatever reason, and it might be that your boundary
routers aren't configured in a way to reject those packets.

Is it possible to send a capture file with one or two captured packets?

Martin

Martin Visser, CISSP
Network and Security Consultant 
Technology & Infrastructure - Consulting & Integration
HP Services

3 Richardson Place 
North Ryde, Sydney NSW 2113, Australia 
Phone: +61-2-9022-1670    Mobile: +61-411-254-513
Fax: +61-2-9022-1800    E-mail: martin.visserAThp.com



-----Original Message-----
From: Lambrecht Joris [mailto:joris.lambrecht@xxxxxxxxxxxxxxxxxxxxxxx] 
Sent: Tuesday, 3 June 2003 1:11 AM
To: 'ethereal-users@xxxxxxxxxxxx'
Subject: [Ethereal-users] Possible Protocol Mismatch


Hi,

// I AM NOT ON THIS LIST, PLEASE REPLY TO ALL . . .

I'm a newbie to network analysis and also a newbie to the network I'm
on. I am currently looking into some strange issues which need
clarification.

There is a recurring Zebra Protocol capture which is not supposed to
occur. As far as I know there might be a Zebra-Router on the network,
but the src/dest addresses involved do not return anything close to the
routers I know which are in the network. I even checked the workstation
involved with replying "Zebra Response"; there is no such software
running on that workstation.

I figured out most of the traffic on this network/subnet but cannot
pinpoint the validity of the Zebra Protocol. Did anyone ever encounter a
similar situation in which packets could have been mistaken for a known
protocol? It's pretty far off, I realise, and there's still the chance
of a Zebra-router being out there somewhere, but this would have shown
different IP addresses, no?


Any help would be welcome.


Kind regards,

Joris
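
The two checks raised in the reply (a damaged IP header, and a decode chosen purely from header fields), as an added example that is not part of the original thread or of Ethereal's code. It assumes the Zebra dissector is keyed on TCP port 2600; the function names and the sample packets (documentation addresses in 192.0.2.0/24) are constructed for illustration.

```python
import struct

ZEBRA_TCP_PORT = 2600  # assumption: TCP port the Zebra dissector is keyed on

def ones_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IPv4 header checksum."""
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def triage(packet: bytes) -> dict:
    """Check a raw IPv4 packet (no link-layer header) for the two causes above."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    result = {
        "src": ".".join(map(str, packet[12:16])),
        "dst": ".".join(map(str, packet[16:20])),
        # A valid header, summed with its checksum field included, gives 0xFFFF.
        "checksum_ok": ones_sum(packet[:ihl]) == 0xFFFF,
        "zebra_by_port": None,  # which side matched the port, if any
    }
    if packet[9] == 6 and len(packet) >= ihl + 4:  # IP protocol 6 = TCP
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        if ZEBRA_TCP_PORT in (sport, dport):
            result["zebra_by_port"] = "dst" if dport == ZEBRA_TCP_PORT else "src"
    return result

def build_sample(sport: int, dport: int, corrupt: bool = False) -> bytes:
    """Constructed packet: IPv4 + TCP headers, documentation addresses, no payload."""
    src, dst = bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20])
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ~ones_sum(hdr) & 0xFFFF) + hdr[12:]
    if corrupt:  # simulate damage on the wire: flip one bit of the TTL byte
        hdr = hdr[:8] + bytes([hdr[8] ^ 0x01]) + hdr[9:]
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return hdr + tcp

if __name__ == "__main__":
    # A client whose ephemeral source port happens to be 2600, talking to port 445.
    print(triage(build_sample(2600, 445)))
    print(triage(build_sample(2600, 445, corrupt=True)))
```

A match on the source side only, with a valid checksum, points to an ordinary client that happened to pick that port rather than to a Zebra router. Packets captured on the sending host can also show bad checksums simply because the NIC fills them in after capture.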

