Hello Martin,
I've managed to decode the packets by selecting 'TCP Stream'; this seems to
be the same type of content as a TDS which has been decoded without any
problem. I must confess this is pretty confusing.
Why are packets with the same source:destination port decoded differently?
I'm pretty sure they are served by an application which is legitimate, but
because of the 'creative' way the network has been set up I had been
suspecting a trojan already. Without any clue on how to make really sure
this is not the case.
I'm about to try the AW Ports traffic Analyser to rule out the 60% of doubt
about trojans.
Kind Regards,
Joris
>-----Original Message-----
>From: martin.regner@xxxxxxxxx [mailto:martin.regner@xxxxxxxxx]
>Sent: Monday 2 June 2003 17:47
>To: Lambrecht Joris
>Subject: Re: [Ethereal-users] Possible Protocol Mismatch
>
>
>
>> There is a recurring Zebra Protocol Capture which is not supposed to occur,
>> as far as I know there might be a Zebra-Router on the network but the
>> src.dest.addresses involved do not return anything close to the routers I
>> know which are in the network. I even checked the workstation involved with
>> replying "Zebra Response", there is no such software running on that
>> workstation.
>
>
>Ethereal will think that packets sent to or from tcp port 2600 are
>Zebra protocol.
>
>But actually according to IANA there seems to be an HP protocol
>that is using that port number. I don't know what HPSTGMGR
>is. Might be possible to find something with Google.
>
>hpstgmgr 2600/tcp HPSTGMGR
>hpstgmgr 2600/udp HPSTGMGR
># Kevin Collins <kevinc@xxxxxxxxxxx>
>
>Then there seems to be a trojan that uses the same port:
>http://www.tigertools.net/trojans.txt
>
>
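
A port number alone does not identify the protocol, so the following added example (not part of the original messages) checks whether one direction of a reassembled TCP stream is structurally consistent with TDS, the format the decoded content is said to resemble above. The 8-byte header layout and packet type values are taken from the published MS-TDS specification, which is an assumption about the TDS dialect in use; the sample bytes are constructed.

```python
import struct

# Packet types from the published MS-TDS header; other TDS dialects define more.
TDS_TYPES = {0x01: "SQL batch", 0x02: "pre-TDS7 login", 0x03: "RPC",
             0x04: "tabular result", 0x06: "attention", 0x07: "bulk load",
             0x0E: "transaction manager", 0x10: "TDS7 login",
             0x11: "SSPI", 0x12: "pre-login"}
HEADER = struct.Struct(">BBHHBB")  # type, status, length, SPID, packet id, window


def walk_tds(stream: bytes):
    """Parse one direction of a reassembled TCP stream as back-to-back TDS
    packets. Returns the packet type names; raises ValueError on a mismatch."""
    names, off = [], 0
    while off < len(stream):
        if len(stream) - off < HEADER.size:
            raise ValueError(f"offset {off}: truncated header")
        ptype, _status, length, _spid, _pkt, window = HEADER.unpack_from(stream, off)
        if ptype not in TDS_TYPES:
            raise ValueError(f"offset {off}: unknown type 0x{ptype:02x}")
        if length < HEADER.size or off + length > len(stream):
            raise ValueError(f"offset {off}: length {length} does not fit")
        if window != 0:
            raise ValueError(f"offset {off}: window byte not zero")
        names.append(TDS_TYPES[ptype])
        off += length  # the length field counts the 8-byte header too
    return names


def looks_like_tds(stream: bytes) -> bool:
    """True only if the whole stream parses as one or more TDS packets."""
    try:
        return bool(walk_tds(stream))
    except ValueError:
        return False


def make_packet(ptype: int, body: bytes) -> bytes:
    """Build a constructed sample packet (status 0x01 = end of message)."""
    return HEADER.pack(ptype, 0x01, HEADER.size + len(body), 0, 1, 0) + body


# Constructed samples, not taken from the capture discussed in this thread.
SAMPLE_TDS = (make_packet(0x01, "SELECT 1".encode("utf-16-le"))
              + make_packet(0x04, b"\xfd" + b"\x00" * 8))
SAMPLE_OTHER = b"GET / HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for label, data in (("tds-like", SAMPLE_TDS), ("other", SAMPLE_OTHER)):
        print(label, looks_like_tds(data))
```

A stream that passes this check is only consistent with TDS framing; it says nothing about which application is listening on the port.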