Ethereal-users: RE: [Ethereal-users] Possible Protocol Mismatch

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Visser, Martin (Sydney)" <martin.visser@xxxxxx>
Date: Wed, 4 Jun 2003 13:59:50 +1000
Joris,
 
It sounds like you are making some progress (at least from your response to Martin Regner's mail).
Be certain that you view Ethereal as a diagnostics tool (with all its limitations) and not expect it to give you a final solution. Just as a medical X-ray requires interpretation by an experienced radiologist or surgeon, Ethereal can reveal much about a network, but requires a fair bit of expertise that goes beyond just being able to launch a packet capture.
 
While I understand your frustration at not having the whole picture, it is probably important to understand the network topology in order to solve your problem. (If I am doing this type of analysis, I always try to have a good physical and logical understanding of the network before I even start).
For instance, if you can determine the source MAC and IP address of the frames in question, which Ethereal should give you, you must be able to physically determine where they came from. Either you need to get access to the routing/switch tables in your equipment, or arrange some downtime on the network and "divide and conquer" to isolate the source. Now that Ethereal has identified some issues, you really need to use more fundamental techniques to solve your problem.
 
Also, be a little careful with your comments - "Although identifying a protocol simply by port-assignment seems pretty lame to me, certainly not what I would expect from a project like Ethereal which counts quite a lot of contributors." Someone might give you a job! (Please remember that the work on Ethereal is done as a community effort; the individual contributions usually are to meet a personal need, yet improve the quality of the whole). As Martin R. said, the heuristics of determining how to decode a particular frame are not always straightforward. It could well be that there are some issues with how "smart" Ethereal is. Even if you can't cut code, I'm sure constructive architectural suggestions are always welcome.
 
Regards, Martin
 
 
 
-----Original Message-----
From: Lambrecht Joris [mailto:joris.lambrecht@xxxxxxxxxxxxxxxxxxxxxxx]
Sent: Tue 3/06/2003 6:21 PM
To: ethereal-users@xxxxxxxxxxxx
Cc:
Subject: RE: [Ethereal-users] Possible Protocol Mismatch

	>-----Original Message-----
	>From: Visser, Martin (Sydney) [mailto:martin.visser@xxxxxx]
	>Sent: dinsdag 3 juni 2003 04:08
	>To: Lambrecht Joris; ethereal-users@xxxxxxxxxxxx
	>Subject: RE: [Ethereal-users] Possible Protocol Mismatch
	>
	>
	>The choice of protocol decode is based on the best-available information
	>in the PDU headers, working down the tree so to speak. If the IP
	>addresses are unknown to you, it is possible that you have some physical
	>issue on the network which is corrupting the packet data, possibly
	>leading to misinterpretation. (Have a look if you have any indications
	>such as IP checksum errors.)
	>
	
	Thus I assume protocol decoding is linear and will not revert to a
	not-so-close match after failing the first match? That is probably what's
	happening. Although identifying a protocol simply by port-assignment seems
	pretty lame to me, certainly not what I would expect from a project like
	Ethereal which counts quite a lot of contributors.
	
	There is some kind of corruption on this network but, for now, I assume it's
	only of the windows-networking kind. 'Malformed Browser Requests' are quite
	frequent yet not triumphant.
	
	The IP addresses are not unknown but the services they seem to be supplying
	are suspicious when taking a strict look. I am not performing a
	network-security audit just yet; given the fact that nearly every registered
	port is used by some trojan, I'm still holding back from screaming Trojan!
	although at times this seemed a more welcome approach.
	
	>You may want to look at router or switch tables to verify the validity
	>of the IP or MAC addresses (at least as far as the network equipment is
	>concerned).
	
	That is a very welcome suggestion which could eliminate a lot of uncertainty
	about the 'origin' of the suspect traffic.
	
	>If the packets are crossing a router interface, the
	>destination IP address needs to make sense, and be directed by the
	>routing tables (even if it is the default route).
	>
	
	The setup of this network is not what one would call admirable, mostly
	because of a lack of documentation and common sense, but it's still playing
	by the rules so I am not too worried either. On top of that the router is
	managed by 'the other office', who are not keen on letting us near it or
	giving us some limited access to it. I've sniffed the IOS version but that's
	about it.
	
	>Of course it might be possible that someone is spoofing packets, (from
	>the Internet?) for whatever reason, and it might that your boundary
	>routers aren't configured in a way to reject those packets.
	>
	
	There are firewalls in place which seem to be well configured up to now; I've
	not yet seen any logs but these are available.
	
	>Is it possible to send a capture file with one or two captured packets?
	
	I will do so later. Could you by any chance provide me with a URL where I
	could look up the PDU header information for a protocol?
	
	>
	>Martin
	>
	>Martin Visser ,CISSP
	>Network and Security Consultant
	>Technology & Infrastructure - Consulting & Integration
	>HP Services
	>
	>3 Richardson Place
	>North Ryde, Sydney NSW 2113, Australia
	>Phone: +61-2-9022-1670    Mobile: +61-411-254-513
	>Fax: +61-2-9022-1800     E-mail: martin.visserAThp.com
	>
	>
	>
	
	Regards,
	
	Joris
	
	>-----Original Message-----
	>From: Lambrecht Joris [mailto:joris.lambrecht@xxxxxxxxxxxxxxxxxxxxxxx]
	>Sent: Tuesday, 3 June 2003 1:11 AM
	>To: 'ethereal-users@xxxxxxxxxxxx'
	>Subject: [Ethereal-users] Possible Protocol Mismatch
	>
	>
	>Hi,
	>
	>// I AM NOT ON THIS LIST, PLEASE REPLY TO ALL . . .
	>
	>I'm a newbie to Network Analysis and also a newbie to the network I'm
	>on; I am currently looking into some strange issues which need
	>clarification.
	>
	>There is a recurring Zebra Protocol capture which is not supposed to
	>occur. As far as I know there might be a Zebra router on the network,
	>but the src/dest addresses involved do not return anything close to the
	>routers I know which are in the network. I even checked the workstation
	>involved with replying "Zebra Response"; there is no such software
	>running on that workstation.
	>
	>I figured out most of the traffic on this network/subnet but cannot
	>pinpoint the validity of the Zebra Protocol. Did anyone ever encounter a
	>similar situation in which packets could have been mistaken for a known
	>protocol? It's pretty far off, I realise, and there's still the chance
	>of a Zebra router being out there somewhere, but this would have shown
	>different IP addresses, not?
	>
	>
	>Any help would be welcome.
	>
	>
	>Kind regards,
	>
	>Joris
	>
	>
	>_______________________________________________
	>Ethereal-users mailing list
	>Ethereal-users@xxxxxxxxxxxx
	>http://www.ethereal.com/mailman/listinfo/ethereal-users
	>
	
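The thread turns on two points: Ethereal labels a TCP stream by its port number unless a heuristic says otherwise, and corrupted frames (visible as IP checksum errors) make any such label unreliable. The following is an added example, not code from the mails or from Ethereal; it builds constructed IPv4/TCP packets, verifies the IP header checksum, picks a protocol from an assumed port table (zebra on TCP 2600 is an assumption), and only accepts the "zebra" label when an assumed plausibility check on the payload passes.

```python
import struct

# Assumed port table standing in for Ethereal's registered-port lookup (not the project's own).
PORT_TABLE = {2600: "zebra", 80: "http", 23: "telnet"}


def ip_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement sum; over a valid IPv4 header (checksum field included) it returns 0."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(sport: int, dport: int, payload: bytes, damage: bool = False) -> bytes:
    """Constructed IPv4+TCP packet without options (10.0.0.1 -> 10.0.0.2 are made-up addresses).
    damage=True flips a bit in the source address after the checksum was computed, mimicking
    the on-the-wire corruption the thread suspects."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0, 64, 6, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    if damage:
        hdr = hdr[:12] + bytes([hdr[12] ^ 0x40]) + hdr[13:]
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return hdr + tcp + payload


def looks_like_zebra(payload: bytes) -> bool:
    """Assumed plausibility check: an old-style zebra message starts with a 16-bit length equal
    to the message size, followed by a command byte. This is a simplification for illustration."""
    return len(payload) >= 3 and struct.unpack("!H", payload[:2])[0] == len(payload)


HEURISTICS = {"zebra": looks_like_zebra}   # protocols without an entry are accepted on port alone


def decode(pkt: bytes) -> dict:
    """Port-based decode with a heuristic confirmation step and an IP checksum sanity flag."""
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    payload = pkt[ihl + (pkt[ihl + 12] >> 4) * 4:]
    hint = PORT_TABLE.get(dport) or PORT_TABLE.get(sport)
    result = {"ip_checksum_ok": ip_checksum(pkt[:ihl]) == 0, "port_hint": hint, "protocol": "data"}
    if hint is not None:
        check = HEURISTICS.get(hint)
        if check is None or check(payload):
            result["protocol"] = hint
    return result
```

A packet to port 2600 whose payload fails the check stays labelled "data" with the port hint retained, and a packet with a bad IP checksum is flagged so the analyst knows the port fields themselves may be garbage.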