Ethereal-users: RE: [Ethereal-users] Possible Protocol Mismatch

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date: Wed, 4 Jun 2003 09:25:34 +0200

>-----Original Message-----
>From: Visser, Martin (Sydney) [mailto:martin.visser@xxxxxx]
>Sent: Wednesday 4 June 2003 06:00
>To: Lambrecht Joris; ethereal-users@xxxxxxxxxxxx
>Subject: RE: [Ethereal-users] Possible Protocol Mismatch
>
>Joris,
>
>It sounds like you are making some progress (at least from
>your response to Martin Regner's mail).

I'm pretty confident I'll be able to resolve the outstanding issues.

>Be certain that you view Ethereal as a diagnostics tool (with
>all its limitations) and do not expect it to give you a final
>solution. Just as a medical X-ray requires interpretation by
>an experienced radiologist or surgeon, Ethereal can reveal
>much about a network, but requires a fair bit of expertise
>that goes beyond just being able to launch a packet capture.
> 

I understand, I've been out of the sector for more than a year so I've
become pretty (c)rusty.

>While I understand your frustration at not having the whole
>picture, it is probably important to understand the network
>topology in order to solve your problem. (If I am doing this
>type of analysis, I always try to have a good physical and
>logical understanding of the network before I even start).

Well, the topology I've been mapping myself, even giving some extra feedback
to existing knowledge, so they're probably happy enough.

>For instance if you can determine the source MAC and IP
>address of the frames in question, which Ethereal should give
>you, you must be able to physically determine where they came
>from. Either you need to get access to the routing/switch tables
>in your equipment, or arrange some downtime on the network and
>"divide and conquer" to isolate the source. Now that Ethereal
>has identified some issues, you really need to use more
>fundamental techniques to solve your problem.
> 

No problem, that much I know. The issues are mostly about performance
degradation etc.; reconfiguring the NetBIOS node type did quite a lot
already. Basically I've been using Ethereal to figure out if there were
rogue 'browsers', PDCs, BDCs etc. on this network, which would have been easy
enough to detect given the set-up I've been given.

>Also, be a little careful with your comments - "Although
>identifying a protocol simply by port-assignment seems
>pretty lame to me, certainly not what I would expect from a
>project like Ethereal which counts quite a lot of contributors."

Oh well, I have to keep up to my (king-of-the-jungle) name-and-fame on
unfounded postings. Though I simply wanted to point out my confusion with
the port-protocol relation within Ethereal and how this affected the results
I saw. This confusion is not over, by the way: for some reason there are no
more ZEBRA packets in the capture anymore. Didn't change a thing. I still
have to view the capture from last evening but I'd be surprised.

>Someone might give you a job! (Please remember that the work on
>Ethereal is done as a community effort, the individual
>contributions usually are to meet a personal need, yet improve
>the quality of the whole).

Well, I'm probably out of a job within a month or so, so ... :-))

>As Martin R. said, the heuristics of determining how to decode a
>particular frame are not always straightforward. It could well be
>that there are some issues with how "smart" Ethereal is. Even if
>you can't cut code, I'm sure constructive architectural suggestions
>are always welcome.
> 

Hmmm, this sounds too good to be true; I might just keep this in mind should
I come up with something good.

>Regards, Martin

Greetings from a once again partly sunny Belgium,

Joris

>-----Original Message-----
>From: Lambrecht Joris [mailto:joris.lambrecht@xxxxxxxxxxxxxxxxxxxxxxx]
>Sent: Tue 3/06/2003 6:21 PM
>To: ethereal-users@xxxxxxxxxxxx
>Cc:
>Subject: RE: [Ethereal-users] Possible Protocol Mismatch
>
>	>-----Original Message-----
>	>From: Visser, Martin (Sydney) [mailto:martin.visser@xxxxxx]
>	>Sent: Tuesday 3 June 2003 04:08
>	>To: Lambrecht Joris; ethereal-users@xxxxxxxxxxxx
>	>Subject: RE: [Ethereal-users] Possible Protocol Mismatch
>	>
>	>The choice of protocol decode is based on the best-available
>	>information in the PDU headers, working down the tree so to speak.
>	>If the IP addresses are unknown to you, it is possible that you have
>	>some physical issue on the network which is corrupting the packet
>	>data, possibly leading to misinterpretation. (Have a look if you have
>	>any indications such as IP checksum errors.)
>	>
>	
>	Thus I assume protocol decoding is linear and will not revert to a
>	not-so-close match after failing the first match? That is probably
>	what's happening. Although identifying a protocol simply by
>	port-assignment seems pretty lame to me, certainly not what I would
>	expect from a project like Ethereal which counts quite a lot of
>	contributors.
>	
>	There is some kind of corruption on this network but, for now, I
>	assume it's only of the windows-networking kind. 'Malformed Browser
>	Requests' are quite frequent yet not triumphant.
>	
>	The IP addresses are not unknown but the services they seem to be
>	supplying are suspicious when taking a strict look. I am not
>	performing a network-security audit just yet; given the fact that
>	nearly every registered port is used by some trojan I'm still holding
>	back from screaming Trojan! although at times this seemed a more
>	welcome approach.
>	
>	>You may want to look at router or switch tables to verify the
>	>validity of the IP or MAC addresses (at least as far as the network
>	>equipment is concerned).
>	
>	That is a very welcome suggestion which could eliminate a lot of
>	uncertainty about the 'origin' of the suspect traffic.
>	
>	>If the packets are crossing a router interface, the destination IP
>	>address needs to make sense, and be directed by the routing tables
>	>(even if it is the default route).
>	>
>	
>	The setup of this network is not what one would call admirable,
>	mostly because of a lack of documentation and common sense, but it's
>	still playing by the rules so I am not too worried either. On top of
>	that the router is managed by 'the other office', who are not keen on
>	letting us near it or giving us some limited access to it. I've
>	sniffed the IOS version but that's about it.
>	
>	>Of course it might be possible that someone is spoofing packets
>	>(from the Internet?) for whatever reason, and it might be that your
>	>boundary routers aren't configured in a way to reject those packets.
>	>
>	
>	There are firewalls in place which seem to be well configured up to
>	now; I've not yet seen any logs but these are available.
>	
>	>Is it possible to send a capture file with one or two captured
>	>packets?
>	
>	I will do so later. Could you by any chance provide me with a URL
>	where I could look up the PDU header information for a protocol?
>	
>	>
>	>Martin
>	>
>	>Martin Visser, CISSP
>	>Network and Security Consultant
>	>Technology & Infrastructure - Consulting & Integration
>	>HP Services
>	>
>	>3 Richardson Place
>	>North Ryde, Sydney NSW 2113, Australia
>	>Phone: +61-2-9022-1670    Mobile: +61-411-254-513
>	>Fax: +61-2-9022-1800     E-mail: martin.visserAThp.com
>	>
>	
>	Regards,
>	
>	Joris
>	
>	>-----Original Message-----
>	>From: Lambrecht Joris [mailto:joris.lambrecht@xxxxxxxxxxxxxxxxxxxxxxx]
>	>Sent: Tuesday, 3 June 2003 1:11 AM
>	>To: 'ethereal-users@xxxxxxxxxxxx'
>	>Subject: [Ethereal-users] Possible Protocol Mismatch
>	>
>	>Hi,
>	>
>	>// I AM NOT ON THIS LIST, PLEASE REPLY TO ALL . . .
>	>
>	>I'm a newbie to network analysis and also a newbie to the network
>	>I'm on; I am currently looking into some stranger issues which need
>	>clarification.
>	>
>	>There is a recurring Zebra Protocol capture which is not supposed to
>	>occur. As far as I know there might be a Zebra router on the network,
>	>but the src/dest addresses involved do not return anything close to
>	>the routers I know which are in the network. I even checked the
>	>workstation involved with replying "Zebra Response"; there is no such
>	>software running on that workstation.
>	>
>	>I figured out most of the traffic on this network/subnet but cannot
>	>pinpoint the validity of the Zebra Protocol. Did anyone ever
>	>encounter a similar situation in which packets could have been
>	>mistaken for a known protocol? It's pretty far off, I realise, and
>	>there's still the chance of a Zebra router being out there somewhere,
>	>but this would have shown different IP addresses, not?
>	>
>	>Any help would be welcome.
>	>
>	>Kind regards,
>	>
>	>Joris
>	>
>	>_______________________________________________
>	>Ethereal-users mailing list
>	>Ethereal-users@xxxxxxxxxxxx
>	>http://www.ethereal.com/mailman/listinfo/ethereal-users
>	
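The thread above turns on two diagnostic questions: whether a frame was labelled "Zebra" only because one of its TCP ports is 2601, and whether IP checksum errors point to corruption. This added Python example (not code from Ethereal or from anyone in the thread) parses a constructed IPv4/TCP packet, verifies the RFC 791 header checksum, and performs the same port-table dispatch, reporting that the label rests on the port alone; the port table, addresses and packet builder are constructed for illustration.

```python
import struct

# Constructed port table for this example: a port-based decode maps a TCP port
# to a protocol name without reading the payload. 2601 is IANA's registered
# "zebra" port; Ethereal's real tables are far larger.
PORT_TABLE = {2601: "zebra", 80: "http", 139: "netbios-ssn", 445: "microsoft-ds"}


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 checksum: one's-complement sum of 16-bit words, checksum field zeroed."""
    hdr = header[:10] + b"\x00\x00" + header[12:]
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src, dst, sport, dport, payload=b"", corrupt=False):
    """Constructed sample frame (not a real capture): IPv4 header + bare TCP header."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    if corrupt:                              # simulate a flipped bit in the destination
        ip = ip[:16] + bytes([ip[16] ^ 0x40]) + ip[17:]
    return ip + tcp


def dissect(packet: bytes) -> dict:
    """Walk IPv4 -> TCP -> port table, the way a port-only decode does."""
    ihl = (packet[0] & 0x0F) * 4
    ip_hdr = packet[:ihl]
    stored = struct.unpack("!H", ip_hdr[10:12])[0]
    result = {
        "src": ".".join(map(str, ip_hdr[12:16])),
        "dst": ".".join(map(str, ip_hdr[16:20])),
        "ip_checksum_ok": ipv4_checksum(ip_hdr) == stored,  # the corruption check
    }
    if ip_hdr[9] != 6:                       # IP protocol field: 6 means TCP
        result["protocol"] = "ipproto-%d" % ip_hdr[9]
        return result
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    result["ports"] = (sport, dport)
    proto = PORT_TABLE.get(dport) or PORT_TABLE.get(sport)
    result["protocol"] = proto or "tcp"
    # The label says nothing about the payload: "zebra" here means "port 2601".
    result["by_port_only"] = proto is not None
    return result
```

A frame whose checksum fails should be treated as unreliable before its protocol label is trusted; a frame that passes is still only "port 2601", not a validated Zebra PDU.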