[Snort-users] Re: [Ethereal-users] Unknow packet

Justin C. Walker justin at ...3027...
Wed Jan 16 16:15:02 EST 2002


On Wednesday, January 16, 2002, at 02:26 PM, Flowers, Jay wrote:

> I have been experimenting with writing a sniffer in Perl.  While testing the
> script I received the packet below.  The ScrMac is of my layer3 switch and I
> do not know the DestMAC.  This has me worried.  I have tried Analyzer,
> Ethereal, Optimal, and Tcpdump but they drop the packet for some reason
> (this is an assumption; I never see the packet in their output).  Any
> insight would be great.
>
>
> ScrMAC: 000628a08e07 DestMAC: 01000ccccccc
> Data:

It doesn't appear to be dangerous.  The destination address, 
"01000ccccccc", is a multicast address belonging to Cisco.  I would 
guess it is something like a "Hey, cisco routers, anyone else here" or 
"Hey, I'm a cisco router; what's up" kind of message.

You could check out your cisco routers and verify that one of them is 
the sender.

Regards,

Justin

>           00 01 02 03 04 05 06 07 - 08 09 0A 0B 0C 0D 0E 0F  0123456789ABCDEF
>
> 00000000  01 00 0C CC CC CC 00 06 - 28 A0 8E 07 01 45 AA AA  ........(....E..
> 00000010  03 00 00 0C 20 00 01 B4 - 7F 49 00 01 00 19 4D 61  .... ....I....Ma
> 00000020  69 6E 53 77 69 74 63 68 - 2E 63 68 63 73 69 69 2E  inSwitch.chcsii.
> 00000030  63 6F 6D 00 02 00 11 00 - 00 00 01 01 01 CC 00 04  com.............
> 00000040  C0 BE 01 01 00 03 00 11 - 46 61 73 74 45 74 68 65  ........FastEthe
> 00000050  72 6E 65 74 31 00 04 00 - 08 00 00 00 03 00 05 00  rnet1...........
> 00000060  E4 43 69 73 63 6F 20 49 - 6E 74 65 72 6E 65 74 77  .Cisco Internetw
> 00000070  6F 72 6B 20 4F 70 65 72 - 61 74 69 6E 67 20 53 79  ork Operating Sy
> 00000080  73 74 65 6D 20 53 6F 66 - 74 77 61 72 65 20 0A 49  stem Software .I
> 00000090  4F 53 20 28 74 6D 29 20 - 4C 33 20 53 77 69 74 63  OS (tm) L3 Switc
> 000000A0  68 2F 52 6F 75 74 65 72 - 20 53 6F 66 74 77 61 72  h/Router Softwar
> 000000B0  65 20 28 43 41 54 32 39 - 34 38 47 2D 49 4E 2D 4D  e (CAT2948G-IN-M
> 000000C0  29 2C 20 56 65 72 73 69 - 6F 6E 20 31 32 2E 30 28  ), Version 12.0(
> 000000D0  37 29 57 35 28 31 35 64 - 29 20 20 52 45 4C 45 41  7)W5(15d)  RELEA
> 000000E0  53 45 20 53 4F 46 54 57 - 41 52 45 20 0A 43 6F 70  SE SOFTWARE .Cop
> 000000F0  79 72 69 67 68 74 20 28 - 63 29 20 31 39 38 36 2D  yright (c) 1986-
> 00000100  32 30 30 30 20 62 79 20 - 63 69 73 63 6F 20 53 79  2000 by cisco Sy
> 00000110  73 74 65 6D 73 2C 20 49 - 6E 63 2E 0A 43 6F 6D 70  stems, Inc..Comp
> 00000120  69 6C 65 64 20 4D 6F 6E - 20 30 35 2D 4A 75 6E 2D  iled Mon 05-Jun-
> 00000130  30 30 20 31 36 3A 31 36 - 20 62 79 20 69 6E 74 65  00 16:16 by inte
> 00000140  67 00 06 00 12 63 69 73 - 63 6F 20 43 61 74 32 39  g....cisco Cat29
> 00000150  34 38 47                                           48G
>
>
> thanks
>
> Jay Flowers
> Integic Health Care
--
Justin C. Walker, Curmudgeon-At-Large  *
Institute for General Semantics        |   When LuteFisk is outlawed
                                        |   Only outlaws will have
                                        |       LuteFisk
*--------------------------------------*-------------------------------*
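
Added example, not part of either poster's message: the destination 01:00:0c:cc:cc:cc together with the LLC/SNAP bytes AA AA 03 / 00 00 0C / 20 00 at offset 0x0E of the dump marks the frame as a Cisco Discovery Protocol (CDP) announcement. This Python decoder walks its TLVs using the bytes transcribed from the dump; the function and variable names are this example's own, and the TLV labels follow the standard CDP type numbers.

```python
import struct

# Frame bytes transcribed from the hex dump in the quoted message (339 bytes).
FRAME = bytes.fromhex("""
01000ccc cccc0006 28a08e07 0145aaaa 0300000c 200001b4 7f490001 00194d61
696e5377 69746368 2e636863 7369692e 636f6d00 02001100 00000101 01cc0004
c0be0101 00030011 46617374 45746865 726e6574 31000400 08000000 03000500
e4436973 636f2049 6e746572 6e657477 6f726b20 4f706572 6174696e 67205379
7374656d 20536f66 74776172 65200a49 4f532028 746d2920 4c332053 77697463
682f526f 75746572 20536f66 74776172 65202843 41543239 3438472d 494e2d4d
292c2056 65727369 6f6e2031 322e3028 37295735 28313564 29202052 454c4541
53452053 4f465457 41524520 0a436f70 79726967 68742028 63292031 3938362d
32303030 20627920 63697363 6f205379 7374656d 732c2049 6e632e0a 436f6d70
696c6564 204d6f6e 2030352d 4a756e2d 30302031 363a3136 20627920 696e7465
67000600 12636973 636f2043 61743239 343847
""")

CDP_MAC = bytes.fromhex("01000ccccccc")       # Cisco multicast destination
CDP_SNAP = bytes.fromhex("aaaa0300000c2000")  # LLC/SNAP, Cisco OUI, PID 0x2000
TLV_NAMES = {1: "device_id", 2: "addresses", 3: "port_id",
             4: "capabilities", 5: "software", 6: "platform"}

def parse_cdp(frame):
    """Return (src_mac, ttl, {tlv_name: value}), or None if not a CDP frame."""
    if frame[:6] != CDP_MAC or frame[14:22] != CDP_SNAP:
        return None
    (length,) = struct.unpack("!H", frame[12:14])    # 802.3 length field
    pdu = frame[22:14 + length]                      # CDP header plus TLVs
    _ver, ttl, _checksum = struct.unpack("!BBH", pdu[:4])
    tlvs, off = {}, 4
    while off + 4 <= len(pdu):
        t, l = struct.unpack("!HH", pdu[off:off + 4])  # length includes header
        if l < 4 or off + l > len(pdu):                # malformed TLV: stop
            break
        val = pdu[off + 4:off + l]
        name = TLV_NAMES.get(t, "type_%d" % t)
        if t in (1, 3, 5, 6):                          # text-valued TLVs
            val = val.decode("ascii", "replace")
        elif t == 4:                                   # capability bitmask
            val = int.from_bytes(val, "big")
        tlvs[name] = val
        off += l
    return frame[6:12].hex(), ttl, tlvs

if __name__ == "__main__":
    src, ttl, tlvs = parse_cdp(FRAME)
    print("CDP from", src, "holdtime", ttl)
    for key, value in tlvs.items():
        print(" ", key, "=", repr(value))
```

The decoded fields show what the switch advertises to every host on the segment: its hostname, a management address, the sending port, the platform and the IOS version string.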




