[Snort-users] Re: [Ethereal-users] Unknow packet

Corne van Strien strien at ...4609...
Thu Jan 17 04:12:05 EST 2002


Hi,

Regarding:

> > I have been experimenting with writing a sniffer in Perl.  While
> > testing the
> > script I received the packet below.  The ScrMac is of my layer3 switch
> > and I
> > do not know the DestMAC.  This has me worried.  I have tried Analyzer,
> > Ethereal, Optimal, and Tcpdump but they drop the packet for some reason
> > (this is an assumption; I never see the packet in their output).  Any
> > insight would be great.
> >
> >
> > ScrMAC: 000628a08e07 DestMAC: 01000ccccccc
> > Data:
>
> It doesn't appear to be dangerous.  The destination address,
> "01000ccccccc", is a multicast address belonging to Cisco.  I would
> guess it is something like a "Hey, cisco routers, anyone else here" or
> "Hey, I'm a cisco routers; what's up" kind of message.
>
> You could check out your cisco routers and verify that one of them is
> the sender.
>

This is from the Cisco Discovery Protocol: a protocol used by Cisco
equipment for discovering other cisco equipment and build a table containing
all neighboring Cisco equipment. CDP is sometimes used by some Network
management programs like CiscoWorks, it is also used for troubleshooting.

In IOS based components you can typically disable this using: "no cdp
enable" on a specific interface, or "no cdp run" to disable CDP completely.
For other systems you might have to walk through some menu from the console
(or telnet). CDP is enabled on Cisco routers by default.

In IOS based Cisco devices ou can see neighboring Cisco devices using "show
cdp neighbors".

There are some security issues with CDP. see:
http://www.cisco.com/warp/public/707/cdp_issue.shtml

See also
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120
t/120t3/cdpadds.htm
for detailed information about CDP
See also: http://nsa1.www.conxion.com/cisco/index.html
For detailed instructions for safely configuring Cisco routers.


    Kind Regards,

    Corne van Strien, CCNA

> Regards,
>
> Justin
>
> >           00 01 02 03 04 05 06 07 - 08 09 0A 0B 0C 0D 0E 0F
> > 0123456789ABCDEF
> >
> > 00000000  01 00 0C CC CC CC 00 06 - 28 A0 8E 07 01 45 AA AA
> > ........(....E..
> > 00000010  03 00 00 0C 20 00 01 B4 - 7F 49 00 01 00 19 4D 61  ....
> > ....I....Ma
> > 00000020  69 6E 53 77 69 74 63 68 - 2E 63 68 63 73 69 69 2E
> > inSwitch.chcsii.
> > 00000030  63 6F 6D 00 02 00 11 00 - 00 00 01 01 01 CC 00 04
> > com.............
> > 00000040  C0 BE 01 01 00 03 00 11 - 46 61 73 74 45 74 68 65
> > ........FastEthe
> > 00000050  72 6E 65 74 31 00 04 00 - 08 00 00 00 03 00 05 00
> > rnet1...........
> > 00000060  E4 43 69 73 63 6F 20 49 - 6E 74 65 72 6E 65 74 77  .Cisco
> > Internetw
> > 00000070  6F 72 6B 20 4F 70 65 72 - 61 74 69 6E 67 20 53 79  ork
> > Operating
> > Sy
> > 00000080  73 74 65 6D 20 53 6F 66 - 74 77 61 72 65 20 0A 49  stem
> > Software
> > .I
> > 00000090  4F 53 20 28 74 6D 29 20 - 4C 33 20 53 77 69 74 63  OS (tm) L3
> > Switc
> > 000000A0  68 2F 52 6F 75 74 65 72 - 20 53 6F 66 74 77 61 72  h/Router
> > Softwar
> > 000000B0  65 20 28 43 41 54 32 39 - 34 38 47 2D 49 4E 2D 4D  e
> > (CAT2948G-IN-M
> > 000000C0  29 2C 20 56 65 72 73 69 - 6F 6E 20 31 32 2E 30 28  ), Version
> > 12.0(
> > 000000D0  37 29 57 35 28 31 35 64 - 29 20 20 52 45 4C 45 41  7)W5(15d)
> > RELEA
> > 000000E0  53 45 20 53 4F 46 54 57 - 41 52 45 20 0A 43 6F 70  SE SOFTWARE
> > .Cop
> > 000000F0  79 72 69 67 68 74 20 28 - 63 29 20 31 39 38 36 2D  yright (c)
> > 1986-
> > 00000100  32 30 30 30 20 62 79 20 - 63 69 73 63 6F 20 53 79  2000 by
> > cisco
> > Sy
> > 00000110  73 74 65 6D 73 2C 20 49 - 6E 63 2E 0A 43 6F 6D 70  stems,
> > Inc..Comp
> > 00000120  69 6C 65 64 20 4D 6F 6E - 20 30 35 2D 4A 75 6E 2D  iled Mon
> > 05-Jun-
> > 00000130  30 30 20 31 36 3A 31 36 - 20 62 79 20 69 6E 74 65  00 16:16 by
> > inte
> > 00000140  67 00 06 00 12 63 69 73 - 63 6F 20 43 61 74 32 39  g....cisco
> > Cat29
> > 00000150  34 38 47                                           48G
> >
> >
> > thanks
> >
> > Jay Flowers
> > Integic Health Care
> >
> >
> >
> > _______________________________________________
> > Ethereal-users mailing list
> > Ethereal-users at ...4600...
> > http://www.ethereal.com/mailman/listinfo/ethereal-users
> >
> >
> --
> Justin C. Walker, Curmudgeon-At-Large  *
> Institute for General Semantics        |   When LuteFisk is outlawed
>                                         |   Only outlaws will have
>                                         |       LuteFisk
> *--------------------------------------*-------------------------------*
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>





More information about the Snort-users mailing list