Ethereal-users: RE: [Ethereal-users] Possible Protocol Mismatch

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date: Tue, 3 Jun 2003 10:21:04 +0200

>-----Original Message-----
>From: Visser, Martin (Sydney) [mailto:martin.visser@xxxxxx]
>Sent: Tuesday 3 June 2003 04:08
>To: Lambrecht Joris; ethereal-users@xxxxxxxxxxxx
>Subject: RE: [Ethereal-users] Possible Protocol Mismatch
>
>
>The choice of protocol decode is based on the best-available information
>in the PDU headers, working down the tree so to speak. If the IP
>addresses are unknown to you, it is possible that you have some physical
>issue on the network which is corrupting the packet data, possibly
>leading to misinterpretation. (Have a look if you have any indications
>such as IP checksum errors.)
>

Thus I assume protocol decoding is linear and will not revert to a
not-so-close match after failing the first match? That is probably what's
happening. Although identifying a protocol simply by port assignment seems
pretty lame to me, certainly not what I would expect from a project like
Ethereal which counts quite a lot of contributors.

There is some kind of corruption on this network but, for now, I assume it's
only of the Windows-networking kind. 'Malformed Browser Requests' are quite
frequent yet not triumphant.

The IP addresses are not unknown but the services they seem to be supplying
are suspicious when taking a strict look. I am not performing a
network-security audit just yet; given the fact that nearly every registered
port is used by some trojan, I'm still holding back from screaming Trojan!
although at times this seemed a more welcome approach.

>You may want to look at router or switch tables to verify the validity
>of the IP or MAC addresses (at least as far as the network equipment is
>concerned).

That is a very welcome suggestion which could eliminate a lot of uncertainty
about the 'origin' of the suspect traffic.

>If the packets are crossing a router interface, the
>destination IP address needs to make sense, and be directed by the
>routing tables (even if it is the default route).
>

The setup of this network is not what one would call admirable, mostly
because of a lack of documentation and common sense, but it's still playing
by the rules so I am not too worried either. On top of that the router is
managed by 'the other office', who are not keen on letting us near it or
giving us some limited access to it. I've sniffed the IOS version but that's
about it.

>Of course it might be possible that someone is spoofing packets (from
>the Internet?) for whatever reason, and it might be that your boundary
>routers aren't configured in a way to reject those packets.
>

There are firewalls in place which seem to be well configured up to now; I've
not yet seen any logs but these are available.

>Is it possible to send a capture file with one or two captured packets?

I will do so later. Could you by any chance provide me with a URL where I
could look up the PDU header information for a protocol?

>
>Martin
>
>Martin Visser ,CISSP
>Network and Security Consultant 
>Technology & Infrastructure - Consulting & Integration
>HP Services
>
>3 Richardson Place 
>North Ryde, Sydney NSW 2113, Australia 
>Phone: +61-2-9022-1670    Mobile: +61-411-254-513
>Fax: +61-2-9022-1800     E-mail: martin.visserAThp.com
>
>
>

Regards,

Joris

>-----Original Message-----
>From: Lambrecht Joris [mailto:joris.lambrecht@xxxxxxxxxxxxxxxxxxxxxxx] 
>Sent: Tuesday, 3 June 2003 1:11 AM
>To: 'ethereal-users@xxxxxxxxxxxx'
>Subject: [Ethereal-users] Possible Protocol Mismatch
>
>
>Hi,
>
>// I AM NOT ON THIS LIST, PLEASE REPLY TO ALL . . .
>
>I'm a newbie to network analysis and also a newbie to the network I'm
>on. I am currently looking into some strange issues which need
>clarification.
>
>There is a recurring Zebra Protocol capture which is not supposed to
>occur. As far as I know there might be a Zebra router on the network,
>but the src/dest addresses involved do not return anything close to the
>routers I know which are in the network. I even checked the workstation
>involved with replying "Zebra Response"; there is no such software
>running on that workstation.
>
>I figured out most of the traffic on this network/subnet but cannot
>pinpoint the validity of the Zebra Protocol. Did anyone ever encounter a
>similar situation in which packets could have been mistaken for a known
>protocol? It's pretty far off, I realise, and there's still the chance
>of a Zebra router being out there somewhere, but this would have shown
>different IP addresses, would it not?
>
>
>Any help would be welcome.
>
>
>Kind regards,
>
>Joris
>
>
>_______________________________________________
>Ethereal-users mailing list
>Ethereal-users@xxxxxxxxxxxx
>http://www.ethereal.com/mailman/listinfo/ethereal-users
>
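The port-versus-header distinction discussed in this thread, as an added illustration that is not part of the thread or of Ethereal's own dissector code: a decoder that picks "zebra" purely because a registered port matched, next to one that also checks whether the bytes actually fit the zserv header layout. Assumptions: 2601 is the IANA-registered zebra port, the header layout follows Zebra/Quagga's zserv (v0: 16-bit length, 8-bit command; v1: 16-bit length, 0xFF marker, 8-bit version, 16-bit command), and the function names and sample payloads are constructed for this example.

```python
import struct

ZEBRA_PORT = 2601  # IANA-registered "zebra" port (assumption: the only thing a port-based match looks at)


def decode_by_port(sport: int, dport: int) -> str:
    """Port-only choice: the first registered port that matches wins, nothing else is inspected."""
    if ZEBRA_PORT in (sport, dport):
        return "zebra"
    return "data"


def zebra_header_plausible(payload: bytes) -> bool:
    """Sanity-check the payload against the zserv header layout (assumption, see lead-in)."""
    if len(payload) < 3:
        return False
    (length,) = struct.unpack("!H", payload[:2])
    if length != len(payload):        # zserv length field covers the whole message
        return False
    if payload[2] == 0xFF:            # v1 header: marker, version byte, 16-bit command
        if len(payload) < 6 or payload[3] != 1:
            return False
        (cmd,) = struct.unpack("!H", payload[4:6])
    else:                             # v0 header: 8-bit command directly after the length
        cmd = payload[2]
    return 0 < cmd < 32               # constructed bound: real zserv command numbers are small


def decode_with_check(sport: int, dport: int, payload: bytes) -> str:
    """Port match first, then require the header to fit before claiming the protocol."""
    guess = decode_by_port(sport, dport)
    if guess == "zebra" and not zebra_header_plausible(payload):
        return "data (port matched zebra but header did not)"
    return guess


if __name__ == "__main__":
    # constructed samples: a valid v0 message, a valid v1 message, and HTTP bytes on the zebra port
    for sport, dport, pkt in [(40000, 2601, b"\x00\x03\x01"),
                              (40000, 2601, b"\x00\x06\xff\x01\x00\x02"),
                              (2601, 40000, b"GET / HTTP/1.0\r\n")]:
        print(sport, dport, decode_by_port(sport, dport), "->", decode_with_check(sport, dport, pkt))
```

The third sample is the situation the thread describes: a port-only decoder labels arbitrary bytes as Zebra, while the header check falls back to plain data, which is the cross-check to apply before reading anything into a surprising protocol label.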