Ethereal-users: Re: [Ethereal-users] Sniffing for Viruses

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Richard Urwin <richard@xxxxxxxxxxxxxxx>
Date: Tue, 4 Nov 2003 11:01:29 +0000
On Tuesday 04 Nov 2003 5:46 am, Nick Marques wrote:
> Hey can I use Ethereal to sniff for virus traffic on a network?? I can
> am currently using the succession of ARP Requests from the same host to
> consecutive IPs as an indication of RPC worms like Welchia. Is this method
> fool-proof.. what else might send out packets like that?? I ask because I
> am still seeing these packets on a system I know was patched and cleaned
> out.

No well-written network app. should send ARPs to successive addresses at 
maximum rate, like the Welchia traffic I have seen.

I know of no network app. that needs to send out ARPs to successive addresses 
at all. Windows seems to send out the unnecessary ARP packets to well defined 
addresses, but nowhere near the same rate. Some network stacks send out ARPs 
for their own address as a way to check for duplicate IPs, but only once a 
minute at maximum.

> What are some other filters I can use for virus traffic??
SMTP traffic is probably a good indication for many of the modern worms. 
Especially on a network that runs Exchange.

-- 
Richard Urwin
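The heuristic discussed in this thread (one host ARPing a run of consecutive addresses far faster than any legitimate stack would) can be turned into a check over captured ARP requests. The script below is an added example and is not part of the thread or of Ethereal itself. It assumes a constructed one-line-per-request record format (`<seconds> <sender MAC> <sender IP> who-has <target IP>`), and the thresholds `min_run` and `max_gap_s` are assumed values; the sample records, including the sweep and the benign gratuitous-ARP and gateway-resolution lines, are made up to exercise the check.

```python
"""Flag Welchia-style ARP sweeps: one host sending ARP requests for a run of
consecutive IP addresses in quick succession."""
from collections import defaultdict
import ipaddress

# Constructed sample records in an assumed one-line-per-request format:
#   <seconds> <sender MAC> <sender IP> who-has <target IP>
# They are not real captures; the sweep and the benign lines are made up to
# exercise the check.
SAMPLE_ARP_LINES = (
    # Sweep: 10.0.0.5 asks for 10.0.0.20 .. 10.0.0.35, 20 ms apart.
    [f"{0.100 + 0.020 * i:.3f} 00:11:22:33:44:55 10.0.0.5 who-has 10.0.0.{20 + i}"
     for i in range(16)]
    # Duplicate-address probe: a host ARPs for its own IP, once a minute.
    + ["0.000 00:aa:bb:cc:dd:07 10.0.0.7 who-has 10.0.0.7",
       "60.000 00:aa:bb:cc:dd:07 10.0.0.7 who-has 10.0.0.7"]
    # Ordinary resolution of the gateway and a neighbour, seconds apart.
    + ["2.000 00:aa:bb:cc:dd:09 10.0.0.9 who-has 10.0.0.1",
       "5.000 00:aa:bb:cc:dd:09 10.0.0.9 who-has 10.0.0.2",
       "9.000 00:aa:bb:cc:dd:09 10.0.0.9 who-has 10.0.0.1"]
)


def parse_arp_line(line):
    """Split one record into (timestamp, sender MAC, sender IP, target IP)."""
    ts, mac, sender_ip, verb, target_ip = line.split()
    if verb != "who-has":
        raise ValueError(f"not an ARP request: {line!r}")
    return (float(ts), mac,
            ipaddress.ip_address(sender_ip), ipaddress.ip_address(target_ip))


def detect_arp_sweeps(lines, min_run=8, max_gap_s=0.5):
    """Return {sender IP: details} for senders whose ARP requests contain a
    run of at least `min_run` consecutive target IPs with no more than
    `max_gap_s` seconds between neighbouring requests.

    Both thresholds are assumed values: a gratuitous ARP or a host resolving
    its gateway never forms such a run, while a scanning worm does."""
    by_sender = defaultdict(list)
    for line in lines:
        ts, mac, sender_ip, target_ip = parse_arp_line(line)
        by_sender[(mac, sender_ip)].append((ts, target_ip))

    findings = {}
    for (mac, sender_ip), reqs in by_sender.items():
        reqs.sort()                      # chronological order per sender
        best = None
        run_start = 0
        # Walk one past the end so the final run is closed and scored too.
        for i in range(1, len(reqs) + 1):
            continues_run = (
                i < len(reqs)
                and reqs[i][1] == reqs[i - 1][1] + 1          # next address
                and reqs[i][0] - reqs[i - 1][0] <= max_gap_s  # soon enough
            )
            if continues_run:
                continue
            run_len = i - run_start
            if run_len >= min_run and (best is None or run_len > best["run_length"]):
                first_ts, first_ip = reqs[run_start]
                last_ts, last_ip = reqs[i - 1]
                duration = last_ts - first_ts
                best = {
                    "sender_mac": mac,
                    "run_length": run_len,
                    "first_target": str(first_ip),
                    "last_target": str(last_ip),
                    "requests_per_s": run_len / duration if duration > 0 else float("inf"),
                }
            run_start = i
        if best is not None:
            findings[str(sender_ip)] = best
    return findings


if __name__ == "__main__":
    for sender, info in detect_arp_sweeps(SAMPLE_ARP_LINES).items():
        print(f"{sender} ({info['sender_mac']}): {info['run_length']} consecutive "
              f"targets {info['first_target']}..{info['last_target']} "
              f"at {info['requests_per_s']:.0f} req/s")
```

Only the sweeping host is reported; the once-a-minute self-ARP and the gateway lookups never form a run of consecutive targets inside the gap window, which is the distinction the reply above draws between worm traffic and normal stack behaviour. The run length and gap are the knobs to tune against your own network's baseline.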