Ethereal-users: RE: [Ethereal-users] sniffing for welchia

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Richard Urwin <RUrwin@xxxxxxxxxxxxxx>
Date: Thu, 8 Jan 2004 16:44:25 -0000
> >>> "Bert Wilder Jr." <bertwilder@xxxxxxxxx> 01/08/04 09:17AM >>>
> I'm trying to find Welchia on our network...I have
> recently downloaded the Ethereal software and scanning
> for:  tcp port 135 and host x.x.x.x (The host being a
> new computer on the network that doesn't have the
> patch installed).  Theoretically, I can use this
> filter and wait for this computer to get the Welchia
> virus...At that point, after running the Welchia
> removal tool and verifying that the machine did in
> fact get Welchia, I can check the sniffer and see what
> ip addresses on our network were communicating with
> the tcp port 135 on this machine.  Well, this doesn't
> appear to be working...I have been sniffing the
> network and this machine using filters like:  icmp and
> host x.x.x.x, tcp port 135 and so forth...The machine
> is getting infected with Welchia, but no information
> is given from Ethereal...I guess I could just scan the
> entire network traffic with no filter, but that would
> be painstaking to go back through all of the
> communication and look for that machine...Anybody have
> any ideas?  We have patched every machine on the
> network as well as running the removal tool, I
> believe...We also have the Symantec Corporate
> Antivirus on all the machines as well...There is
> probably one machine out there that is getting infected
> that we missed...Thanks in advance for any support you
> can give...Thanks!

Running Ethereal on the machine that gets infected is probably a good idea.
Then you don't need to run in promiscuous mode, and the traffic throughput
will be much smaller.

-- 
Richard Urwin, Software Design Engineer
Schenck Test Automation
Braemar Court, 1311b Melton Road, Syston, UK.
rurwin@xxxxxxxxxxxxxx
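As an added illustration (not part of this thread), the filter Bert describes, "host x.x.x.x and (icmp or tcp port 135)", applied offline to raw Ethernet frames so you can tally which peers touched the unpatched host. The frames, the victim address 10.0.0.5 and the peer addresses are constructed sample data; stdlib only.

```python
import struct
from collections import Counter

def build_frame(src_ip, dst_ip, proto, l4):
    """Constructed sample frame: Ethernet II + minimal IPv4 header (checksums left 0)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # dummy MACs, EtherType IPv4
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                         bytes(map(int, src_ip.split("."))),
                         bytes(map(int, dst_ip.split("."))))
    return eth + ip_hdr + l4

def tcp_syn(sport, dport):
    """Bare TCP SYN segment header (20 bytes, no options)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x02, 8192, 0, 0)

def icmp_echo():
    """ICMP echo request header (type 8, code 0)."""
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1)

def suspicious_sources(frames, victim):
    """Emulate 'host victim and (icmp or tcp port 135)' and count hits per (peer, kind)."""
    hits = Counter()
    for f in frames:
        if f[12:14] != b"\x08\x00":                         # not IPv4, skip
            continue
        ihl = (f[14] & 0x0F) * 4                            # IPv4 header length
        proto = f[23]
        src = ".".join(map(str, f[26:30]))
        dst = ".".join(map(str, f[30:34]))
        if victim not in (src, dst):                        # the 'host x.x.x.x' part
            continue
        l4 = f[14 + ihl:]
        if proto == 1 and l4[0] == 8:                       # ICMP echo request
            hits[(src, "icmp-echo")] += 1
        elif proto == 6:                                    # TCP: either end on port 135
            sport, dport = struct.unpack("!HH", l4[:4])
            if 135 in (sport, dport):
                hits[(src, "tcp/135")] += 1
    return hits

def sample_frames():
    """Constructed capture: one noisy peer, one benign web client, one unrelated flow."""
    return [
        build_frame("10.0.0.77", "10.0.0.5", 1, icmp_echo()),
        build_frame("10.0.0.77", "10.0.0.5", 1, icmp_echo()),
        build_frame("10.0.0.77", "10.0.0.5", 6, tcp_syn(1042, 135)),
        build_frame("10.0.0.20", "10.0.0.5", 6, tcp_syn(2000, 80)),   # filtered out
        build_frame("10.0.0.9", "10.0.0.8", 6, tcp_syn(3000, 135)),   # other host, out
    ]

if __name__ == "__main__":
    for (peer, kind), n in suspicious_sources(sample_frames(), "10.0.0.5").items():
        print(f"{peer:<12} {kind:<10} {n}")
```

Running Ethereal on the victim itself, as the reply suggests, yields exactly this kind of per-peer view without promiscuous mode.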
