Ethereal-users: RE: [Ethereal-users] sniffing for welchia

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Jon Waller" <jwaller@xxxxxxxxxxxxxxxxx>
Date: Thu, 8 Jan 2004 18:58:41 -0500
I have been fighting the Welchia battle for months. Ethereal is a vital
part of this task. Before you can use Ethereal to capture the offending
packets you have to make sure that the "bait" machine is on a hub along
with your scanning system or that the scanning system is connected on a
monitoring port that is receiving copies of all network packets.

The filtering that I am using is based on the ICMP traffic. The filter
is: icmp && icmp[0] = 8 && ip[40:4] = 0xaaaaaaaa

This filter only looks at the actual ping portion of the communication.
The IP information provided is based on the signature of the Welchia
ping packet containing all 'a' values in the data portion.

Hope this information helps.

Jon

-----Original Message-----
From: Bert Wilder Jr. [mailto:bertwilder@xxxxxxxxx] 
Sent: Thursday, January 08, 2004 6:17 AM
To: ethereal-users@xxxxxxxxxxxx
Subject: [Ethereal-users] sniffing for welchia

I'm trying to find Welchia on our network...I have
recently downloaded the Ethereal software and scanning
for:  tcp port 135 and host x.x.x.x (The host being a
new computer on the network that doesn't have the
patch installed).  Theoretically, I can use this
filter and wait for this computer to get the Welchia
virus...At that point, after running the Welchia
removal tool and verifying that the machine did in
fact get Welchia, I can check the sniffer and see what
ip addresses on our network were communicating with
the tcp port 135 on this machine.  Well, this doesn't
appear to be working...I have been sniffing the
network and this machine using filters like:  icmp and
host x.x.x.x, tcp port 135 and so forth...The machine
is getting infected with Welchia, but no information
is given from Ethereal...I guess I could just scan the
entire network traffic with no filter, but that would
be painstaking to go back through all of the
communication and look for that machine...Anybody have
any ideas?  We have patched every machine on the
network as well as running the removal tool, I
believe...We also have the Symantec Corporate
Antivirus on all the machines as well...There is
probably one machine out there that is getting infected
that we missed...Thanks in advance for any support you
can give...Thanks!

Bert
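Jon's capture filter (icmp && icmp[0] = 8 && ip[40:4] = 0xaaaaaaaa) rewritten as a Python check over raw IPv4 packets, as an added example that is not code from this thread or from Ethereal; the packet builder, addresses and sample payloads are constructed for illustration.

```python
import struct

# Offsets follow the capture filter from the thread:
#   icmp && icmp[0] = 8 && ip[40:4] = 0xaaaaaaaa
# ip[40:4] counts from the start of the IPv4 header, so with a 20-byte
# header it is bytes 12..15 of the ICMP echo payload.
IPPROTO_ICMP = 1
ICMP_ECHO_REQUEST = 8


def build_ipv4_icmp_echo(payload: bytes, src="10.0.0.5", dst="10.0.0.9") -> bytes:
    """Constructed test packet: minimal IPv4 header + ICMP echo request.
    Checksums are left zero; the filter never looks at them."""
    total_len = 20 + 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64,
                         IPPROTO_ICMP, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    icmp_hdr = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 0x0001, 0x0001)
    return ip_hdr + icmp_hdr + payload


def matches_welchia_filter(pkt: bytes) -> bool:
    """Python equivalent of the BPF filter, applied to one raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return False
    ihl = (pkt[0] & 0x0F) * 4
    frag_off = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    # 'icmp' (tcpdump also requires the first fragment before icmp[0] applies)
    if pkt[9] != IPPROTO_ICMP or frag_off != 0:
        return False
    if len(pkt) < ihl + 1 or pkt[ihl] != ICMP_ECHO_REQUEST:   # icmp[0] = 8
        return False
    if len(pkt) < 44:   # ip[40:4] would run past the packet: BPF says no match
        return False
    return pkt[40:44] == b"\xaa\xaa\xaa\xaa"                    # ip[40:4] = 0xaaaaaaaa


# Constructed samples: a Welchia-style echo filled with 0xaa, an ordinary
# ping with an 'abcdef...' payload, and an echo too short for ip[40:4].
SAMPLE_PACKETS = {
    "welchia_like": build_ipv4_icmp_echo(b"\xaa" * 64),
    "ordinary_ping": build_ipv4_icmp_echo(bytes(range(0x61, 0x61 + 32))),
    "short_echo": build_ipv4_icmp_echo(b"\xaa" * 8),
}


def scan(packets):
    """Return the names of the packets the filter would have captured."""
    return [name for name, pkt in packets.items() if matches_welchia_filter(pkt)]


if __name__ == "__main__":
    print(scan(SAMPLE_PACKETS))   # ['welchia_like']
```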



_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users