Yes. :o)

I have not heard of ethereal being able to pick up packets that netmon
can't. Have you positive experience of this or is it theory? I have seen
some pretty hokey packets in netmon. 

  joe


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Tuesday, October 07, 2003 8:50 PM
To: [EMAIL PROTECTED]

Joe,

If the NIC can't get into promiscuous mode, won't it ignore packets that are
*not* addressed to it?  IOW, a packet comes in for another machine.  It
notes that the packet came in (via the stats at the In - Out [which I
question to some degree anyway]) but it's not for me.  Because I'm not in
promiscuous mode, I don't (can't) copy it, so I drop it.  Because it wasn't
copied, it's not passed to the NetMon shim.  However, a packet that *IS*
addressed to me shows up and is passed up the stack and is read as well by
the NetMon shim.  This one shows up in the trace buffer.

Also, isn't it possible that the packets that are showing up at Justin's
system are corrupted?  NetMon may or may not deal with it properly (can't answer
that one, honestly).  Ethereal does, however, present even the corrupt
packets with some ability to determine what might be the problem.  The Pcap
module does seem to be a bit ahead of the shim that NetMon uses.

Yes, I know - but if the packets show up in the in-out counter on Justin's
system, but no one else's - they must be destined for his system.  Heck, I
dunno.  Me, I'm just one of the team here, and I'm counting on my supporting
cast.  Rick can't do everything.... (to paraphrase the football
commercial.....)

;p

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Tuesday, October 07, 2003 6:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT Received Packets

Shouldn't need to. NETMON will see everything Ethereal will. If the traffic
is hitting that NIC, it should be visible in NETMON unless the NIC can't go
into promiscuous mode. Even still, anything addressed to that machine should
be visible. 

  joe


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bill Moran
Sent: Tuesday, October 07, 2003 4:55 PM
To: [EMAIL PROTECTED]

Salandra, Justin A. wrote:
> I am watching my interface in netmon and there is nothing coming up.  
> I see other traffic on the network.

You could install Ethereal (http://www.ethereal.com) which will capture and
analyze individual packets.

That would answer the question once and for all, since you'd be able to see
details of every single packet.  At the rate you're gathering incoming
packets, you should only need a few seconds worth of capture to find out
where it's coming from.

> 
> -----Original Message-----
> From: Joe [mailto:[EMAIL PROTECTED]
> Sent: Monday, October 06, 2003 10:36 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] OT Received Packets
> 
> 
> I would guess that it is probably mostly ARPs and other broadcasts. I 
> would say whoever mentioned the viruses is probably accurate, but 
> open that up to all of the broadcast and searching viruses like mumu 
> and code red and nimda and ... And ... And ... And ...
> 
> Whatever traffic it is though, it should be readily available in 
> netmon unless the wrong interface is being watched.
> 
> 
>    joe
> 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Gil 
> Kirkpatrick
> Sent: Monday, October 06, 2003 2:35 PM
> To: '[EMAIL PROTECTED]'
> 
> My first thought was that it might be machine policy, but it sounds like the 
> traffic is fairly continuous, as opposed to just after boot.
> 
> Are you running any p2p software?
> 
> -g
> 
> 
> -----Original Message-----
> From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
> Sent: Monday, October 06, 2003 10:47 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] OT Received Packets
> 
> 
> Netmon is gathering traffic but not showing all the packets that I am 
> receiving.
> 
> I am finding these numbers by going into Network and clicking on the 
> status of my network connection.  Right now I have 29,000 packets 
> received and 5,000 sent and my laptop has been on for an hour.
> 
> -----Original Message-----
> From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
> Sent: Monday, October 06, 2003 1:26 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] OT Received Packets
> 
> "I have run network monitor and  can not find what the traffic is that 
> I am receiving."
> 
> Meaning that NETMON is not showing any traffic? Or that NETMON can't 
> identify the traffic?
> 
> How are you determining that you are actually receiving this traffic?
> PERFMON?
> 
> -gil
> 
> 
> -----Original Message-----
> From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
> Sent: Monday, October 06, 2003 5:39 AM
> To: ActiveDir (E-mail)
> Subject: [ActiveDir] OT Received Packets
> 
> 
> This is a little off topic, but I have to ask.  My Laptop within minutes 
> of being turned on receives over 7,000 packets and sends only 300 or 
> so.  In 15 minutes I will have over 30,000 received packets.  My 
> computer is the only one this is happening to.
> 
> I have run network monitor and can not find what the traffic is that 
> I am receiving.  I have run an antivirus scan on my computer with 
> updated DAT files and found nothing.  I have looked at my services and 
> did not find anything different.
> 
> This only happens on my work network, not at home.  Does anyone have 
> any ideas?
> 
> Justin A. Salandra, MCSE
> Senior Network Engineer
> Catholic Healthcare System
> 212.752.7300 - office
> 917.455.0110 - cell
> [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
> 
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


--
Bill Moran
Potential Technologies
http://www.potentialtech.com
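
The receive filtering discussed in this thread, as a simplified model added here for illustration (it is not part of the original messages). The MAC addresses and frames are constructed, and `nic_accepts` and `summarize` are hypothetical names; the model shows which frames reach a capture tool with and without promiscuous mode.

```python
import struct
from collections import Counter

BROADCAST = b"\xff" * 6
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}

def nic_accepts(dst, own_mac, promiscuous=False, multicast_groups=()):
    """Simplified receive-filter decision based on the destination MAC."""
    if promiscuous or dst == own_mac or dst == BROADCAST:
        return True
    # Group bit (LSB of first octet) marks multicast; accept only if subscribed.
    return bool(dst[0] & 1) and dst in multicast_groups

def classify(dst, own_mac):
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 1:
        return "multicast"
    return "unicast-to-me" if dst == own_mac else "unicast-other"

def summarize(frames, own_mac, promiscuous=False):
    """Tally frames that pass the filter by (destination class, EtherType)."""
    seen = Counter()
    for frame in frames:
        if len(frame) < 14:
            continue  # too short to hold an Ethernet header
        dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
        if nic_accepts(dst, own_mac, promiscuous):
            seen[(classify(dst, own_mac), ETHERTYPES.get(ethertype, hex(ethertype)))] += 1
    return seen

def make_frame(dst, src, ethertype):
    return dst + src + struct.pack("!H", ethertype) + b"\x00" * 46

# Constructed sample traffic (locally administered MACs, not from the thread).
ME = bytes.fromhex("020000000001")
OTHER = bytes.fromhex("020000000002")
SENDER = bytes.fromhex("020000000003")
MCAST = bytes.fromhex("01005e0000fb")
SAMPLE = (
    [make_frame(BROADCAST, SENDER, 0x0806)] * 3   # ARP broadcasts
    + [make_frame(ME, SENDER, 0x0800)]            # unicast to this host
    + [make_frame(OTHER, SENDER, 0x0800)] * 2     # unicast to another host
    + [make_frame(MCAST, SENDER, 0x0800)]         # multicast, not subscribed
    + [b"\x00" * 6]                               # truncated frame
)

if __name__ == "__main__":
    print("normal:     ", dict(summarize(SAMPLE, ME)))
    print("promiscuous:", dict(summarize(SAMPLE, ME, promiscuous=True)))
```

In this model broadcast frames pass the filter in either mode, while unicast frames for other hosts appear only in promiscuous mode.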
