If you have the port that the internal interface of the router is connected to mirrored - yes, you will then be able to sniff all traffic coming from the router off of that interface.
In the situation that you describe, it is complex and convoluted - and sometimes difficult to capture the proper data unless you are using a distributed sniffer with mirrors into each VLAN/PVLAN. However, at the router port, you will capture all incoming traffic the only problem is that it will be like drinking from a fire hose. Lots and lots of data in a very short amount of time. If you knew, to some degree, who the target was, you could sniff on that VLAN and reduce the amount of unnecessary traffic that you will have to wade through. Given that it's a worm, you have an equal likelihood of catching it at any segment. The more interesting question is this: Is it random through e-mail, or is it something that an outbound connection brought in? Are you scanning and limiting WHERE your users can go, and what ports that they can go there on? -rtk -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of rubix cube Sent: Sunday, December 26, 2004 1:46 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] worm (very very OT) I see what you mean now, in the first part, but the last paragraph I got confused, why is it a diminished chance to catch it at the switch which has the router? I will tell u my pathatic situation, I have many VLANs, (around 15 for so many different reasons), out of these 15 only one VLAN is accessible for all the other VLANs, and this VLAN has for example the ISA servers (Internal NICs of the ISAs), email servers, MOM , etc... At times we have disaster on the network where huge traffic is passing the router out, at this situation I know I have a worm inside and I can't locate it just as Tom Kern who started the thread, at other times I have huge traffic coming to the network, which also I can't do anything about it, since the ISP says its none of his buisness, and if I apply the ACL at the router the traffic still passed all the way from the ISP to the router and utilized the bandwidth. If I try to trach the IPs of the incoming traffic I usually get some high school in Korea or some other IPs from the far east. anyways back to the topic in the times when I have the worm, if I have the router port at the switch mirrored and sniffed it its still a little chance that I will be able to determine the worm infected PC? So what will be the solution, how will I capture it before reaching the destination (without having to go to every switch on the network) many thanks On Sun, 26 Dec 2004 12:12:26 -0600, Rick Kingslan <[EMAIL PROTECTED]> wrote: > If we're speaking of a hub rather than a switch, you can plug in to > any port and sniff the traffic. A hub runs at the physical layer, > while a switch operates more at the MAC portion of the Data Link of the good old OSI stack. > > A switch is designed to deliver only traffic destined for a specific > port - not to flood all traffic to each port, and let the end devices > (your > computer) figure out what is for it and not. As to what port to > mirror - depends on who the source or destination is. Suppose you > could mirror all of them, but that Sometimes can be done, other times > not. > > But, what Roger is saying is to capture the traffic BEFORE it gets to > the switches. All of your traffic is going to have to go through some > Layer 3 device. Once it gets to the switches, your opportunity to > capture it has just diminished to pure chance. > > Rick Kingslan MCSE, MCSA, MCT, CISSP > Microsoft MVP: > Windows Server / Directory Services > Windows Server / Rights Management > Windows Security (Affiliate) > Associate Expert > Expert Zone - www.microsoft.com/windowsxp/expertzone > WebLog - www.msmvps.com/willhack4food > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of rubix cube > Sent: Sunday, December 26, 2004 12:07 AM > To: ActiveDir@mail.activedir.org > Subject: Re: [ActiveDir] worm (very very OT) > > do I need to mirror a specific port? Which one? > Why can't I connect to any availble port on that switch and sniff the > network? > thanks > rubix > > On Thu, 23 Dec 2004 14:01:51 -0500, Candee Vaglica <[EMAIL PROTECTED]> wrote: > > That's what I meant. > > ;) > > Thanks, Roger. > > > > On Thu, 23 Dec 2004 10:59:56 -0800, Roger Seielstad > > <[EMAIL PROTECTED]> wrote: > > > The way to track this down it so network scan on your egress > > > router's interface. It should be relatively trivial to filter for > > > the traffic based on destination port, and that will give you the > > > MAC address of the sender (that is VERY much harder to spoof - not > > > impossible, but a heck of a lot harder). > > > > > > >From that, you can look at the ARP table of the router and the > > > >MAC address > > > will be there from the *valid* traffic the machine is doing. You > > > can guarantee that by ping sweeping the LAN, just in case. Then > > > you're just matching MAC to MAC and you get the right IP address. > > > > > > Heck, I think there's perl code that will do most of that for you > > > - I know we've got a MAC hunter app at work that does something > > > similar to this to find the name of machines when all we have is a > > > MAC > address. > > > > > > -------- > > > Roger Seielstad > > > E-mail Geek & MS-MVP > > > > > > > -----Original Message----- > > > > From: [EMAIL PROTECTED] > > > > [mailto:[EMAIL PROTECTED] On Behalf Of Kern, > > > > Tom > > > > Sent: Thursday, December 23, 2004 8:30 AM > > > > To: ActiveDir@mail.activedir.org > > > > Subject: RE: [ActiveDir] worm (very very OT) > > > > > > > > we're a switched network. i'd have to go to every pc(500) and > > > > run it. i'm trying to avoid that. might as well run netstat -an > > > > on all pc's. > > > > > > > > ethereal won't tell me the real address. > > > > > > > > thanks > > > > > > > > -----Original Message----- > > > > From: Candee Vaglica [mailto:[EMAIL PROTECTED] > > > > Sent: Thursday, December 23, 2004 11:16 AM > > > > To: ActiveDir@mail.activedir.org > > > > Subject: Re: [ActiveDir] worm (very very OT) > > > > > > > > > > > > Use a network scanner, like Ethereal to monitor the traffic. > > > > > > > > > > > > On Thu, 23 Dec 2004 11:11:43 -0500, Kern, Tom > > > > <[EMAIL PROTECTED]> > > > > wrote: > > > > > this is way off and i apologize but you guys are really > > > > knowledgable and such a great help, i thought i'd try here. > > > > > > > > > > i have a number of pc's infected with some wom that goes > > > > out on port 10000 tcp and tries to attemp a DOS attack. > > > > > > > > > > I don't know the worm and a google searched didn't really > > > > turn anything up. > > > > > > > > > > here's the thing. the worm uses a spoofed source address. > > > > my question is, is there anyway to track down a spoofed address > > > > internally to the real address? > > > > > > > > > > I don't know how to find the infected pc's. > > > > > > > > > > thanks > > > > > List info : http://www.activedir.org/mail_list.htm > > > > > List FAQ : http://www.activedir.org/list_faq.htm > > > > > List archive: > > > > > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > > > > > > > > List info : http://www.activedir.org/mail_list.htm > > > > List FAQ : http://www.activedir.org/list_faq.htm > > > > List archive: > > > > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > > > List info : http://www.activedir.org/mail_list.htm > > > > List FAQ : http://www.activedir.org/list_faq.htm > > > > List archive: > > > > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > > > > > > > > > > > > > List info : http://www.activedir.org/mail_list.htm > > > List FAQ : http://www.activedir.org/list_faq.htm > > > List archive: > > > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > > > > List info : http://www.activedir.org/mail_list.htm > > List FAQ : http://www.activedir.org/list_faq.htm > > List archive: > > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > > List info : http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > List info : http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
