Re: Duplicate packets with same SEQ #'s... [7:53024]

2002-09-10 Thread Neil Desai

We have a similar situation in our network. We have proxy arp turned on and
it is causing the same thing.


Neil
"r34rv13wm1rr0r" wrote in message
news:[EMAIL PROTECTED]...
> This is from a tcpdump off of one of my core switches.  It appears that it is
> logging a duplicate packet with the same SEQ #.  Does anyone have any idea
> why this is occurring?
>
> Thanks,
>
> A
>
> 11:18:04.688408 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P 1:65(64) ack 49 win 8320NBT Packet (DF)
> 11:18:04.688409 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P 1:65(64) ack 49 win 8320NBT Packet (DF)
>
> 11:18:04.688643 172.X.103.10.netbios-ssn > 172.X.15.15.1503: P 158405518:158405625(107) ack 1210141117 win 8608NBT Packet (DF)
> 11:18:04.688644 172.X.103.10.netbios-ssn > 172.X.15.15.1503: P 0:107(107) ack 1 win 8608NBT Packet (DF)
>
> 11:18:04.688645 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P 65:119(54) ack 98 win 8271NBT Packet (DF)
> 11:18:04.688646 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P 65:119(54) ack 98 win 8271NBT Packet (DF)
>
> 11:18:04.63 X.X.6.3.http > 172.X.14.50.1123: . ack 4294967295 win 8155 (DF)
> 11:18:04.65 X.X.6.3.http > 172.X.14.50.1123: . ack 4294967295 win 8155 (DF)
>
> 11:18:04.66 172.23.27.10.3021 > 172.X.15.10.netbios-ssn: P 3194256684:3194256844(160) ack 95965178 win 7515NBT Packet (DF)
> 11:18:04.67 172.23.27.10.3021 > 172.X.15.10.netbios-ssn: P 0:160(160) ack 1 win 7515NBT Packet (DF)
>
> 11:18:04.68 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P 119:173(54) ack 147 win 8222NBT Packet (DF)
> 11:18:04.69 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P 119:173(54) ack 147 win 8222NBT Packet (DF)
>
> 11:18:04.688890 172.X.15.15.1503 > 172.X.103.10.netbios-ssn: P 1:161(160) ack 107 win 7996NBT Packet (DF)
> 11:18:04.688891 172.X.15.15.1503 > 172.X.103.10.netbios-ssn: P 1:161(160) ack 107 win 7996NBT Packet (DF)
>
> 11:18:04.689183 172.X.15.10.netbios-ssn > 172.23.27.10.3021: P 1:129(128) ack 160 win 8138NBT Packet (DF)
> 11:18:04.689185 172.X.15.10.netbios-ssn > 172.23.27.10.3021: P 1:129(128) ack 160 win 8138NBT Packet (DF)
>
> 11:18:04.689186 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P 173:255(82) ack 196 win 8173NBT Packet (DF)
> 11:18:04.689187 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P 173:255(82) ack 196 win 8173NBT Packet (DF)
>
> 11:18:04.689188 172.X.15.151.ssh > 172.X.53.186.1219: P 2849560709:2849560801(92) ack 2980294350 win 9648 (DF) [tos 0x10]
> 11:18:04.689189 172.X.15.151.ssh > 172.X.53.186.1219: P 0:92(92) ack 1 win 9648 (DF) [tos 0x10]
>
> 11:18:04.689192 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P 255:309(54) ack 245 win 8124NBT Packet (DF)
> 11:18:04.689193 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P 255:309(54) ack 245 win 8124NBT Packet (DF)
>
> 11:18:04.689608 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P 309:363(54) ack 294 win 8075NBT Packet (DF)
> 11:18:04.689609 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P 309:363(54) ack 294 win 8075NBT Packet (DF)
>
> 11:18:04.689610 172.X.243.6.printer > 172.X.240.10.723: . ack 4096314569 win 2144
> 11:18:04.689610 172.X.243.6.printer > 172.X.240.10.723: . ack 1 win 2144
>
> 11:18:04.689611 172.X.53.186.1219 > 172.X.15.151.ssh: P 1:45(44) ack 92 win 16724 (DF)
> 11:18:04.689612 172.X.53.186.1219 > 172.X.15.151.ssh: P 1:45(44) ack 92 win 16724 (DF)
>
> 11:18:04.689614 172.X.61.103.1066 > 172.X.15.49.netbios-ssn: P 294:343(49) ack 363 win 7380NBT Packet (DF) [tos 0x4]
> 11:18:04.718183 172.X.61.103.1066 > 172.X.15.49.netbios-ssn: P 6762:6811(49) ack 8223 win 8397NBT Packet (DF) [tos 0x4]
>
> 11:18:04.718187 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P 8223:8287(64) ack 6811 win 7438NBT Packet (DF)
> 11:18:04.718188 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P 8223:8287(64) ack 6811 win 7438NBT Packet (DF)
>
> 11:18:04.718423 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P 8287:8341(54) ack 6860 win 7389NBT Packet (DF)
> 11:18:04.718424 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P 8287:8341(54) ack 6860 win 7389NBT Packet (DF)
>
> 11:18:04.718425 172.X.240.220.6103 > 172.X.15.68.4720: . 2920:4380(1460) ack 1 win 16816 (DF)
> 11:18:04.718586 172.X.240.220.6103 > 172.X.15.68.4720: . 4380:5840(1460) ack 1 win 16816 (DF)




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=53059&t=53024
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
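
Added example (not code from the thread): a Python check that pairs up the second copies in a capture like the one quoted above. The copies arrive about 1 microsecond apart, far below any TCP retransmission timer, so they are the same frame seen twice by the capture rather than a retransmit. The function names and the 5 microsecond window are assumptions; the sample lines are taken from the quoted tcpdump output.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Old-style tcpdump TCP line: time src > dst: flags [start:end(len)] [ack N] win W
LINE_RE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\.(?P<us>\d{6})\s+"
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFPRWE.]+)"
    r"(?: (?P<start>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
    r" win (?P<win>\d+)"
)

@dataclass(frozen=True)
class Segment:
    ts_us: int
    src: str
    dst: str
    flags: str
    start: Optional[int]
    end: Optional[int]
    length: int
    ack: Optional[int]
    win: int

def parse_line(line: str) -> Optional[Segment]:
    """Parse one line; returns None for lines that are not full TCP records."""
    m = LINE_RE.match(line.lstrip("> ").rstrip())
    if not m:
        return None
    g = m.groupdict()
    num = lambda k: int(g[k]) if g[k] is not None else None
    ts = ((int(g["h"]) * 60 + int(g["m"])) * 60 + int(g["s"])) * 1_000_000 + int(g["us"])
    return Segment(ts, g["src"], g["dst"], g["flags"], num("start"), num("end"),
                   num("len") or 0, num("ack"), int(g["win"]))

def is_same_frame(a: Segment, b: Segment, max_gap_us: int) -> bool:
    """True when b looks like a second copy of a, not the next segment."""
    if not 0 <= b.ts_us - a.ts_us <= max_gap_us:
        return False
    if (a.src, a.dst, a.flags, a.length, a.win) != (b.src, b.dst, b.flags, b.length, b.win):
        return False
    # tcpdump prints absolute numbers for the first packet it sees on a flow
    # and relative ones afterwards, so the copy may read 0:len(len) / ack 1.
    same_seq = (a.start, a.end) == (b.start, b.end)
    relative_seq = b.start == 0 and b.end == b.length
    same_ack = a.ack == b.ack
    relative_ack = b.ack == 1
    return (same_seq or relative_seq) and (same_ack or relative_ack)

def find_duplicates(lines: List[str], max_gap_us: int = 5) -> List[Tuple[Segment, Segment, bool]]:
    """Return (first, copy, renumbered) for each segment seen twice on a flow."""
    last = {}
    hits = []
    for line in lines:
        seg = parse_line(line)
        if seg is None:
            continue
        prev = last.get((seg.src, seg.dst))
        if prev is not None and is_same_frame(prev, seg, max_gap_us):
            renumbered = (prev.start, prev.end, prev.ack) != (seg.start, seg.end, seg.ack)
            hits.append((prev, seg, renumbered))
        last[(seg.src, seg.dst)] = seg
    return hits

# Lines from the capture quoted in the post (wrapped lines rejoined).
SAMPLE = [
    "11:18:04.688408 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P 1:65(64) ack 49 win 8320NBT Packet (DF)",
    "11:18:04.688409 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P 1:65(64) ack 49 win 8320NBT Packet (DF)",
    "11:18:04.688643 172.X.103.10.netbios-ssn > 172.X.15.15.1503: P 158405518:158405625(107) ack 1210141117 win 8608NBT Packet (DF)",
    "11:18:04.688644 172.X.103.10.netbios-ssn > 172.X.15.15.1503: P 0:107(107) ack 1 win 8608NBT Packet (DF)",
    "11:18:04.689610 172.X.243.6.printer > 172.X.240.10.723: . ack 4096314569 win 2144",
    "11:18:04.689610 172.X.243.6.printer > 172.X.240.10.723: . ack 1 win 2144",
    "11:18:04.689614 172.X.61.103.1066 > 172.X.15.49.netbios-ssn: P 294:343(49) ack 363 win 7380NBT Packet (DF) [tos 0x4]",
    "11:18:04.718183 172.X.61.103.1066 > 172.X.15.49.netbios-ssn: P 6762:6811(49) ack 8223 win 8397NBT Packet (DF) [tos 0x4]",
    "11:18:04.718425 172.X.240.220.6103 > 172.X.15.68.4720: . 2920:4380(1460) ack 1 win 16816 (DF)",
    "11:18:04.718586 172.X.240.220.6103 > 172.X.15.68.4720: . 4380:5840(1460) ack 1 win 16816 (DF)",
]

if __name__ == "__main__":
    for first, copy, renumbered in find_duplicates(SAMPLE):
        note = " (copy printed with relative numbers)" if renumbered else ""
        print(f"{first.src} > {first.dst} len={first.length} "
              f"seen twice, {copy.ts_us - first.ts_us} us apart{note}")
```

The last two sample lines are consecutive 1460-byte segments with the same window; they are not flagged because their sequence ranges differ.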



Re: Weird sniffer issue... [7:22273]

2001-10-05 Thread Neil Desai

EtherPeek alerts you to a duplicate IP address if it has a different MAC
address for the same IP address. Could this be an issue with proxy arp on
the router?
Neil



"McMasters, Eric" wrote in message
news:[EMAIL PROTECTED]...
> Okay I know that you may be getting sick of my sniffer questions since this
> is the second one this week, but I've never seen this before, so here goes.
>
> I'm using good ole' Etherpeek and while monitoring a network I started
> getting duplicate IP address errors.  After further investigation Etherpeek
> shows the MAC address of the router as the conflicting MAC.  This is
> happening on several servers supposedly having a duplicate address as the
> router interface on the same segment.  I have never run into this problem
> before, so I thought that I would ask the experts.  What is causing this to
> happen and why?
>
> I'm starting to think that computers are the work of the devil!  Routers and
> switches to a lesser extent...
>
> TIA,
> Eric




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=22319&t=22273



Re: Anyone have CISSP? [7:7832]

2001-06-11 Thread Neil Desai

If you go to their web site they will give you the information that you
need. I used Information Security Management Handbook 4th ed and the SRV
publication books. This plus some common sense.
Neil


"1i$T" wrote in message
news:[EMAIL PROTECTED]...
> Do you mind telling me what materials you used for the exam?
> Thanks!!
>
>
> Neil Desai wrote:
>
> > I have the CISSP and I think that it is about as good as an MCSE. While it
> > holds more respect in the security world it has no technical merit
> > whatsoever. My boss made me get it so I did. I took about 3 months of
> > studying. I didn't take the class. I found many of the things in the
> > networking domain incorrect, but since they said that this is the way it is
> > then you have to learn things that are wrong just to pass the test, just
> > like the MCSE. I would rather spend my time learning something useful like
> > forensics, intrusion detection or programming.
> >
> > Neil
> >
> > "Craig Columbus" wrote in message
> > news:[EMAIL PROTECTED]...
> > > I'm looking for information from those of you who've earned the CISSP
> > > certification.  Does it complement your Cisco security skills?  Have you
> > > found that employers/clients recognize the cert?  Assuming that one already
> > > has the requisite knowledge, does the certification open enough new doors
> > > that it's worth the time and expense of obtaining it?
> > >
> > > Thanks in advance,
> > > Craig




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=8105&t=7832



Re: Anyone have CISSP? [7:7832]

2001-06-10 Thread Neil Desai

I have the CISSP and I think that it is about as good as an MCSE. While it
holds more respect in the security world it has no technical merit
whatsoever. My boss made me get it so I did. I took about 3 months of studying. I
didn't take the class. I found many of the things in the networking domain
incorrect, but since they said that this is the way it is then you have to
learn things that are wrong just to pass the test, just like the MCSE. I
would rather spend my time learning something useful like forensics,
intrusion detection or programming.

Neil


"Craig Columbus" wrote in message
news:[EMAIL PROTECTED]...
> I'm looking for information from those of you who've earned the CISSP
> certification.  Does it complement your Cisco security skills?  Have you
> found that employers/clients recognize the cert?  Assuming that one already
> has the requisite knowledge, does the certification open enough new doors
> that it's worth the time and expense of obtaining it?
>
> Thanks in advance,
> Craig




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=7923&t=7832



Re: Sniffer Resources [7:4410]

2001-05-14 Thread Neil Desai

TCP/IP Illustrated Vol.1 by Richard Stevens.
Neil
 wrote in message
news:[EMAIL PROTECTED]...
> Okay all you networking pros out there.  Does anybody know of any good
> Network General Sniffer resources?  More specifically if I want to look
> up diagnoses such as TTL's, retransmissions, long ack times etc.?
>
> jd




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=4490&t=4410



Re: Just been Hacked!!!!! [7:3452]

2001-05-07 Thread Neil Desai

He got in by using the unicode exploit. You have one of the following
situations:
1. wwwroot on the same drive as the OS.
2. msadc and/or scripts virtual directories

Check the %systemroot%/Program Files/Common Files/System/msadc/ for a file
called "root.exe". This file is a copy of your "cmd.exe". I would apply the
patches that are relevant to your box to fix the unicode exploit. I would
also do the following:
1. Create a local group on the IIS box.
2. Put only people that will administer the box in that local group.
3. Move the following files to another directory: arp.exe, at.exe,
atsvc.exe, cacls.exe, cmd.exe, command.com, cscript.exe, debug.exe,
edit.com, edlin.exe, finger.exe, ftp.exe, ipconfig.exe, nbstat.exe, net.exe,
netstat.exe, nslookup.exe, ping.exe, qbasic.exe, rpc.exe, rdisk.exe,
regedit.exe, regedit32.exe, rexec.exe, route.exe, rsh.exe, runonce.exe,
secfixup.exe, syskey.exe, telnet.exe, ftfp.exe, tracert.exe, wscript.exe,
xcopy.exe, copy.exe
4. Put the newly created directory in the path.
5. Change the NTFS permission so only the local group that you just created
has permissions to it.
6. Deny all others access to it.
7. Run some form of IDS (Intrusion Detection System). If you don't have a
lot of money you can run Snort. It is free. It is a great IDS.

Neil



"John Brandis" wrote in message
news:[EMAIL PROTECTED]...
> I was hacked by , Sysadmcn
> He got in and changed the web site to F- USA Govt.
> Does anyone know what other changes to NT2000, besides renaming of the
> default web page, to one that he added. Also, does anyone know how he got
> in ?
>
>
> - Original Message -
> From: "Kevin O'Gilvie"
> To:
> Sent: Tuesday, May 08, 2001 12:32 AM
> Subject: Just been Hacked! [7:3452]
>
>
> > Apparently over the weekend Poison Box got past my Pix and overwrote some
> > files on the intranet Box and maybe more damage than I know of at this
> > Moment. I need help on finding out how they got in and how to prevent it
> > happening in the future. Please help.
> >
> > Thanks,
> >
> > Kevin




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3517&t=3452
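
Added example (not code from the thread): the reply above says to look for "root.exe", a copy of "cmd.exe", in the msadc directory. This Python sketch goes one step further than the name check and flags any file under the web-reachable directories whose content is identical to the reference cmd.exe, whatever it has been renamed to. The function names and the demo directory layout are assumptions; the demo files are constructed.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import List

def sha256_file(path: Path, chunk: int = 65536) -> str:
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def find_copies(reference: Path, roots: List[Path]) -> List[Path]:
    """Return every file under roots whose bytes equal the reference file."""
    ref_real = reference.resolve()
    ref_size = reference.stat().st_size
    ref_hash = sha256_file(reference)
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                candidate = Path(dirpath) / name
                try:
                    if candidate.resolve() == ref_real:
                        continue                      # the reference itself
                    if candidate.stat().st_size != ref_size:
                        continue                      # cheap reject before hashing
                    if sha256_file(candidate) == ref_hash:
                        hits.append(candidate)
                except OSError:
                    continue                          # unreadable file: skip it
    return sorted(hits)

def demo() -> List[str]:
    """Build a constructed directory tree and report the copies found in it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        for sub in ("system32", "msadc", "scripts"):
            (base / sub).mkdir()
        shell_bytes = b"MZ" + b"constructed stand-in for cmd.exe" * 8
        (base / "system32" / "cmd.exe").write_bytes(shell_bytes)
        (base / "msadc" / "root.exe").write_bytes(shell_bytes)      # renamed copy
        (base / "msadc" / "readme.txt").write_bytes(b"unrelated")
        (base / "scripts" / "same_size.bin").write_bytes(b"\x00" * len(shell_bytes))
        found = find_copies(base / "system32" / "cmd.exe",
                            [base / "msadc", base / "scripts"])
        return [p.relative_to(base).as_posix() for p in found]

if __name__ == "__main__":
    for path in demo():
        print("copy of reference shell found:", path)
```

On a real server, pass the actual cmd.exe path as the reference and the directories mapped to virtual roots as the search roots.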



Re: IDS monitoring & Port Mirroring/SPAN

2001-03-31 Thread Neil Desai

I am using a 2900XL with 2 IDS's and Internet monitoring software on it.
There are three vlans on it. It is working great. If you need more info
email me offline.
Neil


"Scott Nelson" <[EMAIL PROTECTED]> wrote in message
news:9a580l$a2n$[EMAIL PROTECTED]...
> OK, here's the deal,
>
> I need to monitor a T-3 before and after a Firewall
> So: ISP---7206---Switch---Firewall---Switch---Router---LANs
>
> with the 2 different IDSes ( Intrusion Detection System ) hanging off of a
> monitor port on each switch.
>
> I was starting to get collisions on the firewall and the router with a 100Mb
> hub so, I figured if I whack 2 Cisco 2912XL switches in there and set
> everything for 100Mb Full, and that would end that issue and it has, but has
> raised another one.
>
> So far, at the switch points, the switches are running at 80% according to
> the LEDs on the front, with our current bandwidth at about ~20Mb.
> What are the LEDs measuring is my first question?
> If it is the CPU utilization, I have a feeling it is because of Span/port
> monitor that the CPU has to duplicate the packets and ship them out the
> monitor port.
>
> My 2nd question is: If this link goes up to the max 40+ Mb, will I start
> dropping packets between the router(s) and the Firewall?
> Will I drop packets going to the IDSes?
>
> We have a Cat 5000 sitting around so, I figured, why not just use it?
> I tried to enable two different Port spans on a Cat 5000 and it will only
> allow me to do one at a time. I figured a Cat 5000 would have enough CPU
> power to do the job. I was going to create 3 VLANs, one VLAN before the
> firewall and one after and one for management. But if I can only do (1) span
> at a time, this isn't going to work either.
>
> Suggestions?
>
> Or am I worrying for nothing? Will the 2912's do it or do I need to go the
> 3500XL or 4000 series switches to do this? What is everyone else doing?
>
> Scotty
>
> --
> Scott Nelson - Network Engineer
> Wash DC +1202-270-8968
> Los Angeles +1310-367-6646
> mailto:[EMAIL PROTECTED]
> --



Re: Favorite Network Sniffer

2001-02-02 Thread Neil Desai

It depends on the platform and use. For NT  I like EtherPeek and WinDump.
For Unix I like TCPDump. For heavier traffic I like the Sniffer Pro DSS.
Neil

"Russell Frame" <[EMAIL PROTECTED]> wrote in message
news:95ct9j$fgl$[EMAIL PROTECTED]...
> What's your favorite network sniffer/analyzer?
>
>



Re: TCP port number 0

2001-01-19 Thread Neil Desai

Most likely someone was trying to do some "passive OS fingerprinting" with
hping2. The default port that hping2 uses is 0. They might have been trying
to map your network or they may have been just poking around.
Neil




"Nurarif W" <[EMAIL PROTECTED]> wrote in message
news:009c01c081eb$19cc9730$160a@pokemon...
> Hi,
>
> Does anyone know what is the purpose of tcp port number 0 ?
> I have an experience catching traffic coming from HTTP server with tcp
> port number 0 and destined to any IP address with tcp port number 0.
> After I put an incoming access-list that blocked port number 0, a few
> minutes later I saw this packet was never being generated again. The
> access-list is applied for incoming traffic.
> For example :
>
> access-list 101 deny   tcp host HTTPserver eq 0 any log
> access-list 101 deny   tcp any any eq 0 log
> access-list 101 deny   tcp any eq 0 any log
> access-list 101 permit ip any any
>
> Thank you
>
>



Re: NetBios forwarding

2000-12-30 Thread Neil Desai

NetBIOS runs on top of TCP/IP (NBT). If you have a WINS server then it will
not broadcast to find the server, unless there is no record in the WINS
server. You could configure a LMHOSTS file on the workstation. This would
have the server's NetBIOS name to IP address mapping. If you include the
"#PRE" tag it will be loaded into the NetBIOS cache at boot time. I am not
sure if this helps.
Neil



"John Neiberger" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> We have some new software running on a single workstation that is trying to
> use netbios to communicate with a server on a different subnet.  We do not
> currently allow this type of forwarding, and I've never configured it
> before.  We'd like to limit netbios forwarding to just these two machines.
> Here is my idea, let me know if this would be the way to do it.
>
> access-list 1 permit 10.1.1.1  (workstation)
> access-list 2 permit 10.2.2.2  (server)
>
> ip forward-protocol udp 137
> ip forward-protocol udp 138
> ip forward-protocol udp 139
>
> int fastethernet1/0
> ip add 10.1.1.254 255.255.255.0
> ip directed-broadcast 1
> ip helper-address 10.2.2.2
>
> int fastethernet2/0
> ip add 10.2.2.254 255.255.255.0
> ip directed-broadcast 2
> ip helper-address 10.1.1.1
>
> Would this do what I'm trying to accomplish?  If not, please let me know, or
> if anyone has any tips for this sort of thing, I'd love to hear them.
>
> Thanks a million, as usual!
>
> John



Re: can SPAN port transmit?

2000-12-30 Thread Neil Desai

I use a 2900XL with many span ports. I use one of them for an Internet
monitoring software. It has the ability to monitor at 100Mbps full duplex
and transmit on that same port. I have a Sniffer Pro DSS and I am able to
transmit data on that span port also.
Neil




"Priscilla Oppenheimer" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Hi folks,
>
> If I connect a Sniffer-like device to the SPAN port of a switch, will the
> Sniffer-like device be able to transmit data?
>
> My guess is no. From my reading on Cisco's SwitchProbe external hardware
> probes, it appears that the SwitchProbe needs an additional port to send
> data to a network management system. One port connects to a SPAN port on
> the switch and the other port connects to a normal port and is configured
> in "management mode."
>
> But, does anyone have experience with trying to send from a device
> connected to a SPAN port?
>
> Thanks
>
> Priscilla
>
> 
>
> Priscilla Oppenheimer
> http://www.priscilla.com
>



Re: Ethernet Frame (revisited for clarification)

2000-11-25 Thread Neil Desai

Thank you for the information.
Neil
"Howard C. Berkowitz" <[EMAIL PROTECTED]> wrote in message
news:p0500190eb64481a0727c@[63.216.127.98]...
> The LAN data link protocols have source and destination addresses.
> WAN protocols usually have a destination address field only (see
> below).
>
> >If you look at the frame format for any LAN protocol you will see where the
> >Destination and Source MAC address are.
> >If you look at
> >http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/introwan.htm you
> >will see where the WAN technologies lie in the OSI model and hopefully
> >this will also explain why serial lines don't have MAC addresses.
> >The reason that LAN protocols have a MAC address and WAN's don't is because
> >LAN's are contention based where WAN's are always full-duplex. Even though
> >layer 2 switching has been around for LAN's for a few years now the
> >protocols have stayed the same for backwards compatibility.
> >Neil
> >
>
>
> I'd disagree that WAN technologies are necessarily full-duplex.
> Polled, half-duplex operation was extremely common in SNA, as a means
> of sharing expensive dedicated lines (before frame relay and the
> like).
>
> Both SDLC (and its predecessors such as BSC) and LLC2 are
> deterministic/token-based rather than collision/contention protocols.
> The key difference between polled SNA and token ring, however, is
> control of the token.  In SDLC, the token is centrally controlled (by
> the PU4 or PU5).  In TR, control of the token is distributed.
>
> When control is centralized, and all traffic flows through the
> hub/mainframe, there's no need for a source address.  The source
> address is always clear from context.  There is a need for a
> destination address so a destination can know a poll is intended for
> it.
>
> So there is a need for destination addresses in WAN protocols
> intended for use in a point-to-multipoint environment.  PPP,
> operating in point-to-point mode, never really needed any address
> field, but was designed with one because not to have one would have
> been incompatible with commercial data link chips of the time.
> Indeed, protocols such as SRP are being proposed for efficient POS
> applications, and these protocols have no address field because they
> don't need one.
>
> PS -- one thing that might be confusing about router serial lines
> having MAC addresses is that IPX and XNS will "borrow" a MAC address
> from a LAN interface in order to create the host part of a layer 3
> address.
>
>



Re: Ethernet Frame (revisited for clarification)

2000-11-24 Thread Neil Desai

If you look at the frame format for any LAN protocol you will see where the
Destination and Source MAC address are. You will not see these in any of the
WAN frame formats. I looked on CCO for more information to clarify this but
was unsuccessful. What I did look at was the frame formats for different WAN
protocols.
Here are some links to show you what I am talking about:
SDLC
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/sdlcetc.htm#xtocid249413
Frame Relay
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/frame.htm#41825
X.25
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/x25.htm#xtocid1227310
Ethernet
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/ethernet.htm#xtocid118335
Token Ring
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/tokenrng.htm#xtocid73166
FDDI
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/fddi.htm#xtocid1028610

If you look at
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/introwan.htm you
will see where the WAN technologies lie in the OSI model and hopefully
this will also explain why serial lines don't have MAC addresses.
The reason that LAN protocols have a MAC address and WAN's don't is because
LAN's are contention based where WAN's are always full-duplex. Even though
layer 2 switching has been around for LAN's for a few years now the
protocols have stayed the same for backwards compatibility.
Neil




"John Green" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> this post(s) was posted a couple of days back and just
> wanted some more list members to see if this is correct
> before we take this as gospel truth.
> ---
> Neil Desai <[EMAIL PROTECTED]> wrote:
> > To my knowledge serial links don't have a MAC address. Since most of them
> > are either a point-to-point or point-to-multipoint there are some other type
> > of mappings. If a serial port needs a MAC address it usually uses one from
> > another interface that has one (i.e. ethernet).
> > Neil
> > "Martinez, Carlos" <[EMAIL PROTECTED]> wrote in message
> > news:[EMAIL PROTECTED]...
> > > hello all,
> > >
> > > I had somebody ask me what the source mac address would be on a frame sent
> > > across a serial link connected by to two routers,
> > > for example: Host A sends a packet to Host B, which is on the other side of
> > > the wan link. what would Host B see and what where would he send his reply
> > > to.(the local router or Host A or what)
> > >
> > > thanks in advance



Re: Ethernet Frame

2000-11-17 Thread Neil Desai

To my knowledge serial links don't have a MAC address. Since most of them
are either a point-to-point or point-to-multipoint there are some other type
of mappings. If a serial port needs a MAC address it usually uses one from
another interface that has one (i.e. ethernet).
Neil
"Martinez, Carlos" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> hello all,
>
> I had somebody ask me what the source mac address would be on a frame sent
> across a serial link connected by to two routers,
>  for example: Host A sends a packet to Host B, which is on the other side of
> the wan link. what would Host B see and what where would he send his reply
> to.(the local router or Host A or what)
>
> thanks in advance
>



Re: Ethernet Collisions

2000-11-17 Thread Neil Desai

I would manually set your port speeds so that the router and the switches
match. Autonegotiation does not always work.
Neil
"Amit Gupta" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Hello ,
>
>
> I am facing a problem of large number of collisions in the network
> and would like to have your help on this
>
> We have 2 Catalyst switches , 5509 and 6009 cascaded together and all the
> ports are configured in the Autonegotiating mode.
>
> The following is the sh interface from the router
> sh inter eth 0/0
> Ethernet0/0 is up, line protocol is up
>   Hardware is AmdP2, address is 0050.7331.0901 (bia 0050.7331.0901)
>   Description: EHPT NET
>   Internet address is 136.225.199.1/24
>   MTU 1500 bytes, BW 1 Kbit, DLY 1000 usec,
>  reliability 255/255, txload 33/255, rxload 32/255
>
>   Encapsulation ARPA, loopback not set, keepalive set (10 sec)
>   ARP type: ARPA, ARP Timeout 04:00:00
>   Last input 00:00:00, output 00:00:00, output hang never
>   Last clearing of "show interface" counters 6d19h
>   Queueing strategy: fifo
>   Output queue 0/40, 38740 drops; input queue 6/75, 14749 drops
>   5 minute input rate 1275000 bits/sec, 434 packets/sec
>   5 minute output rate 1298000 bits/sec, 426 packets/sec
>  154020652 packets input, 3485131167 bytes, 0 no buffer
>  Received 1564263 broadcasts, 0 runts, 0 giants, 0 throttles
>  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
>  0 input packets with dribble condition detected
>  154717115 packets output, 1648908410 bytes, 0 underruns
>  31 output errors, 54533299 collisions, 0 interface resets
>  0 babbles, 0 late collision, 7633346 deferred
>  0 lost carrier, 0 no carrier
>  0 output buffer failures, 0 output buffers swapped out
>
> Thanks & Regards
>
> Amit



console or AUX port

2000-11-08 Thread Neil Desai

I am currently making a lab with a 2511 as my terminal server. I am plugging
the octal cables into the AUX ports of the routers and everything works
fine. Unfortunately the 1600's don't have an AUX port so I tried the
console port but I am unable to get it to work on the console port. From
what others have told me this can be done. When I went to fatkid.com and
looked at their reverse telnet lab they are connecting to the AUX port, in
Caslow's book it says to connect to the console port. If anyone can help me
on this I would appreciate it. Thanks.
Neil





Re: a MAC Address Question

2000-11-01 Thread Neil Desai

The IANA has an Ethernet address block for itself, 00:00:5e. They have
allocated half of this block to multicast addresses. The range of multicast
addresses is 01:00:5e:00:00:00 to 01:00:5e:7f:ff:ff. With this 23 bits of
the Ethernet address can directly correspond to the IP multicast group ID.
In this mapping the lower 23 bits of the IP address are directly mapped to
the Ethernet address. This leaves 5 bits of IP address that are unused (the
first 5 bits after the initial 1110). Because of this there are 32 multicast
group ID's that can correspond to a single Ethernet address. At this point
it is up to a higher layer to do some filtering to drop unwanted packets. I
hope this helps.
Neil





"Aaron" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Hi, everyone!
>
> I have a question about the MAC layer address, and I use the Ethernet for
> making an example.
>
> We all know that the first 3 bytes of the 48-bit MAC address are indicate
> the vendor. Among the 3 bytes, the first is important, because the first
2-
> bit in this byte has special meanings that are I/G bit and U/L bit.
>
> I have a question about the following whether it is right:
> when we get a MAC address, such as  0030.b6f7.3000 (Cisco),
> 1. Whether the I/G and U/L bit are already set to zero?
> 2. When a multicast packet should be sent to this address, the destination
> address in the MAC packet header should be set to 0130.b6f7.3000?
>
> Thank you for your help and there may be some understanding errors in the
> questions.
>
> thank you very much!
>
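
The mapping described in the reply above, as an added example (not part of the original post): it computes the multicast MAC for a group address, lists the 32 groups that share one MAC, and shows the IP-layer check that has to drop the aliases. The function names and the sample groups are assumptions made for the illustration.

```python
import ipaddress

# 01:00:5e:00:00:00, the start of the IANA multicast half-block; the low
# 23 bits are filled in from the IP group address.
MCAST_BASE = 0x01005E000000
LOW23 = 0x7FFFFF


def group_to_mac(group):
    """Map an IPv4 multicast group to its Ethernet destination address."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not in 224.0.0.0/4")
    mac = MCAST_BASE | (int(addr) & LOW23)
    return ":".join(f"{(mac >> s) & 0xFF:02x}" for s in range(40, -8, -8))


def groups_sharing_mac(mac):
    """List the 32 group addresses that map to one multicast MAC."""
    value = int(mac.replace(":", "").replace("-", ""), 16)
    if value >> 23 != MCAST_BASE >> 23:
        raise ValueError(f"{mac} is outside 01:00:5e:00:00:00-01:00:5e:7f:ff:ff")
    low = value & LOW23
    # 1110 | 5 bits that never reach the MAC | 23 mapped bits
    return [str(ipaddress.IPv4Address((0b1110 << 28) | (hi << 23) | low))
            for hi in range(32)]


def receive(dst_ip, joined_groups):
    """Return (nic_accepts, ip_accepts) for a frame carrying dst_ip.

    The adapter filters on the destination MAC only, so it accepts every
    group that aliases onto a MAC it listens for. The IP layer then has
    to compare the full group address and drop the rest.
    """
    listening = {group_to_mac(g) for g in joined_groups}
    nic_accepts = group_to_mac(dst_ip) in listening
    ip_accepts = nic_accepts and dst_ip in joined_groups
    return nic_accepts, ip_accepts


if __name__ == "__main__":
    print(group_to_mac("224.0.0.5"))
    print(groups_sharing_mac("01:00:5e:00:00:05")[:3], "...")
    # Host joined 224.0.0.5 only; traffic for 225.0.0.5 still passes the NIC.
    print(receive("225.0.0.5", {"224.0.0.5"}))
```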





Re: upcoming caslow book

2000-10-27 Thread Neil Desai

I saw this on fatbrain.com
http://www1.fatbrain.com/asp/bookinfo/bookinfo.asp?theisbn=0130903892
Cisco Certification : Bridges Routers and Switches for CCIEs, Second Edition
By Caslow, Bruce
  Online Price: $55.95
  Hardcover
  20% off list (you save $14.04)

   List Price: $69.99
  900 Pages
  Published by Prentice Hall
  Date Published: 11/2000
  ISBN: 0130903892



He is coming out with a second edition of Bridges, Routers, and Switches. It
is due out in November of 2000.

This was also on fatbrain.com
http://www1.fatbrain.com/asp/bookinfo/bookinfo.asp?theisbn=013085266X
Cisco Routing Illustrated : A Workshop for CCIEs and CCNPs
By Caslow, Andrew Bruce
  Online Price: $47.95
  Hardcover
  20% off list (you save $12.04)

   List Price: $59.99
  500 Pages
  Published by Prentice Hall
  Date Published: 03/2001
  ISBN: 013085266X





Neil
""Leigh Anne Chisholm"" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> That's a good question.  Apparently Caslow's "Cisco Certification: Bridges,
> Routers and Switches for CCIE's" is now out of print...  My initial
> impression is that his new book won't cover all the same material as his
> first.
>
> For those of you who've been wanting to buy Cisco Certification: Bridges,
> Routers and Switches for CCIE's, I recommend you go buy it now.  I had a
> hard time finding it in my local bookstore and couldn't order it from
> several online bookstores.
>
>
>   -- Leigh Anne
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Craig Jensen
> Sent: October 26, 2000 6:41 PM
> To: [EMAIL PROTECTED]
> Subject: upcoming caslow book
>
>
> On amazon.com a title Cisco Routing Illustrated: A Workbook for CCIEs and
> CCNPs is listed.  Does anybody know details about this book?
> Craig
>
>





Re: About access-list

2000-09-27 Thread Neil Desai

You are correct in your assumptions. The only thing that you have to watch
out for is the "any" keyword. I usually filter the traffic for a particular
interface if possible. This way you can help prevent spoofing.
Neil
"Raymond Mak" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Hi,
>
> Once I apply the extended list on an interface for "IN" traffic, does it
> implicitly block all incoming traffic on that interface?
>
> I also want to know, for example.
> access-list 110 permit tcp any any neq telnet
>
> 1. ip access-group 110 in
> 2. ip access-group 110 out
>
> For 1, the source (any) would be internal network, destination (any) would
> be outside.
> Is it, for 2, the source would be outside network, destination would be
> internal network?
> Am I wrong with this kind of "point of view"?
> Thanks
>
> Raymond
>
>
> Raymond Mak wrote:
>
> > Hi,
> >
> > I am just a beginner. I have a question is that should I need to type
> > any command to "enable" using ip extended access-list?
> > It is because when I add an ip access-group for standard access-list on
> > an interface, it works and no side-effect. But when I add an extended
> > access-list on an interface,
> > I even cannot ping out.
> >
> > Thanks
> >
> > Regards,
> > Raymond
> >
>


**NOTE: New CCNA/CCDA List has been formed. For more information go to
http://www.groupstudy.com/list/Associates.html
_
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
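
An added model of how an access list is evaluated, not part of the thread and not Cisco's code: the first matching entry wins and anything unmatched hits the implicit deny, which is why ICMP stops once list 110 is applied. The 192.0.2.0/24 inside prefix, the second list and all names are hypothetical, chosen to show the difference between `any` and an interface-specific source.

```python
import ipaddress
from typing import NamedTuple, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
INSIDE = ipaddress.ip_network("192.0.2.0/24")   # hypothetical inside LAN
TELNET = 23


class Rule(NamedTuple):
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport_neq: Optional[int] = None  # models the "neq <port>" operator


class Packet(NamedTuple):
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def rule_matches(rule, pkt):
    if rule.proto not in ("ip", pkt.proto):
        return False
    if ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.dport_neq is not None and pkt.dport == rule.dport_neq:
        return False
    return True


def evaluate(acl, pkt):
    """First matching entry wins; a packet that matches nothing is denied."""
    for index, rule in enumerate(acl):
        if rule_matches(rule, pkt):
            return rule.action, index
    return "deny", None   # the implicit "deny ip any any" at the end


# The list from the question: access-list 110 permit tcp any any neq telnet
ACL_110 = [Rule("permit", "tcp", ANY, ANY, TELNET)]

# Hypothetical variant for the inside interface: name the real source
# prefix instead of "any", and permit ICMP explicitly so ping works.
ACL_110_INSIDE = [
    Rule("permit", "tcp", INSIDE, ANY, TELNET),
    Rule("permit", "icmp", INSIDE, ANY),
]

# Constructed sample packets arriving inbound on the inside interface.
WEB = Packet("tcp", "192.0.2.10", "203.0.113.5", 80)
TELNET_PKT = Packet("tcp", "192.0.2.10", "203.0.113.5", 23)
PING = Packet("icmp", "192.0.2.10", "203.0.113.5")
SPOOFED = Packet("tcp", "198.51.100.7", "203.0.113.5", 80)

if __name__ == "__main__":
    for name, acl in (("110", ACL_110), ("110 inside", ACL_110_INSIDE)):
        for pkt in (WEB, TELNET_PKT, PING, SPOOFED):
            print(name, pkt, evaluate(acl, pkt))
```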



Re: Packet Generator

2000-09-17 Thread Neil Desai

Here is a free tool that will replay actual traffic:
http://www.anzen.com/research/nidsbench/tcpreplay.html

It replays information from tcpdump.
If you want to make a TCP/IP packet from scratch try nemesis. It is billed
as "Command line driven portable IP stack." It supports TCP, UDP, ICMP,
ARP, IGMP, DNS, RIP, and OSPF.
Neil

<[EMAIL PROTECTED]> wrote in message news:8q2v6q$25i$[EMAIL PROTECTED]...
> Is anybody aware of any freeware/shareware tools for packet generation? I
> need it for load testing OC3/12 interfaces?
>
>
> ""ccie10"" <[EMAIL PROTECTED]> wrote in message
> news:8q2o98$nle$[EMAIL PROTECTED]...
> > Anyone have info/recommendations for a packet generator?
> >
> > thanks





Re: Layer 2 Addressing

2000-09-14 Thread Neil Desai

If you look at RFC 2469 you can see that no matter how the bits are stored
in memory they go on the wire the same way. It is impossible to distinguish
a canonical formatted message from a non-canonical formatted message. Here
is the excerpt:


   Canonical form (also known as "LSB format" and "Ethernet format") is
   the name given to the format of a LAN adapter address as it should be
   presented to the user according to the 802 LAN standard.  It is best
   defined as how the bit order of an adapter address on the LAN media
   maps to the bit order of an adapter address in memory: The first bit
   of each byte that appears on the LAN maps to the least significant
   (i.e., right-most) bit of each byte in memory (the figure below
   illustrates this).  This puts the group address indicator (i.e., the
   bit that defines whether an address is unicast or multicast) in the
   least significant bit of the first byte.  Ethernet and 802.3 hardware
   behave consistently with this definition.

   Unfortunately, Token Ring (and some FDDI) hardware does not behave
   consistently with this definition; it maps the first bit of each byte
   of the adapter address to the most significant (i.e., left-most) bit
   of each byte in memory, which puts the group address indicator in the
   most significant bit of the first byte.  This mapping is variously
   called "MSB format", "IBM format", "Token-Ring format", and "non-
   canonical form".  The figure below illustrates the difference between
   canonical and non-canonical form using the canonical form address
   12-34-56-78-9A-BC as an example:

   In memory,      12       34       56       78       9A       BC
   canonical:   00010010 00110100 01010110 01111000 10011010 10111100

                1st bit appearing on LAN (group address indicator)
                |
   On LAN:      01001000 00101100 01101010 00011110 01011001 00111101

   In memory,
   MSB format:  01001000 00101100 01101010 00011110 01011001 00111101
                   48       2C       6A       1E       59       3D



Notice that on the LAN they look exactly the same.
Neil

""Ejay Hire"" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Roosevelt Giles, CCIE All-in-one P210-212.  In translational bridging, the
> Translation engine converts the format from Little-endian to big-endian.
> The multicast bit and the U/l bit are both part of the mac-address, and are
> converted with the address, with no modification other than the Bit
> re-ordering.
>
> After Bit translation, the Frame length, Access Control, Routing
> Information... fields are added to the frame, and it is passed to the Bridge
> module.
>
>
> Original Message Follows
> From: "Neil Desai" <[EMAIL PROTECTED]>
> Reply-To: "Neil Desai" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Layer 2 Addressing
> Date: Thu, 14 Sep 2000 16:00:56 -0400
>
> I have asked this question once before and had little luck in finding the
> answers. This time I have given more explanation and an example.
> I have a problem in understanding the issues concerning canonical vs.
> non-canonical addressing. I have read the archives of GroupStudy.com (both
> CCIE and regular mailing lists), RFC 2469, Optimized.com, Interconnections
> (Second Edition), many Cisco Press Books. I have been to many college sites
> in reference to Manchester encoding. I have searched on CCO, and the
> Internet. I have had discussions with my peers and have now thoroughly
> confused them. In the scheme of things I guess it does not matter on why but
> that it just happens and that we need to be aware of the issues and how to
> solve them. Unfortunately I can't leave it at that.
>
> In "Interconnections Second Edition" pages 32-33 she states:
>
> "With 802.3 and 802.4, the least significant bit is transmitted first; with
> 802.5 (and FDDI), the most significant bit is transmitted first. This would
> not be an issue (adapters on the receiver and transmitter for a particular
> LAN would presumably be symmetric, and the order of the transmission would
> be irrelevant) except that the group bit in addresses was defined not as
> "the most significant bit" or "the least significant bit" but rather as "the
> first bit on the wire." Thus, an address that was a group address on 802.3
> would not necessarily look like a group address when transmitted on 802.5
> because a different bit would be transmitted first.
> The canonical format of address assumes least-significant-bit-order-first
> order. Therefore, the address a2-41-59-31-51 is not a group address because
> the least significant bit of the first octet (a2, which equals 10100010
> b

Layer 2 Addressing

2000-09-14 Thread Neil Desai

I have asked this question once before and had little luck in finding the
answers. This time I have given more explanation and an example.
I have a problem in understanding the issues concerning canonical vs.
non-canonical addressing. I have read the archives of GroupStudy.com (both
CCIE and regular mailing lists), RFC 2469, Optimized.com, Interconnections
(Second Edition), many Cisco Press Books. I have been to many college sites
in reference to Manchester encoding. I have searched on CCO, and the
Internet. I have had discussions with my peers and have now thoroughly
confused them. In the scheme of things I guess it does not matter on why but
that it just happens and that we need to be aware of the issues and how to
solve them. Unfortunately I can't leave it at that.

In "Interconnections Second Edition" pages 32-33 she states:

"With 802.3 and 802.4, the least significant bit is transmitted first; with
802.5 (and FDDI), the most significant bit is transmitted first. This would
not be an issue (adapters on the receiver and transmitter for a particular
LAN would presumably be symmetric, and the order of the transmission would
be irrelevant) except that the group bit in addresses was defined not as
"the most significant bit" or "the least significant bit" but rather as "the
first bit on the wire." Thus, an address that was a group address on 802.3
would not necessarily look like a group address when transmitted on 802.5
because a different bit would be transmitted first.
The canonical format of address assumes least-significant-bit-order-first
order. Therefore, the address a2-41-59-31-51 is not a group address because
the least significant bit of the first octet (a2, which equals 10100010
binary) is 0.
When addresses are stored for transmission onto 802.5 or FDDI, which transmit
the most significant bit first, they must be stored in a different format.
Figure 2.9 shows the address a2-41-42-59-31-51 as stored for transmission
least significant bit first.

10100010   01000001   01000010   01011001   00110001   01010001
Figure 2.9 Address a2-41-42-59-31-51, least significant bit first

Figure 2.10 shows the address a2-41-42-59-31-51 as stored for transmission
most significant bit first.

01000101   10000010   01000010   10011010   10001100   10001010
Figure 2.10 Address a2-41-42-59-31-51, most significant bit first

Therefore, bridges must shuffle the address fields when forwarding between
802.5 (or FDDI) and any other LANs."


From all of the reading this is what I think to be true. If I am wrong in my
assumptions please let me know.
1. When an adapter needs to set the MAC address of a packet it will put it
in whatever format that it is accustomed to and is unaware of any other
format.
2. Regardless of how the packet is stored in memory it will transmit the
Global bit first. This is what a transmission would look like:
Packet in canonical format:  A8 is the Global bit, least significant bit
A1A2A3A4A5A6A7A8 B1B2B3B4B5B6B7B8   C1C2C3C4C5C6C7C8

Packet in non-canonical format: A8 is the Global bit, most significant bit
A8A7A6A5A4A3A2A1 B8B7B6B5B4B3B2B1   C8C7C6C5C4C3C2C1

Either way it is transmitted with the Global bit first so both should look like
this on the wire:
A8A7A6A5A4A3A2A1   B8B7B6B5B4B3B2B1   C8C7C6C5C4C3C2C1


When an adapter receives a packet it should automatically rearrange the
packet into the appropriate format and everything should be fine.
I know how to do the conversion and when I do the conversion I can see the
problem. When I go through the steps of how a packet is formed I can't see
the problem.

I would appreciate a reply, answer or direction to go from anyone.


Thanks,
Neil









Re: canonical and non-canonical addresses

2000-08-15 Thread Neil Desai

Does anybody know the answer to this one? Now I am getting a bit
frustrated. I have posted to this group only a couple of times and I never
get an answer. All I get is people asking me to look at the archives. I did
as much homework as possible before asking the group.
""Neil Desai"" <[EMAIL PROTECTED]> wrote in message
news:8n9llp$83c$[EMAIL PROTECTED]...
> I am having a problem understanding the issues between canonical and
> non-canonical addressing. I understand that the bits are flipped within the
> byte. On page 32-33 of Interconnections Second Edition she gives the example
> of the address a2-41-42-59-31-51.
> Canonical:
> 10100010 01000001 01000010 01011001 00110001 01010001
> Non-Canonical:
> 01000101 10000010 01000010 10011010 10001100 10001010
>
> If you look at this you can clearly see that the address in canonical format
> is not a group address (last bit of first byte is zero) but in non-canonical
> format it is a group address. At this point I can see a big problem because
> she also states:
>
>  ".the group bit in addresses was defined not as "the most significant bit"
> or the "least significant bit" but rather as "the first bit on the wire."
> Thus, an address that was a group address on 802.3 would not necessarily
> look like a group address when transmitted on 802.5 because a different bit
> would be transmitted first."
>
> Here is the confusion: In canonical format the least significant bit is
> transmitted first and in non-canonical format the most significant bit is
> transmitted first. So on the wire the 1's and 0's would be in the same
> order. Here is an excerpt from RFC 2469:
>
> The figure below illustrates the difference between
> canonical and non-canonical form using the canonical form address
> 12-34-56-78-9A-BC as an example:
>
>    In memory,      12       34       56       78       9A       BC
>    canonical:   00010010 00110100 01010110 01111000 10011010 10111100
>
>                 1st bit appearing on LAN (group address indicator)
>                 |
>    On LAN:      01001000 00101100 01101010 00011110 01011001 00111101
>
>    In memory,
>    MSB format:  01001000 00101100 01101010 00011110 01011001 00111101
>                    48       2C       6A       1E       59       3D
>
>
> This shows that no matter how the information is stored in memory it looks
> the same on the wire. So if it looks the same on the wire wouldn't an
> adapter pick up the packet and flip the bits in the byte if it needed to?
> Since on the wire it looks like the bits are in non-canonical format a
> canonical format media would automatically take the first byte and flip the
> bits and so on, or so I would think.
>
> If anyone can figure out where I am going wrong please let me know. If it
> would be best to talk, email me directly with a daytime phone number and I
> will call you. Thanks.
> Neil


___
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: canonical and non-canonical addresses

2000-08-14 Thread Neil Desai

I have looked through the archives and a post from Howard Berkowitz is what
led me to the RFC. All of the posts that I have seen only refer to the
swapping of bits within the byte. None of the explanations that I have seen
go any further. I have also scoured the Internet and CCO.
Neil

""Neil Desai"" <[EMAIL PROTECTED]> wrote in message
news:8n9llp$83c$[EMAIL PROTECTED]...
> I am having a problem understanding the issues between canonical and
> non-canonical addressing. I understand that the bits are flipped within the
> byte. On page 32-33 of Interconnections Second Edition she gives the example
> of the address a2-41-42-59-31-51.
> Canonical:
> 10100010 01000001 01000010 01011001 00110001 01010001
> Non-Canonical:
> 01000101 10000010 01000010 10011010 10001100 10001010
>
> If you look at this you can clearly see that the address in canonical format
> is not a group address (last bit of first byte is zero) but in non-canonical
> format it is a group address. At this point I can see a big problem because
> she also states:
>
>  ".the group bit in addresses was defined not as "the most significant bit"
> or the "least significant bit" but rather as "the first bit on the wire."
> Thus, an address that was a group address on 802.3 would not necessarily
> look like a group address when transmitted on 802.5 because a different bit
> would be transmitted first."
>
> Here is the confusion: In canonical format the least significant bit is
> transmitted first and in non-canonical format the most significant bit is
> transmitted first. So on the wire the 1's and 0's would be in the same
> order. Here is an excerpt from RFC 2469:
>
> The figure below illustrates the difference between
> canonical and non-canonical form using the canonical form address
> 12-34-56-78-9A-BC as an example:
>
>    In memory,      12       34       56       78       9A       BC
>    canonical:   00010010 00110100 01010110 01111000 10011010 10111100
>
>                 1st bit appearing on LAN (group address indicator)
>                 |
>    On LAN:      01001000 00101100 01101010 00011110 01011001 00111101
>
>    In memory,
>    MSB format:  01001000 00101100 01101010 00011110 01011001 00111101
>                    48       2C       6A       1E       59       3D
>
>
> This shows that no matter how the information is stored in memory it looks
> the same on the wire. So if it looks the same on the wire wouldn't an
> adapter pick up the packet and flip the bits in the byte if it needed to?
> Since on the wire it looks like the bits are in non-canonical format a
> canonical format media would automatically take the first byte and flip the
> bits and so on, or so I would think.
>
> If anyone can figure out where I am going wrong please let me know. If it
> would be best to talk, email me directly with a daytime phone number and I
> will call you. Thanks.
> Neil





canonical and non-canonical addresses

2000-08-14 Thread Neil Desai

I am having a problem understanding the issues between canonical and
non-canonical addressing. I understand that the bits are flipped within the
byte. On page 32-33 of Interconnections Second Edition she gives the example
of the address a2-41-42-59-31-51.
Canonical:
10100010 01000001 01000010 01011001 00110001 01010001
Non-Canonical:
01000101 10000010 01000010 10011010 10001100 10001010

If you look at this you can clearly see that the address in canonical format
is not a group address (last bit of first byte is zero) but in non-canonical
format it is a group address. At this point I can see a big problem because
she also states:

 ".the group bit in addresses was defined not as "the most significant bit"
or the "least significant bit" but rather as "the first bit on the wire."
Thus, an address that was a group address on 802.3 would not necessarily
look like a group address when transmitted on 802.5 because a different bit
would be transmitted first."

Here is the confusion: In canonical format the least significant bit is
transmitted first and in non-canonical format the most significant bit is
transmitted first. So on the wire the 1's and 0's would be in the same
order. Here is an excerpt from RFC 2469:

The figure below illustrates the difference between
canonical and non-canonical form using the canonical form address
12-34-56-78-9A-BC as an example:

   In memory,      12       34       56       78       9A       BC
   canonical:   00010010 00110100 01010110 01111000 10011010 10111100

                1st bit appearing on LAN (group address indicator)
                |
   On LAN:      01001000 00101100 01101010 00011110 01011001 00111101

   In memory,
   MSB format:  01001000 00101100 01101010 00011110 01011001 00111101
                   48       2C       6A       1E       59       3D


This shows that no matter how the information is stored in memory it looks
the same on the wire. So if it looks the same on the wire wouldn't an
adapter pick up the packet and flip the bits in the byte if it needed to?
Since on the wire it looks like the bits are in non-canonical format a
canonical format media would automatically take the first byte and flip the
bits and so on, or so I would think.

If anyone can figure out where I am going wrong please let me know. If it
would be best to talk, email me directly with a daytime phone number and I
will call you. Thanks.
Neil
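
An added example, not part of the original posts, that works through the RFC 2469 figure and the Interconnections address a2-41-42-59-31-51 quoted in the canonical / non-canonical messages above. It shows that the wire image is identical when each adapter holds the address in its own form, and that the group bit changes only when canonical bytes reach an MSB-first adapter without the shuffle the book describes. Function names are assumptions.

```python
def parse_mac(text):
    """Parse 'a2-41-42-59-31-51' (or ':' separated) into bytes as held in memory."""
    parts = text.replace(":", "-").split("-")
    if len(parts) != 6:
        raise ValueError(f"expected 6 octets, got {len(parts)}")
    return bytes(int(p, 16) for p in parts)


def format_mac(raw):
    return "-".join(f"{b:02X}" for b in raw)


def swap_bit_order(raw):
    """Reverse the bits inside each byte (canonical <-> non-canonical)."""
    return bytes(int(f"{b:08b}"[::-1], 2) for b in raw)


def wire_bits(raw, lsb_first):
    """Bits in the order they leave the adapter, one group per byte."""
    return " ".join(f"{b:08b}"[::-1] if lsb_first else f"{b:08b}" for b in raw)


def group_bit_on_wire(raw, lsb_first):
    """The group bit is by definition the first bit transmitted."""
    return int(wire_bits(raw, lsb_first)[0])


def bridge_to_msb_lan(canonical, shuffle):
    """Hand an address held in canonical form to an MSB-first adapter.

    shuffle=True is the per-byte bit swap a bridge has to perform.
    shuffle=False copies the bytes untouched, which is the failure mode.
    Returns the bits that appear on the 802.5/FDDI side.
    """
    stored = swap_bit_order(canonical) if shuffle else canonical
    return wire_bits(stored, lsb_first=False)


if __name__ == "__main__":
    rfc = parse_mac("12-34-56-78-9A-BC")
    msb = swap_bit_order(rfc)
    print("canonical in memory :", format_mac(rfc))
    print("MSB format in memory:", format_mac(msb))
    print("Ethernet, LSB first :", wire_bits(rfc, lsb_first=True))
    print("Token Ring, MSB 1st :", wire_bits(msb, lsb_first=False))

    book = parse_mac("a2-41-42-59-31-51")
    print("group bit on 802.3  :", group_bit_on_wire(book, lsb_first=True))
    print("bridged, shuffled   :", bridge_to_msb_lan(book, shuffle=True))
    print("bridged, unshuffled :", bridge_to_msb_lan(book, shuffle=False))
```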






Re: Cisco View, CW2000, IPM

2000-06-23 Thread Neil Desai

I am making PERL scripts to get the information that we want from the SYSLOG
files. PERL is easy to learn and can do a lot for you.
Neil
""News Cisco"" <[EMAIL PROTECTED]> wrote in message
news:8itpcl$7jt$[EMAIL PROTECTED]...
> Does any one know how to make ANY sense out of the thousands of syslog msgs
> generated every week ???
> I have a few flapping serials,,, sometimes the link (VSAT/FR) goes down for
> 5 or 10 mins,,, but looking at the syslogs
>
> * How can i generate a customized report giving me a numerical value of the
> total down/uptime per link ???
> * Generate a graph showing Link Utilization per day/week/month ( plz, dont
> recommend me to use MRTG)
> * Set the syslogg feature of CW2000 to store msgs for last 30 days
>
> I'm using CW2000, CiscoView, IPM, I've been thru all the features,, cudnt
> get any help, all they do is provide realtime traffic analysis & even
> thats not presentable to the Top Management
>
> Any suggestions/help wud be JOB SAVING!!
>
> "Bliss"
>
>





Re: Checkpoint firewall

2000-06-12 Thread Neil Desai

I was thinking of using the CBAC. You can have it look at fragmented
packets and set a timeout. Cisco had a problem in the PIX and CBAC in 1998
but made a fix for it.
Neil
"David" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> What is even more fun is trying to send a packet requiring fragmentation
> from Linux through a firewall!  A small snippet in the kernel source
> shows that linux will fragment a packet and send the LAST fragment
> first, for various reasons that I don't completely understand.  This
> means that the first fragment of a packet from a linux host will have no
> layer 4 info!  What is a firewall supposed to do with that other than
> hold it in memory, and use some kind of timers and DoS checking code in
> the firmware?  I only dealt with this on the Netscreens, and they
> currently pass the fragments through for this reason if I remember
> correctly.   This isn't perfect, but not too bad, because the host can
> most likely handle this better than a firewall handling thousands of
> connections for all hosts with a limited memory capacity.
>
> David
>
>
> Nimesh Vakharia wrote:
> >
> > I am curious how the PIX handles this exploit.
> >
> > The exploit is Checkpoint reassembles fragmented packet before forwarding.
> > But it does not inspect the packet in any way until it has completely
> > built the packet... so you can keep sending multiple fragments and it
> > keeps reassembling, using up system resources and probably crash at one
> > point. Checkpoint supposedly does not check against its rule base
> > (conduit/statics in PIX) when it receives a fragmented packet!
> >
> > I vaguely remember that the PIX ignores the first fragment of the
> > entire series (if it matches the rules) and forwards everything after that.
> > This way irrespective of how malicious the fragment is, it never gets
> > built at the host end. Can anyone confirm as to how the PIX handles
> > fragmented packets?
> >
> > BTW: Check out
> > http://www.enteract.com/~lspitz/fwtable.html
> >
> > This really shows how much work need to be done on firewall code!
> > - Stateful monitoring is a joke
> > - No inspection on sequence nos.
> > - Fragments!
> >
> > Nimesh.
> >
> > On Fri, 9 Jun 2000, Richard Holland wrote:
> >
> > >   This is a bit off-topic, but I recall a discussion of using Checkpoint
> > > firewall, and thought I'd share a SANS security newsletter concerning
> > > checkpoint.
> > >
> > > "It's possible to use various fragmented packets (such as those generated by
> > > Jolt2.c) to cause the firewall to crash or operate at 100% CPU utilization.
> > > Firewall rules are ineffective for defense.  More information is in this
> > > issue as item {00.24.025} ("Check Point FireWall-1 fragmentation DoS")."
>
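
An added sketch, not from the thread and not any vendor's implementation, of the bounded fragment handling the posts above describe: fragments are held (even when the last one arrives first), expired on a timer, and refused once the table is full. Offsets are in bytes rather than 8-byte units, and the key, limits and names are assumptions.

```python
class FragmentTable:
    """Hold IP fragments until a datagram is complete, with hard limits."""

    def __init__(self, timeout=30.0, max_datagrams=1024, max_len=65535):
        self.timeout = timeout              # seconds a partial datagram may wait
        self.max_datagrams = max_datagrams  # cap on partial datagrams held
        self.max_len = max_len              # largest datagram accepted
        self.pending = {}                   # key -> {"first_seen", "frags", "total"}

    def expire(self, now):
        """Drop every partial datagram older than the timeout."""
        stale = [k for k, e in self.pending.items()
                 if now - e["first_seen"] > self.timeout]
        for key in stale:
            del self.pending[key]
        return len(stale)

    def add(self, now, key, offset, more_fragments, payload):
        """Return (status, data); status is 'complete', 'held' or 'dropped'."""
        self.expire(now)
        end = offset + len(payload)
        if end > self.max_len:
            self.pending.pop(key, None)
            return "dropped", None          # would exceed the maximum size
        entry = self.pending.get(key)
        if entry is None:
            if len(self.pending) >= self.max_datagrams:
                return "dropped", None      # table full: refuse new state
            entry = {"first_seen": now, "frags": {}, "total": None}
            self.pending[key] = entry
        entry["frags"][offset] = payload
        if not more_fragments:
            entry["total"] = end            # the last fragment fixes the length
        data = self._assemble(entry)
        if data is None:
            return "held", None
        del self.pending[key]
        # Only here is the layer 4 header available with the whole packet,
        # so this is the point where a rule base could be applied.
        return "complete", data

    @staticmethod
    def _assemble(entry):
        if entry["total"] is None:
            return None
        data, pos = bytearray(), 0
        for off in sorted(entry["frags"]):
            if off != pos:
                return None                 # gap or overlap: wait for the timer
            data += entry["frags"][off]
            pos += len(entry["frags"][off])
        return bytes(data) if pos == entry["total"] else None


if __name__ == "__main__":
    table = FragmentTable()
    key = ("192.0.2.1", "192.0.2.2", 17, 0x1234)   # constructed src, dst, proto, id
    print(table.add(0.0, key, 8, False, b"BBBB"))      # last fragment first
    print(table.add(1.0, key, 0, True, b"AAAAAAAA"))   # first fragment completes it
```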





Re: Scheduled shutdown

2000-06-09 Thread Neil Desai

You could do it with a PERL script. If all you want to do is prevent access
during those times then you could use time based ACL's.
Neil
"Eduardo Negreiros" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Hi, folks!
> I want to "shutdown" a Ethernet interface every day at 18:00 PM and "no
> shutdown" this interface every day at 08:00 AM. Does anyone know how to
> do it? Is there any command to schedule a shutdown?
>
> Best Regards,
> Eduardo Negreiros
>
>
>

