[Wireshark-users] Strange packet nbns
Hi all

Hope you can help. I tried Wireshark on my network and once a winxp client logs into my network (Win 2003 server as DC) I see

NBNS name query nb bps-ntserver1

The bps-ntserver1 was an old NT 4 server but I have since built a new domain. I have a feeling a reg key or something is still in the desktop since the changeover. I have looked through the registry but it is strange why it's being called on login only? Any ideas? I am guessing it is not healthy for 100+ PCs querying an old server on login! I have attached the log.

I am still (unfortunately) running wins on the network due to a few win 98 boxes still running. I have tried searching wins for that server name but nothing exists and DNS does not have any reference to that old server name.

Thanks.

Cheers
Jon

nbns.pcap Description: Binary data

___
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
[Wireshark-users] Listening on Port mirrored interface
Hi All,

Don't know if this is the correct board to put this to but here goes anyway. I am having problems listening for packets on my Sun Machine.

I have a F5 BIGIP switch on which I mirrored the traffic port (i.e. 9) to another port 16 for listening and tracing. In port 16 I run a cable to my Sun Solaris V440 machine. On this machine I simply plumb the interface to where the cable is, give it a dummy ip address, netmask and broadcast address and bring it up. Issue is when I run Tshark I see no packets. Any ideas on what I have done wrong or even some tricks.

When I connect my laptop instead of Sun server and run wireshark, then I can see packets that I want. I don't even give the laptop interface card an ip address, netmask and broadcast address and it still works.

William

William Murphy
Integration/Support Engineer
AdaptiveMobileTM
Dublin Technology Centre, Taylor's Lane, Dublin 8, Ireland
Mobile. +353 87 9621616
Fixed-Line. +353 1 4100958
E-mail. [EMAIL PROTECTED]
www.adaptive-mobile.com

** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote also confirms that this email message has been swept for the presence of computer viruses. www.adaptivemobile.com **
Re: [Wireshark-users] Listening on Port mirrored interface
What about tcpdump, does it capture?

What happens if you run it as root, can you capture?

Is /dev/ifname readable by the user you are trying to capture with?

--
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan
Re: [Wireshark-users] Listening on Port mirrored interface
Hi,

Thanks for getting back to me. tcpdump does not capture either. I have been reading up on this and here it is.

The laptop I use is not as secure as Sun server and the nic card can be turned into promiscuous mode easily by software, but on the Sun server I don't think the software can turn it into promiscuous mode and thus the Nic card will not show the sniffer (i.e. snoop, tcpdump, tethereal, tshark) traffic from Mac address other than its own mac address for security reasons.

So I think now my question is: Is there a command I can run which will put the nic card on the SUN server (i.e. Solaris 10) into promiscuous mode?

Agree with my thinking?

Will
Re: [Wireshark-users] Listening on Port mirrored interface
Hi

I can't seem to snoop as root. Makes no difference.

[EMAIL PROTECTED] # ls -la /dev/ce
lrwxrwxrwx 1 root root 28 May 14 2006 /dev/ce - ../devices/pseudo/[EMAIL PROTECTED]:ce
[EMAIL PROTECTED] # ls -la ../devices/pseudo/[EMAIL PROTECTED]:ce
crw--- 1 root sys 11, 80 May 14 2006 ../devices/pseudo/[EMAIL PROTECTED]:ce

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Luis Ontanon
Sent: 18 February 2007 20:55
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Listening on Port mirrored interface

> I used to capture promiscuous on sun boxen without any problem. So it might be an issue with permissions of the /dev/ node for the interface which I remember I had to change myself.
>
> Can you capture as root? If so which are the permissions on /dev/ifname?
>
> What happens if you change permissions on /dev/ifname so that it is writable by the user, can you capture promiscuous then?
>
> Luis
Re: [Wireshark-users] Strange packet nbns
Have you tried doing a search in the registry for ntserver1 or similar?

--
Hans Nilsson
[EMAIL PROTECTED]
Re: [Wireshark-users] Listening on Port mirrored interface
http://docs.sun.com/app/docs/doc/817-3947/6mjgnrl80?a=view says that ce does actually support promiscuous mode.

You might have to change something in /kernel/drv/ce.conf but honestly I do not know what.

Luis

On 2/18/07, William Murphy [EMAIL PROTECTED] wrote:
> Supposedly. I have tried with tethereal also and it has same effect. No traffic captured.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Luis Ontanon
> Sent: 18 February 2007 21:12
> To: Community support list for Wireshark
> Subject: Re: [Wireshark-users] Listening on Port mirrored interface
>
>> does snoop work in promiscuous mode?
>>
>> On 2/18/07, William Murphy [EMAIL PROTECTED] wrote:
>>> Hi,
>>>
>>> OK, changed the rights on the file
>>>
>>> crw-rw-rw- 1 root sys 11, 80 May 14 2006 [EMAIL PROTECTED]:ce
>>>
>>> but this still does not make a difference. I did not restart the system. Just changed rights and made trace which did not work.
>>>
>>> Will
Re: [Wireshark-users] Strange packet nbns
On Sun, 18 Feb 2007 20:25:40 +1100, Jon Knight [EMAIL PROTECTED] said:
> Hi all Hope you can help. I tried Wireshark on my network and once a winxp client logs into my network (Win 2003 server as DC) I see NBNS name query nb bps-ntserver1

The following thread may (or may not) be of help:

Subject: How to find the application sending a namerequest?
start: http://www.wireshark.org/lists/wireshark-users/200610/msg00867.html
last: http://www.wireshark.org/lists/wireshark-users/200611/msg01217.html

Bill Meier
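
Added example, not part of the original thread and not Wireshark code: a small Python parser for the NBNS name queries discussed in the "Strange packet nbns" messages, which decodes the first-level encoded NetBIOS name and counts which clients still ask for the retired server. It assumes the UDP port 137 payloads have already been extracted from a capture as (source IP, payload) pairs; the sample packets, the addresses, the suffix bytes and the name NEWDC01 are constructed for illustration.

```python
import struct
from collections import Counter

def encode_name(name, suffix):
    """First-level encoding (RFC 1001): pad to 15, add suffix, nibbles as 'A'..'P'."""
    raw = name.upper().encode("ascii")[:15].ljust(15) + bytes([suffix])
    return bytes(0x41 + n for b in raw for n in (b >> 4, b & 0x0F))

def decode_name(enc):
    """Undo the encoding; returns (name, suffix), or None if enc is malformed."""
    if len(enc) != 32 or not all(0x41 <= c <= 0x50 for c in enc):
        return None
    raw = bytes((enc[i] - 0x41) << 4 | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip(), raw[15]

def parse_query(payload):
    """Return (name, suffix) for an NBNS name query (UDP/137 payload), else None."""
    if len(payload) < 50:  # 12-byte header + 34-byte name + type and class
        return None
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    # Bit 15 set means response; opcode (bits 11-14) 0 means query.
    if flags & 0x8000 or (flags >> 11) & 0xF or qdcount != 1 or payload[12] != 32:
        return None
    pos = 45  # walk past optional scope labels to the terminating root label
    while pos < len(payload) and payload[pos]:
        pos += 1 + payload[pos]
    return decode_name(payload[13:45]) if payload[pos + 1:pos + 3] == b"\x00\x20" else None

def clients_querying(packets, stale_name):
    """Count name queries for stale_name per source address."""
    hits = Counter()
    for src, payload in packets:
        query = parse_query(payload)
        if query and query[0] == stale_name.upper():
            hits[src] += 1
    return dict(hits)

def build_query(txid, name, suffix=0x20):
    """Build a broadcast name query; used only to construct the sample below."""
    header = struct.pack("!HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    return header + b"\x20" + encode_name(name, suffix) + b"\x00\x00\x20\x00\x01"

# Constructed sample: (source IP, UDP payload) pairs; NEWDC01 is a made-up name.
SAMPLE = [
    ("192.0.2.11", build_query(1, "bps-ntserver1")),
    ("192.0.2.12", build_query(2, "bps-ntserver1")),
    ("192.0.2.11", build_query(3, "bps-ntserver1", 0x00)),
    ("192.0.2.13", build_query(4, "NEWDC01")),
    ("192.0.2.14", b"\x00\x05\x85\x00" + b"\x00" * 46),  # a response: ignored
]
```

Calling clients_querying(SAMPLE, "bps-ntserver1") returns the per-client query counts; the suffix byte returned by parse_query shows which NetBIOS service the client was looking for, which narrows down what on the desktop still references the old name.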