Check out Ethereal also. Great freeware. It will decode most information as well as tell you what the port number is used for. http://www.ethereal.com/
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Martin Moreno
Sent: Friday, July 25, 2003 1:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [smartBridges] OFF TOPIC: Spoofed IP??

What version of Colasoft sniffer do you use, corporate or personal?

Quoting The Wirefree Network <[EMAIL PROTECTED]>:

> Thanks Jeff..gonna pick one up tomorrow.
>
> Sully
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Gojkovich
> Sent: Thursday, July 24, 2003 7:33 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [smartBridges] OFF TOPIC: Spoofed IP??
>
> What we do is put a hub in between the AP and the router/switch. Then
> plug a network line into the hub to one of our computers and open the
> sniffer. We use the Colasoft sniffer and it works great. It will sort
> by IP address and it is laid out really nice. Just wait for that IP to
> send some info that will identify them and there you go.
>
> --
> Jeff
>
> > One thing you could do if you provide email, is to check the IP addy
> > against email addresses in your logs of your mail server.
> > George
> > ----- Original Message -----
> > From: "The Wirefree Network"
> > To:
> > Sent: Thursday, July 24, 2003 12:29 PM
> > Subject: [smartBridges] OFF TOPIC: Spoofed IP??
> >
> >> Here's a weird one.
> >>
> >> Using smartbridges equipment, is there any way I can find out which one
> >> of my users changed their IP address??
> >>
> >> When I do an arp listing in my router, I noticed that the IP/MAC pairing
> >> was incorrect. So...I called up the client who should have that IP and
> >> their computer was off. When they turned it on and went to IE, my
> >> router prompted me with "IP address 172.16.x.x changed MAC addresses".
> >> And then the arp listing showed the correct MAC for that IP.
> >>
> >> He then turned off his computer and a little while later...I was again
> >> prompted with the "IP address 172.16.x.x changed MAC addresses". I
> >> wrote down the MAC address, but that really does me no good.
> >>
> >> I was hoping that a traceroute would show me which wireless devices he
> >> was hopping out of...but no dice.
> >>
> >> I looked in the associated client listing in the aPPo, but it does not
> >> show that IP whenever I am looking.
> >>
> >> I tried using sniffer software...but I can't pick up any traffic on the
> >> LAN side of my router, being that it is also a switch. I need to find a
> >> way to make my port (promiscuous) or act like a hub...so I can sniff
> >> traffic on the whole network.
> >>
> >> I also thought about having the valid client use a different IP for
> >> now...and then block that IP at the LAN interface. Then...just sit back
> >> and wait for that client to call me (with an outage).
> >>
> >> Anyway...my question is....how can I find out who is using this IP??
> >>
> >> Sully
> >>
> >> The PART-15.ORG smartBridges Discussion List
> >> To Join: mailto:[EMAIL PROTECTED] (in the body type subscribe smartBridges
> >> To Remove: mailto:[EMAIL PROTECTED] (in the body type unsubscribe smartBridges)
> >> Archives: http://archives.part-15.org

Martin Moreno
Blazen Wireless
909-907-4106
www.blazenwireless.com

The PART-15.ORG smartBridges Discussion List
To Join: mailto:[EMAIL PROTECTED] (in the body type subscribe smartBridges <yournickname>
To Remove: mailto:[EMAIL PROTECTED] (in the body type unsubscribe smartBridges)
Archives: http://archives.part-15.org
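
Added example, not part of the original thread: one way to turn the router's "IP address changed MAC addresses" prompts into something actionable is to log the ARP listing over time and compare each IP/MAC pairing against the MAC recorded for every customer. The observations, the `ASSIGNED` inventory and all addresses below are constructed for illustration, and the approach assumes the operator keeps such a per-customer MAC record.

```python
# Constructed sample data: (time, IP, MAC) rows as they might be copied from
# periodic ARP listings on the router. All addresses are made up.
OBSERVATIONS = [
    ("09:00", "172.16.0.50", "00:00:5e:00:53:0a"),
    ("09:00", "172.16.0.51", "00:00:5e:00:53:0b"),
    ("12:30", "172.16.0.50", "00:00:5E:00:53:99"),  # different MAC, same IP
    ("12:30", "172.16.0.51", "00:00:5e:00:53:0b"),
    ("14:10", "172.16.0.50", "00-00-5e-00-53-0a"),  # assigned client is back
    ("18:45", "172.16.0.50", "00:00:5e:00:53:99"),
]

# Hypothetical inventory (an assumption): the MAC each customer IP was issued to.
ASSIGNED = {
    "172.16.0.50": "00:00:5e:00:53:0a",
    "172.16.0.51": "00:00:5e:00:53:0b",
    "172.16.0.52": "00:00:5e:00:53:99",
}

def normalize_mac(mac):
    """Lower-case and use ':' so formatting differences don't look like changes."""
    return mac.lower().replace("-", ":")

def find_ip_conflicts(observations, assigned):
    """Return {ip: {"changes": [(time, old, new)], "unexpected": {mac: owner_ip or None}}}."""
    owner_of = {normalize_mac(m): ip for ip, m in assigned.items()}
    last_seen = {}
    report = {}
    for when, ip, raw_mac in observations:
        mac = normalize_mac(raw_mac)
        prev = last_seen.get(ip)
        if prev is not None and prev != mac:
            entry = report.setdefault(ip, {"changes": [], "unexpected": {}})
            entry["changes"].append((when, prev, mac))
        last_seen[ip] = mac
        expected = assigned.get(ip)
        if expected is not None and mac != normalize_mac(expected):
            entry = report.setdefault(ip, {"changes": [], "unexpected": {}})
            # If the stray MAC is on record for another customer, name that IP.
            entry["unexpected"][mac] = owner_of.get(mac)
    return report

if __name__ == "__main__":
    for ip, info in find_ip_conflicts(OBSERVATIONS, ASSIGNED).items():
        print(ip, info)
```

A stray MAC that maps to `None` is not in the inventory at all, which is the case where the hub-and-sniffer or mail-log suggestions in the thread are still needed.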
