Sounds to me like your switch isn't switching. The only traffic that a machine plugged into a switch should see is its own traffic and broadcast or multicast traffic. Everything else should be invisible to it, unless you've configured the port you're plugged into as a management port. Otherwise, if you can packet-sniff *all* the traffic going through that switch then, well... it's not a switch.
Anyway, that's sort of beside the point. One thing to keep in mind is that if you're packet sniffing at your hub/switch, you may not be seeing everything that's going on on your wireless network. For example, what if there actually are Welchia/Blaster-type worms on your wireless network, but all their ICMP traffic is being directed back out onto your network, instead of through your backhaul. For example, here's what Symantec says about Welchia's scanning behavior: > Selects the victim IP address in two different ways: The worm uses either > A.B.0.0 from the infected machine's IP of A.B.C.D and counts up, or it will > construct a random IP address based on some hard-coded addresses. > After selecting the start address, the worm counts up through a range of > Class B-sized networks; for example, if the worm starts at A.B.0.0, it will > count up to at least A.B.255.255. Let's say that you set up your wireless network as a class B, such as 10.1.0.0/16. Now what if one of your customers at say, 10.1.1.30 got infected with Welchia. The worm would probably start sending out ICMP echo requests to everything between 10.1.0.0 and 10.1.255.255. If you've got your AP configured with a /16 netmask, all that ICMP traffic is going to stay local to that AP. None of it will ever come down your backhaul. So, if you're packet sniffing at the switch on the other side of the backhaul, you won't see anything. The above example is assuming that the network design is routed, and not bridged, and it may not even apply to your situation. The point I'm trying make though, is that to really know for sure what's happening on a particular network segment, you need to put your packet sniffer on the same segment. Placing it down the line somewhere may not give you the full picture. Craig Quoting Martin Moreno <[EMAIL PROTECTED]>: > T-1 >>switch> backhaul >tower both APS to south and north clients > Switch also has connections going to it from my servers as well as my home > PC.. > > > > > Quoting Mark Radabaugh <[EMAIL PROTECTED]>: > > > > > > > > > > I have everything on a switch no hub and it sees everything fine from > the > > > clients up to my servers sending and receiving info.. > > > > > > > Then you paid way too much for that switch :-) > > > > (or I just don't understand how you have things connected...) > > > > Mark > > > > > > ----------ANNOUNCEMENT---------- > > Don't forget to register for WISPCON IV > > http://www.wispcon.info/us/wispcon-iv/wispcon-iv.htm > > > > The PART-15.ORG smartBridges Discussion List > > To Join: mailto:[EMAIL PROTECTED] (in the body type subscribe > smartBridges > > <yournickname> > > To Remove: mailto:[EMAIL PROTECTED] (in the body type unsubscribe > > smartBridges) > > Archives: http://archives.part-15.org > > > > > Martin Moreno > Blazen Wireless > 909-907-4106 > www.blazenwireless.com > ----------ANNOUNCEMENT---------- > Don't forget to register for WISPCON IV > http://www.wispcon.info/us/wispcon-iv/wispcon-iv.htm > > The PART-15.ORG smartBridges Discussion List > To Join: mailto:[EMAIL PROTECTED] (in the body type subscribe smartBridges > <yournickname> > To Remove: mailto:[EMAIL PROTECTED] (in the body type unsubscribe > smartBridges) > Archives: http://archives.part-15.org > > ----------ANNOUNCEMENT---------- Don't forget to register for WISPCON IV http://www.wispcon.info/us/wispcon-iv/wispcon-iv.htm The PART-15.ORG smartBridges Discussion List To Join: mailto:[EMAIL PROTECTED] (in the body type subscribe smartBridges <yournickname> To Remove: mailto:[EMAIL PROTECTED] (in the body type unsubscribe smartBridges) Archives: http://archives.part-15.org
