Posted by Moe Trin on February 1, 2006, 3:31 pm
On 1 Feb 2006, in the Usenet newsgroup comp.security.misc, in article
synergy@synergyservices.org wrote:
>Here is my environment:
OK - the drawing is murder to try to read, but I take it that the three
networks only meet in the Watchguard. Where are the PowerConnect switches
located?
>We THINK we have narrowed it down to the x.x.1.0 location, but I'm not
>entirely convinced.
I think I agree.
>In any case, it is a significant amount of traffic, and at times pegs
>the (A) Netopia at 99% CPU, when the (B) Netopia is around 27%.
That fits the location A scenario. Is there any pattern to when this
occurs?
>Toss them an IP address, and they'll probably pick up the phone and dial
>it. I don't believe it is anyone playing with nmap or any other tool.
OK - the only other explanation would be that the boxes are owned, and
this might show up on the nmap scan as unusual ports open.
>If I'm trying to track down a spoofed MAC address from, say, a trojan,
>am I stuck with connecting to every PC, NIC to NIC via crossover cable
>and ethereal to sniff packets?
As mentioned in my reply on alt.comp.networking.firewalls, the crossover
cable probably isn't the right tool. You need to 'eavesdrop' on the
wire as the unknown box is spewing. Depending where the switches are
located, these might allow you to isolate it down further, as the
switches only carry traffic between the ports used for source and
destination - rather than pumping it out on all ports as a hub does.
Old guy
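
Added example, not part of the original post: a toy Python model of the hub versus switch behaviour described in the reply above, showing why a sniffer on a spare switch port misses the noisy host's unicast frames while the switch's learned MAC table still points at the port that host sits on. The MAC addresses, port numbers and traffic are constructed for illustration.

```python
# Toy model of a hub and a learning switch (constructed, not vendor code).

class Hub:
    def __init__(self, ports):
        self.ports = set(ports)

    def forward(self, in_port, src, dst):
        # A hub repeats every frame on all other ports.
        return self.ports - {in_port}


class LearningSwitch:
    BROADCAST = "ff:ff:ff:ff:ff:ff"

    def __init__(self, ports):
        self.ports = set(ports)
        self.mac_table = {}  # source MAC -> port it was last seen on

    def forward(self, in_port, src, dst):
        self.mac_table[src] = in_port                  # learn where src lives
        if dst != self.BROADCAST and dst in self.mac_table:
            return {self.mac_table[dst]} - {in_port}   # known unicast: one port
        return self.ports - {in_port}                  # broadcast/unknown: flood


def sniffer_view(device, frames, sniff_port):
    """Return the frames a passive sniffer on sniff_port would receive."""
    return [f for f in frames if sniff_port in device.forward(*f)]


def locate(switch, mac):
    """Port on which the switch last learned this source MAC, or None."""
    return switch.mac_table.get(mac)


# Constructed traffic: (ingress port, source MAC, destination MAC).
NOISY = "02:00:00:00:00:aa"    # hypothetical MAC of the box spewing traffic
GATEWAY = "02:00:00:00:00:01"  # hypothetical router MAC
FRAMES = [(1, GATEWAY, LearningSwitch.BROADCAST)] + [(3, NOISY, GATEWAY)] * 5

if __name__ == "__main__":
    hub, sw = Hub([1, 2, 3, 4]), LearningSwitch([1, 2, 3, 4])
    print("hub sniffer on port 4 sees:", len(sniffer_view(hub, FRAMES, 4)))
    print("switch sniffer on port 4 sees:", len(sniffer_view(sw, FRAMES, 4)))
    print("switch learned noisy MAC on port:", locate(sw, NOISY))
```

On a managed switch, the equivalent of `locate` is reading the switch's own MAC address table for the suspect source address.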