RE: Is my network getting attacked?
I realize this is very late, but I found your post while looking up something
else. From what I can tell, you had a pretty average network on that day back
in August. In case you haven't determined all these things for yourself
already:
Networks that employ NetBIOS (or where one or more nodes employ NetBIOS,
perhaps inadvertently) are very chatty in this way. ("Where's BOOKKEEPING? I
need BOOKKEEPING for [a file share|a shared printer|etc.].") They also
periodically attempt to refresh each other's browse lists by yelling out,
"Look at me! I'm BOOKKEEPING, and I'm a [file server|printer server|etc.]!"
TCP/IP networks see lots of ARP traffic as the stations (servers,
workstations, printers, routers, managed switches, etc.) use it to parlay IP
addresses into Ethernet MAC addresses. (You'll note that they all go to the
network's broadcast address -- 192.168.0.255 -- which is how you, as a
TCP/IP speaker, shout out to all of the peers on your subnet.)
Finally, the STP messages you're seeing are basically your switches talking
to one another to prevent loops. Think "a person accidentally plugging one
switch port into another port on the same network segment" -- Ethernet
networks hate this, and STP is one method of preventing it. This happens more
often than you might think, especially if you have edge switches in
user-accessible places, and free wall jacks nearby: if the edge switch is
backhauled to a core switch via a wall jack, and there's another free wall
jack that connects to the same core switch, and a well-meaning user plugs a
second cable from the edge switch to the free wall jack...well...hilarity
ensues. Note that STP can't necessarily prevent all loops, depending upon
your network topology.
Hope that helps,
-grimm
"njem" wrote:
> Some strange behavior on the network at a non-profit, so at a
> suggestion I installed Wireshark to capture packets and I get strange
> looking behavior. As a comparison I tried it on a couple of other
> offices and don't get the same at all. Does this make sense to anyone
> or can you point me to some hack-savvy forum where they might?
>
> Below is about 30 lines of capture. On this Sat AM I have only the
> server, a workstation, the router and the switch on. The other
> stations have been off since the previous evening so all has had time
> to get settled. The server, workstation, and router all keep sending
> packets asking who has IP address x, and sending "name query" packets.
> Then the switch keeps sending "Spanning tree" packets. I'm sure some
> of this is normal on startup or periodic refresh but in this case it's
> pretty much all the traffic over the course of this 14 second
> snapshot.
>
> Thanks,
> Tom
>
> No. Time Source Destination Protocol Info
> 1 0.000000 Netgear_8c:1c:ea Broadcast ARP Who has 192.168.0.63? Tell 192.168.0.1
> 2 0.016536 Netgear_54:76:c1 Spanning-tree-(for-bridges)_00 STP RST. Root = 32768/00:09:5b:54:76:c1 Cost = 0 Port = 0x8031
> 3 0.413167 IntelCor_07:f5:7d Broadcast ARP Who has 192.168.0.222? Tell 192.168.0.52
> 4 0.415835 IntelCor_07:f5:7d Broadcast ARP Who has 192.168.0.223? Tell 192.168.0.52
> 5 0.536137 Intel_e9:10:22 Broadcast ARP Who has 192.168.0.223? Tell 192.168.0.100
> 6 2.063407 Netgear_54:76:c1 Spanning-tree-(for-bridges)_00 STP RST. Root = 32768/00:09:5b:54:76:c1 Cost = 0 Port = 0x8031
> 7 4.015436 Netgear_54:76:c1 Spanning-tree-(for-bridges)_00 STP RST. Root = 32768/00:09:5b:54:76:c1 Cost = 0 Port = 0x8031
> 8 4.066504 192.168.0.1 192.168.0.100 NBNS Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
> 9 4.066561 192.168.0.100 192.168.0.1 NBNS Name query response NBSTAT
> 10 6.015371 Netgear_54:76:c1 Spanning-tree-(for-bridges)_00 STP RST. Root = 32768/00:09:5b:54:76:c1 Cost = 0 Port = 0x8031
> 11 7.396657 IntelCor_07:f5:7d Broadcast ARP Who has 192.168.0.223? Tell 192.168.0.52
> 12 7.418780 192.168.0.52 192.168.0.255 NBNS Name query NB BOOKKEEPING<20>
> 13 7.420473 Netgear_8c:1c:ea Broadcast ARP Who has 192.168.0.63? Tell 192.168.0.1
> 14 7.455501 192.168.0.52 192.168.0.255 NBNS Name query NB BOOKKEEPING<00>
> 15 8.015308 Netgear_54:76:c1 Spanning-tree-(for-bridges)_00 STP RST. Root = 32768/00:09:5b:54:76:c1 Cost = 0 Port = 0x8031
> 16 8.162190 192.168.0.52 192.168.0.255 NBNS Name query NB BOOKKEEPING<20>
> 17 8.193556 192.168.0.52 192.168.0.255 NBNS Name query NB BOOKKEEPING<00>
> 18 8.419973 Netgear_8c:1c:ea Broadcast ARP Who has 192.168.0.63? Tell 192.168.0.1
> 19 8.912166 192.168.0.52 192.168.0.255 NBNS Name query NB BOOKKEEPING<20>
> 20 8.943526 192.168.0.52 192.168.0.255 NBNS Name query NB BOOKKEEPING<00>
> 21 9.420014 Netgear_8c:1c:ea Broadcast ARP Who has 192.168.0.63? Tell 192.168.0.1
> 22 9.693746 192.168.0.52 192.168.0.255 NBNS Name query NB BOOKKEEPING<00>
> 23 10.015487 Netgear_54:76:c1 Spanning-tree-(for-bridges)_00 STP RST. Root = 32768/00:09:5b:54:76:c1 Cost = 0 Port = 0x8031
> 24 10.129539 192.168.0.1 192.168.0.100 NBNS Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
> 25 10.129594 192.168.0.100 192.168.0.1 NBNS Name query response NBSTAT
> 26 10.443487 192.168.0.52 192.168.0.255 NBNS Name query NB BOOKKEEPING<00>
> 27 10.444938 Netgear_8c:1c:ea Broadcast ARP Who has 192.168.0.63? Tell 192.168.0.1
> 28 11.193463 192.168.0.52 192.168.0.255 NBNS Name query NB BOOKKEEPING<00>
> 29 11.445171 Netgear_8c:1c:ea Broadcast ARP Who has 192.168.0.63? Tell 192.168.0.1
> 30 12.015422 Netgear_54:76:c1 Spanning-tree-(for-bridges)_00 STP RST. Root = 32768/00:09:5b:54:76:c1 Cost = 0 Port = 0x8031
> 31 12.445126 Netgear_8c:1c:ea Broadcast ARP Who has 192.168.0.63? Tell 192.168.0.1
> 32 13.396457 IntelCor_07:f5:7d Broadcast ARP Who has 192.168.0.223? Tell 192.168.0.52
> 33 14.015358 Netgear_54:76:c1 Spanning-tree-(for-bridges)_00 STP RST. Root = 32768/00:09:5b:54:76:c1 Cost = 0 Port = 0x8031
>