Let's leave NIC's private life out of this, ok? The NIC shouldn't need to go promiscuous for the simple fact that he's trying to find packets that are hitting that box - so it's only got to see traffic that's destined for it. The flip side of that is that I don't remember the last NIC I bought which couldn't go promiscuous, so I doubt that's the issue, unless it's an OLD POS model.
I'm thinking it might actually be a filter in NetMon that's causing the issue - but I don't know exactly why.

--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

> -----Original Message-----
> From: Rick Kingslan [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 07, 2003 9:59 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] OT Received Packets
>
> Total and complete speculation as I can't imagine in my wildest dreams as to why NetMon isn't picking up all of these 1000's of packets that Justin is seeing. The shim isn't able to read? <shrug>
>
> Yeah, I've seen some pretty messed up stuff in NetMon as well. In fact, the reverse is true - I've seen stuff in NetMon that Ethereal wasn't able to correctly read.
>
> I suspect that the biggest issue is that the NIC is not promiscuous.
>
> Rick Kingslan MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
> Sent: Tuesday, October 07, 2003 8:43 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] OT Received Packets
>
> Yes. :o)
>
> I have not heard of ethereal being able to pick up packets that netmon can't. Have you positive experience of this or is it theory? I have seen some pretty hokey packets in netmon.
>
> joe
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
> Sent: Tuesday, October 07, 2003 8:50 PM
> To: [EMAIL PROTECTED]
>
> Joe,
>
> If the NIC can't get into promiscuous mode, won't it ignore packets that are *not* addressed to it? IOW, a packet comes in for another machine. It notes that the packet came in (via the stats at the In - Out [which, I question to some degree anyway]) but it's not for me.
> Because I'm not in promiscuous mode, I don't (can't) copy it, so I drop it. Because it wasn't copied, it's not passed to the NetMon shim. However, a packet that *IS* addressed to me shows up and is passed up the stack and is read as well by the NetMon shim. This one shows up in the trace buffer.
>
> Also, isn't it possible that the packets that are showing up at Justin's system are corrupted. NetMon may or may not deal with it properly (can't answer that one, honestly). Ethereal does, however, present even the corrupt packets with some ability to determine what might be the problem. The Pcap module does seem to be a bit ahead of the shim that NetMon uses.
>
> Yes, I know - but if the packets show up in the in-out counter on Justin's system, but no one else's - they must be destined for his system. Heck, I dunno. Me, I'm just one of the team here, and I'm counting on my supporting cast. Rick can't do everything.... (to paraphrase the football commercial.....)
>
> ;p
>
> Rick Kingslan MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
> Sent: Tuesday, October 07, 2003 6:55 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] OT Received Packets
>
> Shouldn't need to. NETMON will see everything Ethereal will. If the traffic is hitting that NIC, it should be visible in NETMON unless the NIC can't go into promiscuous mode. Even still, anything addressed to that machine should be visible.
>
> joe
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Moran
> Sent: Tuesday, October 07, 2003 4:55 PM
> To: [EMAIL PROTECTED]
>
> Salandra, Justin A. wrote:
> > I am watching my interface in netmon and there is nothing coming up.
> > I see other traffic on the network.
>
> You could install Ethereal (http://www.ethereal.com) which will capture and analyze individual packets.
>
> That would answer the question once and for all, since you'd be able to see details of every single packet. At the rate you're gathering incoming packets, you should only need a few seconds worth of capture to find out where it's coming from.
>
> > -----Original Message-----
> > From: Joe [mailto:[EMAIL PROTECTED]
> > Sent: Monday, October 06, 2003 10:36 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] OT Received Packets
> >
> > I would guess that it is probably mostly ARP's and other broadcasts. I would say whomever mentioned the viruses is probably accurate, but open that up to all of the broadcast and searching viruses like mumu and code red and nimda and ... And ... And ... And ...
> >
> > Whatever traffic it is though, it should be readily available in netmon unless the wrong interface is being watched.
> >
> > joe
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
> > Sent: Monday, October 06, 2003 2:35 PM
> > To: '[EMAIL PROTECTED]'
> >
> > My first thought it might be machine policy, but it sounds like the traffic is fairly continuous, as opposed to just after boot.
> >
> > Are you running any p2p software?
> >
> > -g
> >
> > -----Original Message-----
> > From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
> > Sent: Monday, October 06, 2003 10:47 AM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: [ActiveDir] OT Received Packets
> >
> > Netmon is gathering traffic but not showing all the packets that I am receiving.
> >
> > I am finding these numbers by going into Network and clicking on the status of my network connection. Right now I have 29,000 packets received and 5,000 sent and my laptop has been on for an hour.
> >
> > -----Original Message-----
> > From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
> > Sent: Monday, October 06, 2003 1:26 PM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: [ActiveDir] OT Received Packets
> >
> > "I have run network monitor and can not find what the traffic is that I am receiving."
> >
> > Meaning that NETMON is not showing any traffic? Or that NETMON can't identify the traffic?
> >
> > How are you determining that you are actually receiving this traffic? PERFMON?
> >
> > -gil
> >
> > -----Original Message-----
> > From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
> > Sent: Monday, October 06, 2003 5:39 AM
> > To: ActiveDir (E-mail)
> > Subject: [ActiveDir] OT Received Packets
> >
> > This is a little off topic, but I have to ask. My Laptop within minutes of being turned on receives over 7,000 packets and sends only 300 or so. In 15 minutes I will have over 30,000 received packets. My computer is the only one this is happening to.
> >
> > I have run network monitor and can not find what the traffic is that I am receiving. I have run an antivirus scan on my computer with updated DAT files and found nothing. I have looked at my services and did not find anything different.
> >
> > This only happens on my work network, not at home. Does anyone have any ideas?
> >
> > Justin A. Salandra, MCSE
> > Senior Network Engineer
> > Catholic Healthcare System
> > 212.752.7300 - office
> > 917.455.0110 - cell
> > [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
> >
> > List info : http://www.activedir.org/mail_list.htm
> > List FAQ : http://www.activedir.org/list_faq.htm
> > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
>
> --
> Bill Moran
> Potential Technologies
> http://www.potentialtech.com
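
Added example, not part of the original thread: the discussion turns on which frames a NIC accepts without promiscuous mode and on the guess that the received counter is mostly ARP and other broadcasts. This Python sketch tallies a classic pcap capture by destination class and counts ARP frames per sender; the MAC addresses and the sample capture are constructed for illustration.

```python
import struct
from collections import Counter

BROADCAST = b"\xff" * 6
PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps

def build_pcap(frames):
    """Pack raw Ethernet frames into a little-endian classic pcap byte string."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

def classify(pcap, my_mac):
    """Tally frames by destination class, and count ARP frames per source MAC."""
    if struct.unpack_from("<I", pcap, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap capture")
    kinds, arp_senders = Counter(), Counter()
    off = 24  # skip the global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 14:            # shorter than an Ethernet header
            kinds["truncated"] += 1
            continue
        dst, src = frame[0:6], frame[6:12]
        ethertype = struct.unpack_from("!H", frame, 12)[0]
        if dst == BROADCAST:           # delivered to every host on the segment
            kinds["broadcast"] += 1
        elif dst[0] & 1:               # group bit set; NIC accepts subscribed groups only
            kinds["multicast"] += 1
        elif dst == my_mac:            # accepted without promiscuous mode
            kinds["unicast_to_me"] += 1
        else:                          # visible only in promiscuous mode
            kinds["other_host"] += 1
        if ethertype == 0x0806:        # ARP
            arp_senders[src.hex(":")] += 1
    return kinds, arp_senders

# Constructed sample capture (made-up locally administered MACs, zero payloads).
ME, A, B = (bytes.fromhex(m) for m in ("020000000001", "020000000002", "020000000003"))
def frame(dst, src, ethertype):
    return dst + src + struct.pack("!H", ethertype) + b"\x00" * 46
SAMPLE = build_pcap([frame(BROADCAST, A, 0x0806)] * 3 + [
    frame(ME, B, 0x0800), frame(B, A, 0x0800),
    frame(bytes.fromhex("01005e0000fb"), B, 0x0800), b"\x00" * 10])

if __name__ == "__main__":
    kinds, arp = classify(SAMPLE, ME)
    print(dict(kinds), arp.most_common(3))
```

A high `broadcast` count with one dominant ARP sender points at a single scanning or misbehaving host; a high `other_host` count can only appear in a capture taken in promiscuous mode.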
