I think someone mentioned previously that it is possible that the wrong
adapter might be chosen.

Justin,
 Make sure that you are not choosing the dial up adapter that always appears
in the list.  That should be apparent though, because you would receive at
most two packets.  Other than that you should still see the occasional
broadcasts regardless of promiscuous mode.

Ken

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, October 08, 2003 8:01 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT Received Packets

Let's leave NIC's private life out of this, ok?

The NIC shouldn't need to go promiscuous for the simple fact that he's
trying to find packets that are hitting that box - so it's only got to see
traffic that's destined for it. The flip side of that is that I don't
remember the last NIC I bought which couldn't go promiscuous, so I doubt
that's the issue, unless it's an OLD POS model.

I'm thinking it might actually be a filter in NetMon that's causing the
issue - but I don't know exactly why.

--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -----Original Message-----
> From: Rick Kingslan [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, October 07, 2003 9:59 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] OT Received Packets
> 
> 
> Total and complete speculation as I can't imagine in my wildest dreams as to
> why NetMon isn't picking up all of these 1000's of packets that Justin is
> seeing.  The shim isn't able to read?  <shrug>
> 
> Yeah, I've seen some pretty messed up stuff in NetMon as well.  In fact, the
> reverse is true - I've seen stuff in NetMon that Ethereal wasn't able to
> correctly read.
> 
> I suspect that the biggest issue is that the NIC is not promiscuous. 
> 
> Rick Kingslan  MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>  
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Joe
> Sent: Tuesday, October 07, 2003 8:43 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] OT Received Packets
> 
> Yes. :o)
> 
> I have not heard of ethereal being able to pick up packets that netmon
> can't. Have you positive experience of this or is it theory? I have seen
> some pretty hokey packets in netmon.
> 
>   joe
> 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
> Sent: Tuesday, October 07, 2003 8:50 PM
> To: [EMAIL PROTECTED]
> 
> Joe,
> 
> If the NIC can't get into promiscuous mode, won't it ignore packets that are
> *not* addressed to it?  IOW, a packet comes in for another machine.  It
> notes that the packet came in (via the stats at the In - Out [which, I
> question to some degree anyway]) but it's not for me.  Because I'm not in
> promiscuous mode, I don't (can't) copy it, so I drop it.  Because it wasn't
> copied, it's not passed to the NetMon shim.  However, a packet that *IS*
> addressed to me shows up and is passed up the stack and is read as well by
> the NetMon shim.  This one shows up in the trace buffer.
> 
> Also, isn't it possible that the packets that are showing up at Justin's
> system are corrupted?  NetMon may or may not deal with it properly (can't
> answer that one, honestly). Ethereal does, however, present even the corrupt
> packets with some ability to determine what might be the problem.  The Pcap
> module does seem to be a bit ahead of the shim that NetMon uses.
> 
> Yes, I know - but if the packets show up in the in-out counter on Justin's
> system, but no one else's - they must be destined for his system.  Heck, I
> dunno.  Me, I'm just one of the team here, and I'm counting on my supporting
> cast.  Rick can't do everything.... (to paraphrase the football
> commercial.....)
> 
> ;p
> 
> Rick Kingslan  MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>  
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Joe
> Sent: Tuesday, October 07, 2003 6:55 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] OT Received Packets
> 
> Shouldn't need to. NETMON will see everything Ethereal will. If the traffic
> is hitting that NIC, it should be visible in NETMON unless the NIC can't go
> into promiscuous mode. Even still, anything addressed to that machine should
> be visible.
> 
>   joe
> 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Bill Moran
> Sent: Tuesday, October 07, 2003 4:55 PM
> To: [EMAIL PROTECTED]
> 
> Salandra, Justin A. wrote:
> > I am watching my interface in netmon and there is nothing coming up.
> > I see other traffic on the network.
> 
> You could install Ethereal (http://www.ethereal.com) which will capture and
> analyze individual packets.
> 
> That would answer the question once and for all, since you'd be able to see
> details of every single packet.  At the rate you're gathering incoming
> packets, you should only need a few seconds worth of capture to find out
> where it's coming from.
> 
> > 
> > -----Original Message-----
> > From: Joe [mailto:[EMAIL PROTECTED]
> > Sent: Monday, October 06, 2003 10:36 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] OT Received Packets
> > 
> > 
> > I would guess that it is probably mostly ARP's and other broadcasts. I
> > would say whoever mentioned the viruses is probably accurate, but
> > open that up to all of the broadcast and searching viruses like mumu
> > and code red and nimda and ... And ... And ... And ...
> > 
> > Whatever traffic it is though, it should be readily available in 
> > netmon unless the wrong interface is being watched.
> > 
> > 
> >    joe
> > 
> > 
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Gil 
> > Kirkpatrick
> > Sent: Monday, October 06, 2003 2:35 PM
> > To: '[EMAIL PROTECTED]'
> > 
> > My first thought was it might be machine policy, but it sounds like the
> > traffic is fairly continuous, as opposed to just after boot.
> > 
> > Are you running any p2p software?
> > 
> > -g
> > 
> > 
> > -----Original Message-----
> > From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
> > Sent: Monday, October 06, 2003 10:47 AM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: [ActiveDir] OT Received Packets
> > 
> > 
> > Netmon is gathering traffic but not showing all the packets that I am
> > receiving.
> > 
> > I am finding these numbers by going into Network and clicking on the
> > status of my network connection.  Right now I have 29,000 packets
> > received and 5,000 sent and my laptop has been on for an hour.
> > 
> >  -----Original Message-----
> > From:       Gil Kirkpatrick [mailto:[EMAIL PROTECTED] 
> > Sent:       Monday, October 06, 2003 1:26 PM
> > To: '[EMAIL PROTECTED]'
> > Subject:    RE: [ActiveDir] OT Received Packets
> > 
> > "I have run network monitor and can not find what the traffic is that
> > I am receiving."
> > 
> > Meaning that NETMON is not showing any traffic? Or that NETMON can't
> > identify the traffic?
> > 
> > How are you determining that you are actually receiving this traffic?
> > PERFMON?
> > 
> > -gil
> > 
> > 
> > -----Original Message-----
> > From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
> > Sent: Monday, October 06, 2003 5:39 AM
> > To: ActiveDir (E-mail)
> > Subject: [ActiveDir] OT Received Packets
> > 
> > 
> > This is a little off topic, but I have to ask.  My laptop within minutes
> > of being turned on receives over 7,000 packets and sends only 300 or
> > so.  In 15 minutes I will have over 30,000 received packets.  My
> > computer is the only one this is happening to.
> > 
> > I have run network monitor and can not find what the traffic is that
> > I am receiving.  I have run an antivirus scan on my computer with
> > updated DAT files and found nothing.  I have looked at my services and
> > did not find anything different.
> > 
> > This only happens on my work network, not at home.  Does anyone have
> > any ideas?
> > 
> > Justin A. Salandra, MCSE
> > Senior Network Engineer
> > Catholic Healthcare System
> > 212.752.7300 - office
> > 917.455.0110 - cell
> > [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
> > 
> > List info   : http://www.activedir.org/mail_list.htm
> > List FAQ    : http://www.activedir.org/list_faq.htm
> > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
> > 
> > 
> 
> 
> --
> Bill Moran
> Potential Technologies
> http://www.potentialtech.com
> 
> 
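
Added example, not part of the original thread: a simplified Python model of the NIC receive filter discussed in the quoted messages above, showing which destination types reach a capture tool with and without promiscuous mode. The MAC addresses, sample frames and function names are constructed for illustration, and the model assumes runt frames are always dropped.

```python
from collections import Counter

BROADCAST = bytes.fromhex("ffffffffffff")

def classify(frame: bytes, own_mac: bytes) -> str:
    """Label a frame by its destination MAC (first 6 bytes of the header)."""
    if len(frame) < 14:
        return "runt"                      # too short for an Ethernet header
    dst = frame[:6]
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:                      # I/G bit set: group address
        return "multicast"
    return "unicast-to-me" if dst == own_mac else "unicast-other"

def nic_accepts(frame, own_mac, groups=frozenset(), promiscuous=False) -> bool:
    """Simplified receive filter: would the NIC pass this frame up the stack?"""
    kind = classify(frame, own_mac)
    if kind == "runt":
        return False                       # model assumption: runts always dropped
    if promiscuous or kind in ("broadcast", "unicast-to-me"):
        return True
    return kind == "multicast" and frame[:6] in groups

def tally(frames, own_mac, **filter_opts):
    """Count frames on the wire vs. frames a capture shim above the NIC sees."""
    on_wire, captured = Counter(), Counter()
    for f in frames:
        kind = classify(f, own_mac)
        on_wire[kind] += 1
        if nic_accepts(f, own_mac, **filter_opts):
            captured[kind] += 1
    return on_wire, captured

def eth(dst: bytes, src: bytes, ethertype: int) -> bytes:
    """Build a minimal constructed frame: 14-byte header plus zero padding."""
    return dst + src + ethertype.to_bytes(2, "big") + bytes(46)

# Constructed sample data (locally administered MACs, not from the thread).
ME, PEER, THIRD = (bytes.fromhex(m) for m in
                   ("020000000001", "020000000002", "020000000003"))
MDNS = bytes.fromhex("01005e0000fb")       # IPv4 multicast group address
SAMPLE = [eth(BROADCAST, PEER, 0x0806), eth(BROADCAST, THIRD, 0x0806),  # ARP
          eth(ME, PEER, 0x0800), eth(THIRD, PEER, 0x0800), eth(MDNS, PEER, 0x0800)]

if __name__ == "__main__":
    for promisc in (False, True):
        wire, cap = tally(SAMPLE, ME, promiscuous=promisc)
        print(f"promiscuous={promisc}: on wire {dict(wire)}, captured {dict(cap)}")
```
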