Not true. Mirror the port and it will capture in promisciuos mode.
On Thu, 23 Dec 2004 11:29:37 -0500, Kern, Tom <[EMAIL PROTECTED]> wrote: > we're a switched network. i'd have to go to every pc(500) and run it. i'm > trying to avoid that. might as well run netstat -an on all pc's. > > ethereal won't tell me the real address. > > thanks > > -----Original Message----- > From: Candee Vaglica [mailto:[EMAIL PROTECTED] > Sent: Thursday, December 23, 2004 11:16 AM > To: [email protected] > Subject: Re: [ActiveDir] worm (very very OT) > > Use a network scanner, like Ethereal to monitor the traffic. > > On Thu, 23 Dec 2004 11:11:43 -0500, Kern, Tom <[EMAIL PROTECTED]> wrote: > > this is way off and i apologize but you guys are really knowledgable and > > such a great help, i thought i'd try here. > > > > i have a number of pc's infected with some wom that goes out on port 10000 > > tcp and tries to attemp a DOS attack. > > > > I don't know the worm and a google searched didn't really turn anything up. > > > > here's the thing. the worm uses a spoofed source address. my question is, > > is there anyway to track down a spoofed address internally to the real > > address? > > > > I don't know how to find the infected pc's. > > > > thanks > > List info : http://www.activedir.org/mail_list.htm > > List FAQ : http://www.activedir.org/list_faq.htm > > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ > > > List info : http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ > List info : http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ > List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
