Mr. Cube,

That depends. If you have a single switch, just sniff the network and, as someone suggested, check the MAC address of anything attempting to hit port 10000 on your own interface (assuming that the worm is continually re-scanning its local subnet; if not, and it's just counting up from 1.0.0.1 to 255.255.255.254, you'll want to mirror the port going towards your gateway). If the switch is managed, you can telnet or use the wbem interface to check the layer 2 forwarding database for that MAC. It will tell you which port the offending PC is attached to.

Now, if you have multiple switches, this is not a very scalable troubleshooting method... If you can define ACLs on your switches, you could block port 10000 traffic and log the offending packets.

Regards,
J

> Date: Sun, 26 Dec 2004 09:06:53 +0300
> From: rubix cube <[EMAIL PROTECTED]>
> Subject: Re: [ActiveDir] worm (very very OT)
> Reply-To: [email protected]
>
> do I need to mirror a specific port? Which one?
> Why can't I connect to any available port on that switch and sniff the network?
> thanks
> rubix

-- 
Jason Hicks
Senior Network Architect
National Fuel - Buffalo, NY

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
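The procedure Jason describes (sniff for a host hitting port 10000 on many neighbours, take its source MAC, then look that MAC up in the switch's layer 2 forwarding database to find the physical port) as an added Python example; it is not part of the original message. The tcpdump-style capture and the Cisco-style MAC table below are constructed sample data, and the "SYNs to port 10000 against three or more distinct hosts" heuristic is an assumption chosen for the example, not something stated in the thread.

```python
"""Locate a scanning host from a packet capture plus a switch MAC table.

Added example, not code from the ActiveDir list thread. Assumes:
  - a text capture in `tcpdump -nne` style (constructed sample below)
  - a `show mac-address-table` style dump from the switch (constructed below)
"""
import re
from collections import defaultdict

WORM_PORT = 10000     # port the worm in the thread is probing
SCAN_THRESHOLD = 3    # assumed heuristic: distinct targets before we call it a scan

# Constructed sample capture. One host (…:bb:01) sweeps port 10000 across the
# subnet; a second host (…:bb:02) makes ordinary connections and one lone probe.
SAMPLE_CAPTURE = """\
12:00:01.000001 00:0c:29:aa:bb:01 > 00:50:56:ab:cd:ef, ethertype IPv4 (0x0800), length 74: 192.0.2.10.1034 > 192.0.2.1.10000: Flags [S], seq 1, win 64240, length 0
12:00:01.000002 00:0c:29:aa:bb:01 > 00:50:56:ab:cd:ef, ethertype IPv4 (0x0800), length 74: 192.0.2.10.1035 > 192.0.2.2.10000: Flags [S], seq 1, win 64240, length 0
12:00:01.000003 00:0c:29:aa:bb:01 > 00:50:56:ab:cd:ef, ethertype IPv4 (0x0800), length 74: 192.0.2.10.1036 > 192.0.2.3.10000: Flags [S], seq 1, win 64240, length 0
12:00:01.000004 00:0c:29:aa:bb:01 > 00:50:56:ab:cd:ef, ethertype IPv4 (0x0800), length 74: 192.0.2.10.1037 > 192.0.2.4.10000: Flags [S], seq 1, win 64240, length 0
12:00:01.000005 00:50:56:ab:cd:ef > 00:0c:29:aa:bb:01, ethertype IPv4 (0x0800), length 60: 192.0.2.3.10000 > 192.0.2.10.1036: Flags [R.], seq 0, ack 2, win 0, length 0
12:00:01.000006 00:0c:29:aa:bb:02 > 00:50:56:ab:cd:ef, ethertype IPv4 (0x0800), length 74: 192.0.2.11.1050 > 192.0.2.3.445: Flags [S], seq 1, win 64240, length 0
12:00:01.000007 00:0c:29:aa:bb:02 > 00:50:56:ab:cd:ef, ethertype IPv4 (0x0800), length 74: 192.0.2.11.1051 > 192.0.2.3.10000: Flags [S], seq 1, win 64240, length 0
"""

# Constructed sample of a switch's layer 2 forwarding database.
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    000c.29aa.bb01    DYNAMIC     Fa0/7
  10    000c.29aa.bb02    DYNAMIC     Fa0/12
  10    0050.56ab.cdef    DYNAMIC     Gi0/1
"""

LINE_RE = re.compile(
    r"^(\S+) (\S+) > (\S+), ethertype IPv4 \(0x0800\), length \d+: "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]"
)


def parse_capture(text):
    """Turn tcpdump -nne lines into dicts; lines that do not parse are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, smac, dmac, sip, sport, dip, dport, flags = m.groups()
        records.append({"ts": ts, "src_mac": smac.lower(), "dst_mac": dmac.lower(),
                        "src_ip": sip, "dst_ip": dip, "dport": int(dport), "flags": flags})
    return records


def find_scanners(records, port=WORM_PORT, threshold=SCAN_THRESHOLD):
    """Map source MAC -> sorted distinct targets for hosts sending bare SYNs to `port`."""
    targets = defaultdict(set)
    for r in records:
        if r["dport"] == port and r["flags"] == "S":   # "S" only: SYN without ACK
            targets[r["src_mac"]].add(r["dst_ip"])
    return {mac: sorted(ips) for mac, ips in targets.items() if len(ips) >= threshold}


def normalize_mac(mac):
    """Accept 000c.29aa.bb01 / 00-0c-29-aa-bb-01 / 00:0c:29:aa:bb:01 forms."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text):
    """Map normalized MAC -> switch port from a show mac-address-table dump."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and re.fullmatch(r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}", parts[1]):
            table[normalize_mac(parts[1])] = parts[3]
    return table


def locate_scanners(capture_text, mac_table_text):
    """Join the two views: which switch port each scanning MAC is plugged into."""
    ports = parse_mac_table(mac_table_text)
    return {mac: {"switch_port": ports.get(mac, "unknown"), "targets": ips}
            for mac, ips in find_scanners(parse_capture(capture_text)).items()}


if __name__ == "__main__":
    for mac, info in locate_scanners(SAMPLE_CAPTURE, SAMPLE_MAC_TABLE).items():
        print(f"{mac} on {info['switch_port']} probed {len(info['targets'])} hosts on tcp/{WORM_PORT}")
```

On a real switch the capture would come from a SPAN/mirror session and the table from the CLI, but the join is the same: the MAC seen on the wire is the key into the forwarding database, and the threshold keeps a single legitimate connection to port 10000 from being flagged.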
