Thank you, J. Well, we have 50+ switches currently, and I can't monitor VLANs because we have 15+ VLANs. What I am doing currently is blocking all traffic at the firewalls (hardware and software) except for the required ports (25 for mail, 80 for HTTP, 1429 for MSN Messenger, ports for RealPlayer, etc.), so I have no worries about traffic using port 10000. The problem I face is when a worm has its own SMTP engine and so is "legally" sending emails on port 25 from the client's machine, internally and externally, and spoofing addresses. The MAC resolution is no worry; the sniffer actually shows me the IPs, which I can look up in the DHCP, and yet if I have only the MAC, like you said, I can connect to the switch and look it up in the switch MAC address table.
Thanks, Ms. Cube

On Tue, 28 Dec 2004 07:48:59 -0500, Jason Hicks <[EMAIL PROTECTED]> wrote:
> Mr. Cube,
>
> That depends. If you have a single switch, just sniff the network and,
> as someone suggested, check the MAC address of anything attempting to
> hit port 10000 on your own interface (assuming that the worm is
> continually re-scanning its local subnet; if not, and it's just counting
> up from 1.0.0.1 to 255.255.255.254, you'll want to mirror the port
> going towards your gateway). If the switch is managed, you can telnet
> or use the wbem interface to check the layer 2 forwarding database for
> that MAC. It will tell you which port the offending PC is attached to.
>
> Now, if you have multiple switches, this is not a very scalable
> troubleshooting method...
>
> If you can define ACLs on your switches, you could block port 10000
> traffic and log the offending packets.
>
> Regards,
> J
>
> >Date: Sun, 26 Dec 2004 09:06:53 +0300
> >From: rubix cube <[EMAIL PROTECTED]>
> >Subject: Re: [ActiveDir] worm (very very OT)
> >Reply-To: [email protected]
> >do I need to mirror a specific port? Which one?
> >Why can't I connect to any available port on that switch and sniff the
> >network?
> >thanks
> >rubix
>
> --
> Jason Hicks
> Senior Network Architect
> National Fuel - Buffalo, NY
> List info : http://www.activedir.org/mail_list.htm
> List FAQ : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
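The check the thread is circling around, as an added example that is not part of any of the posts above: take a sniffer export from the mirrored gateway port, flag client hosts that talk SMTP directly to outside mail servers (a worm with its own SMTP engine does exactly this, whereas legitimate clients only ever reach the internal mail server on 25) or that sweep port 10000 across many hosts, then map each offending IP to its MAC via the capture or the DHCP leases and to a switch port via the switch MAC address tables. Everything here is constructed: the flow lines and their format, the mail server address 10.0.0.25, the DHCP lease table and the per-switch MAC tables are all assumptions, not data from the list.

```python
"""Spot internal hosts running their own SMTP engine (or scanning port 10000)
from a sniffer export, then map their IPs back to MAC, switch and port.

Added example for the thread above, not from the original posts. All data
below is constructed: the flow lines, the mail server 10.0.0.25, the DHCP
lease table and the per-switch MAC address tables are assumptions.
"""
from collections import defaultdict

# Constructed sniffer export: one line per TCP SYN seen on the mirror port.
# Format (assumed): "<src_mac> <src_ip> <dst_ip> <dst_port>"
FLOWS = """\
00:11:22:33:44:01 10.0.1.17 10.0.0.25 25
00:11:22:33:44:01 10.0.1.17 203.0.113.9 80
00:11:22:33:44:02 10.0.1.42 198.51.100.7 25
00:11:22:33:44:02 10.0.1.42 198.51.100.8 25
00:11:22:33:44:02 10.0.1.42 192.0.2.3 25
00:11:22:33:44:25 10.0.0.25 198.51.100.7 25
00:11:22:33:44:03 10.0.1.58 10.0.1.1 10000
00:11:22:33:44:03 10.0.1.58 10.0.1.2 10000
00:11:22:33:44:03 10.0.1.58 10.0.1.3 10000
00:11:22:33:44:03 10.0.1.58 10.0.1.4 10000
"""

# Assumed: the only host that may speak SMTP to the outside world.
MAIL_SERVERS = {"10.0.0.25"}

# Constructed DHCP lease table (ip -> mac) and switch MAC address tables
# (switch -> mac -> port), standing in for what you would read off the servers.
DHCP_LEASES = {"10.0.1.17": "00:11:22:33:44:01",
               "10.0.1.42": "00:11:22:33:44:02",
               "10.0.1.58": "00:11:22:33:44:03"}
MAC_TABLES = {"sw-floor2": {"00:11:22:33:44:01": "Gi0/7",
                            "00:11:22:33:44:02": "Gi0/12"},
              "sw-floor3": {"00:11:22:33:44:03": "Gi0/3"}}


def parse_flows(text):
    """Parse the export into (src_mac, src_ip, dst_ip, dst_port) tuples."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                      # skip blank or garbled lines
        mac, src, dst, port = parts
        flows.append((mac.lower(), src, dst, int(port)))
    return flows


def rogue_smtp_senders(flows, mail_servers=MAIL_SERVERS):
    """Client hosts that open TCP/25 to anything other than our mail server.

    A client submitting mail to the internal server is normal; a client
    delivering straight to many outside MXs is a mass-mailer.
    Returns {src_ip: sorted list of SMTP destinations}.
    """
    by_src = defaultdict(set)
    for _mac, src, dst, port in flows:
        if port == 25 and src not in mail_servers and dst not in mail_servers:
            by_src[src].add(dst)
    return {src: sorted(dsts) for src, dsts in by_src.items()}


def port_scanners(flows, port=10000, min_targets=3):
    """Hosts hitting `port` on at least `min_targets` distinct destinations."""
    targets = defaultdict(set)
    for _mac, src, dst, dport in flows:
        if dport == port:
            targets[src].add(dst)
    return {src for src, dsts in targets.items() if len(dsts) >= min_targets}


def locate(ip, flows, leases=DHCP_LEASES, mac_tables=MAC_TABLES):
    """Map an IP to (mac, switch, port).

    The MAC comes from the capture itself if the host was seen, otherwise
    from the DHCP lease table; the switch MAC address tables then say which
    port the host hangs off. Returns None if the IP is unknown everywhere.
    """
    mac = next((m for m, src, _, _ in flows if src == ip), None) or leases.get(ip)
    if mac is None:
        return None
    for switch, table in mac_tables.items():
        if mac in table:
            return (mac, switch, table[mac])
    return (mac, None, None)              # MAC known, but not in any switch table


if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    for ip, dsts in rogue_smtp_senders(flows).items():
        print(f"direct SMTP from client {ip} -> {dsts}  located at {locate(ip, flows)}")
    for ip in sorted(port_scanners(flows)):
        print(f"port 10000 sweep from {ip}  located at {locate(ip, flows)}")
```

With 50+ switches the `MAC_TABLES` dictionary is the part worth automating: pull each switch's forwarding table on a schedule and the lookup stays a dictionary hit rather than a telnet session per incident. Note that on a trunk the MAC may also show up on the uplink ports of every switch between the host and the sniffer; the port you want is the one on the switch where it appears on an access port.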
