Joris Lambrecht wrote:
>There is a recurring Zebra Protocol capture which is not supposed to occur.
>As far as I know there might be a Zebra router on the network, but the
>src/dest addresses involved do not return anything close to the routers I
>know of in the network. I even checked the workstation involved that was
>replying with "Zebra Response"; there is no such software running on that
>workstation.
>
>I figured out most of the traffic on this network/subnet but cannot pinpoint
>the validity of the Zebra Protocol. Did anyone ever encounter a similar
>situation in which packets could have been mistaken for a known protocol?

It's quite normal for Ethereal to misinterpret some packets as a protocol other than the one they really are, since it's often not possible to determine exactly what protocol it is based on heuristics. Often, though, you will notice that the decoding fails for part of the packet in those cases (indicated as "[Malformed packet]" or similar), or that part of the message looks like garbage.

I have sometimes had to disable some protocols due to this, remove some plugins (e.g. the PCLI plugin that registers UDP port 9000) and change the protocol preferences for some protocols (e.g. iSCSI and Diameter, which register certain TCP port numbers that are often used by the client side of TCP connections) in order to avoid some protocols being misinterpreted by Ethereal.

Ethereal normally dissects TCP packets to or from port number 2600 with the Zebra dissector, and of course TCP port number 2600 could be used for a lot of different purposes (both as a server-side port number and as a client-side port number).

When the TCP connection is set up, is it established towards port number 2600 (i.e. the server side has port 2600), or is it established towards another port number (i.e. the client side has port 2600)?

It could be good to check whether the other port number is registered by IANA, or whether it's listed in any of the other port number lists available on the internet (a search for "port 4711" or similar in Google may give some interesting hits).

Also, it could be interesting to see what happens with the TCP connection. Is it established (SYN, SYN-ACK, ACK), then some data sent in one or both directions and then closed, or is there a further exchange of data before the connection is closed? And how often is the TCP connection re-established?

You could maybe also have a look at whether there are other IP messages sent between these two IP addresses (other protocols or port numbers).

It would be good if you could send some more details and maybe a short sample capture, if possible.

Actually, port number 2600 is registered by IANA as the port number for some HP-specific protocols, it seems.

http://www.iana.org/assignments/port-numbers
hpstgmgr 2600/tcp   HPSTGMGR
hpstgmgr 2600/udp   HPSTGMGR
#      Kevin Collins <[EMAIL PROTECTED]>

I couldn't find any details about HPSTGMGR so I don't know what it is used for.

But TCP port number 2600 is also the normal port for the Zebra protocol. Port number 2600 is also used by a trojan program ("Digital RootBeer"), in a lot of configuration examples, by some other software, and so on.

http://www.seifried.org/security/ports/2000/2600.html
http://home.t-online.de/home/TschiTschi/well_known_trojaner_ports.htm
http://www.bekkoame.ne.jp/~s_ita/port/port2600-2699.html
http://www.geocities.com/nidhi_jain24/DefList.html
http://ethereal.archive.sunet.se/lists/ethereal-dev/200208/msg00100.html
http://www.usm.maine.edu/~houser/cos460/project.html
http://www.megasecurity.org/trojans/m/minicom/Minicom3.5.html
http://mail.nl.linux.org/xchat-discuss/2002-02/msg00163.html

You can try to disable "Zebra protocol" and see if the packets then just look like TCP packets, or if they are dissected by a heuristic dissector or based on the other port number.

However, my guess is that they will look like TCP packets, since it may be a protocol that isn't implemented in Ethereal or won't be automatically dissected based on heuristics.

You probably have to look into whether the packet hex data could give any more clues about what protocol it is (maybe you can see some text in the packet), and maybe also check what programs are running on the workstation and whether they are configured or hardcoded to use port number 2600. You could maybe stop different programs one at a time and check with a netstat printout to determine which listening ports are used by which programs.
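As an added example (not part of the original post, and not Ethereal code), the following Python script automates two of the checks suggested in the reply above on raw Ethernet/IPv4/TCP frames: for every TCP flow touching port 2600 it determines from the initial SYN whether 2600 is the server-side (listening) port or merely an ephemeral client-side port, counts how often the connection is established and closed and how many bytes flow each way, and shows a hex-dump-style ASCII preview of the payload so readable text stands out. The frames it runs on are constructed inline (the addresses 10.0.0.x, the ports 8080/40000/53 and the payloads are made up for the demonstration); a real capture would be fed in frame by frame.

```python
"""
Classify TCP flows that touch a port of interest (2600 by default) from raw
Ethernet/IPv4/TCP frames: which side holds the port, how often the connection
is (re-)established and closed, how much data flows each way, and a printable
preview of the payload for eyeballing.
"""
import struct
from collections import defaultdict

PORT_OF_INTEREST = 2600  # the port Ethereal hands to the Zebra dissector

FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10}


def tcp_frame(src, dst, flags, payload=b""):
    """Build a constructed Ethernet/IPv4/TCP frame (checksums left at zero; fine for parsing)."""
    (sip, sport), (dip, dport) = src, dst

    def ip4(addr):
        return bytes(int(octet) for octet in addr.split("."))

    eth = b"\x00" * 12 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000, 64, 6, 0,
                     ip4(sip), ip4(dip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Return ((src_ip, sport), (dst_ip, dport), flag_names, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    src_ip = ".".join(str(b) for b in frame[26:30])
    dst_ip = ".".join(str(b) for b in frame[30:34])
    tcp = frame[14 + ihl:14 + total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    names = [n for n, bit in FLAGS.items() if tcp[13] & bit]
    return (src_ip, sport), (dst_ip, dport), names, tcp[data_off:]


def printable(payload, limit=32):
    """ASCII preview like a hex dump's right-hand column: non-printables become '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in payload[:limit])


def analyze(frames, port=PORT_OF_INTEREST):
    """Group frames into flows touching `port` and record each flow's TCP lifecycle."""
    flows = {}
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, flags, payload = parsed
        if port not in (src[1], dst[1]):
            continue
        key = tuple(sorted([src, dst]))  # direction-independent flow identifier
        f = flows.setdefault(key, {"server": None, "establishments": 0, "closes": 0,
                                   "bytes": defaultdict(int), "preview": []})
        if "SYN" in flags and "ACK" not in flags:  # initial SYN: the destination is the server side
            f["server"] = dst
            f["establishments"] += 1
        if "FIN" in flags or "RST" in flags:
            f["closes"] += 1
        if payload:
            f["bytes"][src] += len(payload)
            f["preview"].append(printable(payload))
    return flows


def classify(flows, port=PORT_OF_INTEREST):
    """Which side of each flow holds `port`: 'server', 'client' or 'unknown' (no SYN seen)."""
    sides = {}
    for key, f in flows.items():
        if f["server"] is None:
            sides[key] = "unknown"
        else:
            sides[key] = "server" if f["server"][1] == port else "client"
    return sides


def build_sample_capture():
    """Constructed frames (not from the original thread) covering both cases."""
    a, b = ("10.0.0.5", 2600), ("10.0.0.9", 8080)   # 2600 as an ephemeral client port
    c, d = ("10.0.0.7", 40000), ("10.0.0.9", 2600)  # 2600 as the listening server port
    syn, synack, ack = FLAGS["SYN"], FLAGS["SYN"] | FLAGS["ACK"], FLAGS["ACK"]
    push, fin = FLAGS["PSH"] | FLAGS["ACK"], FLAGS["FIN"] | FLAGS["ACK"]

    def handshake(client, server):
        return [tcp_frame(client, server, syn), tcp_frame(server, client, synack),
                tcp_frame(client, server, ack)]

    frames = handshake(a, b) + [tcp_frame(a, b, push, b"GET / HTTP/1.0\r\n"),
                                tcp_frame(b, a, push, b"HTTP/1.0 200 OK\r\n"),
                                tcp_frame(a, b, fin)]
    frames += handshake(c, d) + [tcp_frame(c, d, push, b"\x00\x06\x00\x01\x00\x00"),  # opaque binary
                                 tcp_frame(c, d, fin)]
    frames += handshake(c, d)                                   # the same pair reconnects
    frames.append(b"\xff" * 12 + b"\x08\x06" + b"\x00" * 28)    # an ARP frame, skipped as non-IPv4
    frames.append(tcp_frame(("10.0.0.5", 51000), ("10.0.0.1", 53), syn))  # unrelated port, skipped
    return frames


if __name__ == "__main__":
    flows = analyze(build_sample_capture())
    for key, side in classify(flows).items():
        f = flows[key]
        print(f"{key[0][0]}:{key[0][1]} <-> {key[1][0]}:{key[1][1]}  port {PORT_OF_INTEREST} on {side} side;"
              f" established {f['establishments']}x, closed {f['closes']}x,"
              f" bytes {dict(f['bytes'])}, preview {f['preview']}")
```

The flow in which 2600 is only the client's ephemeral port is the coincidence the reply describes: Ethereal's port-based match fires, but nothing about the traffic is Zebra. Repeated establishments for the same address pair and an all-dots preview are the two signals worth checking before digging into the hex by hand.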