SUMMARY: Identifying Unknown Host/Device on Network

From: Tim Evans (oss670!tkevans@cs.umd.edu)
Date: Mon Apr 22 1991 - 15:58:44 CDT


My original question:

I'm running traffic(1C) and the Dst histogram is showing a large
amount of traffic from an unknown host/device. Normally, traffic
displays hostnames (if known) or hex IP addresses (if not known).
However, in this case, neither is shown.

My network is a mixed TCP/IP, XNS, and Novell one, and I suspect
that the problem is either a Novell server or client, or a bad
bridge or repeater. Is there any way of tracing this aside from
a Sniffer?

Thanks to the many, many (too many to list) who recommended
etherfind(8C). Special thanks to Dave Williams
(exudnw@exurchn1.ericsson.se) for a list of vendor address
codes for ethernet hardware.

I used etherfind, and found a steady stream of still-unidentifiable
packets, with hardware addresses that don't fit any of the
vendors and not-immediately-recognizable protocol types. Here
are the first few packets, generated with:

        etherfind -x -t ! -ip

Note that:

o proto is "old PUP"

o source and destination addresses (always the same
        pair) are not on my vendor list

o packets are at regular intervals;

o packet length and content appear to be identical

                                                  icmp type
       lnth proto source destination src port dst port
 0.00 68 old PUP 0:0:b0:0:13:11 -> 1:0:b0:0:1:0
 01 00 b0 00 01 00 00 00 b0 00 13 11 02 00 02 01
 aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa
 aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa
 aa aa aa aa aa aa aa aa aa aa aa aa 00 00 00 00
 00 00 00 00

 0.10 68 old PUP 0:0:b0:0:13:11 -> 1:0:b0:0:1:0
 01 00 b0 00 01 00 00 00 b0 00 13 11 02 00 02 01
 aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa
 aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa
 aa aa aa aa aa aa aa aa aa aa aa aa 00 00 00 00
 00 00 00 00

 0.20 68 old PUP 0:0:b0:0:13:11 -> 1:0:b0:0:1:0
 01 00 b0 00 01 00 00 00 b0 00 13 11 02 00 02 01
 aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa
 aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa
 aa aa aa aa aa aa aa aa aa aa aa aa 00 00 00 00
 00 00 00 00

 0.30 68 old PUP 0:0:b0:0:13:11 -> 1:0:b0:0:1:0
 01 00 b0 00 01 00 00 00 b0 00 13 11 02 00 02 01
 aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa
 aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa
 aa aa aa aa aa aa aa aa aa aa aa aa 00 00 00 00
 00 00 00 00

Please reply via E-mail to the address *BELOW* or the Reply-To:

--
INTERNET	tkevans%woodb@mimsy.umd.edu
UUCP 		...!{rutgers|ames|uunet}!mimsy!woodb!tkevans
US MAIL		6401 Security Blvd, 2-Q-2 Operations, Baltimore, MD  21235	
PHONE		(301) 965-3286
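As an added example (not part of the original post and not etherfind's own code), the Python below parses the etherfind -x dump quoted above, decodes the 14-byte Ethernet header, and checks for the three signs the post lists: a single source/destination pair, identical payloads, and a fixed interval. It also reports whether the destination has the I/G (group) bit set, which the post's 1:0:b0:0:1:0 does. OUI_TABLE is an empty stand-in for the vendor list mentioned in the post; ETHERTYPES holds standard Ethernet II type values, of which 0x0200 (Xerox PUP) is what etherfind labels "old PUP".

```python
import re
# Constructed sample: the first two frames of the etherfind -x dump above.
DUMP = """\
 0.00 68 old PUP 0:0:b0:0:13:11 -> 1:0:b0:0:1:0
 01 00 b0 00 01 00 00 00 b0 00 13 11 02 00 02 01
 aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa
 aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa
 aa aa aa aa aa aa aa aa aa aa aa aa 00 00 00 00
 00 00 00 00
 0.10 68 old PUP 0:0:b0:0:13:11 -> 1:0:b0:0:1:0
 01 00 b0 00 01 00 00 00 b0 00 13 11 02 00 02 01
 aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa
 aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa
 aa aa aa aa aa aa aa aa aa aa aa aa 00 00 00 00
 00 00 00 00
"""
# Ethernet II types; 0x0200 is Xerox PUP, which etherfind prints as "old PUP".
ETHERTYPES = {0x0200: "Xerox PUP", 0x0600: "XNS IDP", 0x0800: "IP", 0x8137: "Novell IPX"}
OUI_TABLE = {}  # stand-in for the vendor list (assumption); fill from a real OUI file
SUMMARY = re.compile(r"^\s*(\d+\.\d+)\s+(\d+)\s+.+->")   # "0.00 68 old PUP a -> b"
HEXLINE = re.compile(r"^\s*(?:[0-9a-f]{2}\s*)+$")        # "01 00 b0 ..."

def parse_etherfind(text):
    """Return [(timestamp, frame_bytes)] from etherfind -x output."""
    frames, cur = [], None
    for line in text.splitlines():
        m = SUMMARY.match(line)
        if m:
            cur = [float(m.group(1)), int(m.group(2)), bytearray()]
            frames.append(cur)
        elif cur is not None and HEXLINE.match(line):
            cur[2] += bytes.fromhex(line.replace(" ", ""))
    return [(ts, bytes(b)) for ts, ln, b in frames if len(b) == ln]

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def describe(frame):
    """Decode the Ethernet header; the I/G bit separates unicast from group addresses."""
    dst, src, etype = frame[:6], frame[6:12], int.from_bytes(frame[12:14], "big")
    return {"dst": mac(dst), "src": mac(src), "dst_is_group": bool(dst[0] & 1),
            "ethertype": etype, "ethertype_name": ETHERTYPES.get(etype, "unknown"),
            "src_vendor": OUI_TABLE.get(mac(src[:3]), "not in vendor list")}

def analyse(frames):
    """Flag the pattern in the post: one src/dst pair, identical payload, fixed interval."""
    pairs = {f[:12] for _, f in frames}
    payloads = {f[14:] for _, f in frames}
    gaps = [b - a for (a, _), (b, _) in zip(frames, frames[1:])]
    return {"frames": len(frames), "single_pair": len(pairs) == 1,
            "identical_payload": len(payloads) == 1,
            "periodic": bool(gaps) and max(gaps) - min(gaps) < 0.01,
            "interval_s": round(sum(gaps) / len(gaps), 2) if gaps else None}
```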




This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:06:13 CDT