Ethereal ?

moto526
scripter
Posts: 99
Joined: Tue Jun 13, 2006 11:59 pm
Location: California

Post by moto526 » Sun Jul 02, 2006 2:34 pm

Void do you know how to read the ethereal capture to see what is going on with my network? I want someone to look at it and tell me if everything is ok...

The reason I am looking at this is I see some different IP's in there and I don't know what that is....

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main » Sun Jul 02, 2006 4:31 pm

I use Ethereal on a daily basis but I don't use it to determine the overall health of a network. I use it to look for specific things, either for trouble-shooting a problem with a host/network device or for security reasons (watch the traffic from a specific host). Are you saying you are seeing IP addresses on your network that you cannot account for? There is no way I could tell you by looking at the capture what IP addresses are yours, that's something you would need to figure out, unless I'm missing something in your question. I could help you with questions about how to use Ethereal if you run into something you don't understand.

Post by moto526 » Sun Jul 02, 2006 4:53 pm

Yea, I am seeing a source IP that is not my IP or an internal network IP.

The reason I am watching with ethereal is because my windows server just restarted and I didn't do it so I wanted to see if someone remotely hacked my box.

My problem is I don't know what some of the info is and I am totally new to ethereal so I am not sure as to what I should be watching out for.

I hope that helps get across what I am trying to do.

Post by moto526 » Sun Jul 02, 2006 4:56 pm

Screen shot

Post by Void Main » Sun Jul 02, 2006 5:20 pm

I see what looks like someone on your network with an IP of 192.168.1.101 checking their Google mail. Or is it not the Google addresses you are concerned about? Which particular packets don't look right to you?

Post by moto526 » Sun Jul 02, 2006 7:49 pm

No, what I am wondering about is the 216... IP being the source.

What the heck is that IP doing in the source column?

Look at line 7, what is it doing?? Check the info. I don't get that.

Line 18 is a question mark for me also... That IP is messing with something right?

Post by Void Main » Sun Jul 02, 2006 8:04 pm

It would be pretty hard to read your mail if you never got any packets back from your mail host. That is a google mail server and those are reply packets. What you are seeing is a normal conversation. Now, if you don't have Google mail and you didn't have your browser open to it at the time of the sniff then you might have something to worry about. But here's how the conversation goes:

You:RandomSourcePort -> GoogleMail:80
GoogleMail:80 -> You:RandomSourcePort

That's how networking works. If you want to see the entire conversation right click on that first packet and click "Follow TCP stream". I think you'll understand a little more. You might want to do some searching for some basic TCP/IP networking tutorials. Here's a good jumping off point:

http://en.wikipedia.org/wiki/OSI_model
http://en.wikipedia.org/wiki/Internet_protocol_suite
http://en.wikipedia.org/wiki/Transmissi ... l_Protocol
http://en.wikipedia.org/wiki/User_Datagram_Protocol
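Added example (not code from the thread, nor from Ethereal): a small Python script that pairs the packets of a capture summary into conversations the way "Follow TCP stream" does, and labels each frame as request or reply according to which side opened the connection. The sample packets, the 216.0.2.10 mail-server address and the 203.0.113.9 outside host are constructed placeholders; the script goes one step beyond the thread by also listing conversations that an outside host initiated, which is the case that would actually merit the poster's concern.

```python
"""Pair capture-summary packets into conversations and tell request from reply.
Added illustration for this thread, not code from the forum or from Ethereal."""

# Constructed sample in Ethereal's summary-column style:
# (frame, source, src_port, destination, dst_port, info).
# 216.0.2.10 stands in for the "216..." mail server; 203.0.113.9 is a
# made-up outside host that opens a connection to the local server itself.
PACKETS = [
    (1, "192.168.1.101", 3245, "216.0.2.10", 80, "[SYN]"),
    (2, "216.0.2.10", 80, "192.168.1.101", 3245, "[SYN, ACK]"),
    (3, "192.168.1.101", 3245, "216.0.2.10", 80, "[ACK]"),
    (4, "192.168.1.101", 3245, "216.0.2.10", 80, "GET /mail/ HTTP/1.1"),
    (7, "216.0.2.10", 80, "192.168.1.101", 3245, "HTTP/1.1 200 OK"),
    (18, "216.0.2.10", 80, "192.168.1.101", 3245, "[ACK]"),
    (19, "203.0.113.9", 4444, "192.168.1.101", 3389, "[SYN]"),
]


def flow_key(src, sport, dst, dport):
    """Direction-independent key, so both halves of a conversation collide."""
    return tuple(sorted([(src, sport), (dst, dport)]))


def build_conversations(packets):
    """Map each flow key to {'client', 'server', 'frames'}.  The initiator is
    whoever sent the bare [SYN]; if the capture started mid-stream and no SYN
    is present, the first packet seen is the best available guess."""
    flows = {}
    for frame, src, sport, dst, dport, info in packets:
        key = flow_key(src, sport, dst, dport)
        f = flows.setdefault(key, {"client": None, "server": None, "frames": []})
        if f["client"] is None or info.strip() == "[SYN]":
            f["client"], f["server"] = (src, sport), (dst, dport)
        f["frames"].append(frame)
    return flows


def classify_frame(frame, packets, flows):
    """'request' if the frame came from the conversation's initiator, else 'reply'."""
    for fr, src, sport, dst, dport, _ in packets:
        if fr == frame:
            f = flows[flow_key(src, sport, dst, dport)]
            return "request" if (src, sport) == f["client"] else "reply"
    raise KeyError(f"frame {frame} not in capture")


def unsolicited_inbound(flows, local_prefix="192.168."):
    """Initiators outside the local network.  These, not the reply packets of a
    flow the local host started, are what deserve a closer look."""
    return sorted(f["client"][0] for f in flows.values()
                  if not f["client"][0].startswith(local_prefix))
```

Frames 7 and 18 come out as replies to a conversation 192.168.1.101 started, while frame 19 is the only flow whose initiator is outside the LAN.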
