[isalist] Re: Help reading an ethereal capture

  • From: "Steve diMascio" <Steve@xxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 17 Nov 2006 17:12:22 -0000

http://www.ISAserver.org
-------------------------------------------------------

Hi Jim, I ran Defender and Spybot Search & Destroy on the workstation and
both came up clean (apart from VNC); the workstation is fully patched
and is running Trend CSM. Personally I'd send you the capture in a second,
but the owner is paranoid (I think that's the right word). If I haven't
figured it out soon I may have to admit defeat and rebuild the
workstation. That's not the problem though: if he "wins", I'm going to
have to remove the FWCs, and I don't want to go there. Thanks for the
gut feeling though, I'll carry on this track for a bit longer.

Hi Tom, if any user in the domain sends this user an email it takes
around 5 minutes to get to this user; if anyone sends an email to a
distribution group that this user is a member of, everyone else has
received the email (and received their cup of tea ;-) by the time this
user gets the email.

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: 17 November 2006 16:50
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Help reading an ethereal capture

This smells more like malware than anything else.
Mind sending the whole capture?
You can send to me privately if you want.
MS NDA applies, of course.


-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Steve diMascio
Sent: Friday, November 17, 2006 08:46
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Help reading an ethereal capture

I'm trying to solve a problem I'm having with one of my workstations
that intermittently takes ages to receive email, even from local users
(around 5 minutes anyway). The company owner thinks it's a firewall
client issue, as he never used them in the past, but since I installed
the FWC on every workstation this has happened (only to one of the
workstations) - that's the whole of his "theory". I don't think it's a
FWC issue, but since I haven't been able to give a definite reason, or
prove it's not the FWC, he's sticking to his "theory".

It's an SBS2k3 network: 40 workstations, 2 member servers (1 is VoIP, the
other a TS); obviously Exchange and ISA are on the SBS box, although I'm
planning on moving ISA to its own hardware over the Christmas break.

I've taken a network capture but am pretty useless at reading them. So I
compared the capture to a capture taken on a working desktop, and the
only difference I can see between them is that the one that doesn't work
has hundreds of lines like this:

Source          10.0.0.135
Destination     0.0.0.0
Protocol        TCP
Info            33037 > 0 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0

There are literally hundreds of these in a 6 minute capture.

The frame number goes up by 1 and the source port changes randomly
(seemingly). I've searched Google but haven't found anything that tells me
what this traffic is. Can anyone point me in the right direction, or
have any good references for reading ethereal captures?
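A constructed example, not code from any of the posters, that parses summary lines in the four-line layout quoted above and counts, per source host, the RST packets aimed at 0.0.0.0 port 0 together with how many distinct source ports they use; the sample capture text and the rate threshold are assumptions, so the "hundreds of lines" observation can be quantified and compared against a healthy workstation's capture.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the four-line-per-packet summary layout shown in the post:
# three RST/ACK packets to 0.0.0.0:0 with changing source ports, plus one normal SMTP SYN.
SAMPLE = """\
Source          10.0.0.135
Destination     0.0.0.0
Protocol        TCP
Info            33037 > 0 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0
Source          10.0.0.135
Destination     0.0.0.0
Protocol        TCP
Info            40112 > 0 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0
Source          10.0.0.135
Destination     10.0.0.2
Protocol        TCP
Info            1043 > 25 [SYN] Seq=0 Win=65535 Len=0
Source          10.0.0.135
Destination     0.0.0.0
Protocol        TCP
Info            51877 > 0 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0
"""
INFO_RE = re.compile(r"(\d+) > (\d+) \[([A-Z, ]+)\]")

def parse_summary(text):
    """Yield (src, dst, proto, sport, dport, flags) for each packet in the summary."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(" ")
        fields[key] = value.strip()
        if key == "Info":  # the fourth line completes one packet
            m = INFO_RE.search(fields["Info"])
            if m:
                flags = {f.strip() for f in m.group(3).split(",")}
                yield (fields["Source"], fields["Destination"], fields["Protocol"],
                       int(m.group(1)), int(m.group(2)), flags)
            fields = {}

def null_reset_report(text, capture_minutes, per_minute_threshold=10):
    """Per source host: RST packets aimed at 0.0.0.0:0, distinct source ports, rate."""
    counts, ports = Counter(), defaultdict(set)
    for src, dst, proto, sport, dport, flags in parse_summary(text):
        if proto == "TCP" and dst == "0.0.0.0" and dport == 0 and "RST" in flags:
            counts[src] += 1
            ports[src].add(sport)  # random-looking sports show up as a high distinct count
    return {src: {"packets": n, "distinct_sports": len(ports[src]),
                  "per_minute": n / capture_minutes,
                  "suspicious": n / capture_minutes >= per_minute_threshold}
            for src, n in counts.items()}
```

The same packets can be isolated directly in Ethereal/Wireshark with the display filter `ip.dst == 0.0.0.0 && tcp.flags.reset == 1`, which makes a side-by-side count against the working desktop's capture quick.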
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx 