[isalist] Re: Help reading an ethereal capture

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 17 Nov 2006 10:09:19 -0800

http://www.ISAserver.org
-------------------------------------------------------

Single frames have no real meaning.
That's why I said "smells like".

This behavior *must* be examined in the context of the entire capture. 
If you need help, you have to provide data.

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Steve diMascio
Sent: Friday, November 17, 2006 09:34
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Help reading an ethereal capture

I just took another capture, a little longer this time, and got this which is 
also not showing on the known good workstation.

Source          10.0.0.135
Destination     10.0.0.214
Protocol        TCP
Info            4454 > microsoft-ds [SYN] Seq=0 Len=0 MSS=1460


Occasionally the info changes to <random number> > 280 [SYN] Seq=0 Len=0 MSS=1460

Any help, thoughts or shots in the dark would be very gratefully received. As 
would any good recommendations for books on learning how to read these captures.



-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: 17 November 2006 16:50
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Help reading an ethereal capture

This smells more like malware than anything else.
Mind sending the whole capture?
You can send to me privately if you want.
MS NDA applies, of course.


-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Steve diMascio
Sent: Friday, November 17, 2006 08:46
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Help reading an ethereal capture

I'm trying to solve a problem I'm having with one of my workstations that 
intermittently takes ages to receive email, even from local users (around 5 
minutes anyway). The company owner thinks it's a firewall client issue, as he 
never used them in the past, but since I installed the FWC on every workstation 
this has happened (only to one of the workstations) - that's the whole of his 
"theory". I don't think it's a FWC issue, but since I haven't been able to give 
a definite reason, or prove it's not the FWC, he's sticking to his "theory". 

It's an SBS2k3 network: 40 workstations, 2 member servers (1 is VoIP, the other 
a TS). Obviously Exchange and ISA are on the SBS box, although I'm planning on 
moving ISA to its own hardware over the Christmas break.

I've taken a network capture but am pretty useless at reading them. So I 
compared the capture to a capture taken on a working desktop, and the only 
difference I can see between them is that the one that doesn't work has 
hundreds of lines like this.

Source          10.0.0.135
Destination     0.0.0.0
Protocol        TCP
Info            33037 > 0 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0

There are literally hundreds of these in a 6 minute capture.

The frame number goes up by 1 and the source port changes (seemingly) randomly. 
I've searched Google but haven't found anything that tells me what this traffic 
is. Can anyone point me in the right direction, or have any good references for 
reading Ethereal captures?
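Jim's point in the thread is that a single frame tells you little and the whole capture has to be looked at in aggregate. The following Python script is an added example, not code from any poster on the list: it parses frame summaries in the Source / Destination / Protocol / Info layout quoted above, counts per source host the two patterns Steve describes (RST/ACK frames sent to 0.0.0.0 port 0, and SYNs to microsoft-ds/445 or to port 280), and reports which hosts are worth pulling the full capture for so they can be compared against the known-good workstation. The sample capture, the service-name map, the thresholds and the function names are all constructed assumptions for this example.

```python
import re
from collections import defaultdict

# Service names Ethereal prints in the Info column, mapped back to port numbers.
# Constructed for this example; extend as needed.
SERVICE_PORTS = {"microsoft-ds": 445, "smtp": 25, "http": 80}

# "<sport> > <dport> [FLAGS] rest", e.g. "4454 > microsoft-ds [SYN] Seq=0 Len=0 MSS=1460"
INFO_RE = re.compile(r"^(?P<sport>\S+) > (?P<dport>\S+) \[(?P<flags>[^\]]*)\](?P<rest>.*)$")


def port_number(name):
    """Map '445' or 'microsoft-ds' to an integer port (-1 if the name is unknown)."""
    if name.isdigit():
        return int(name)
    return SERVICE_PORTS.get(name, -1)


def parse_records(text):
    """Parse blank-line separated 'Source ...' / 'Destination ...' / 'Protocol ...' / 'Info ...'
    blocks into a list of dicts keyed by the lower-cased field name."""
    frames, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                frames.append(current)
                current = {}
            continue
        key, _, value = line.partition(" ")
        current[key.lower()] = value.strip()
    if current:
        frames.append(current)
    return frames


def classify(frame):
    """Label a TCP frame with one of the patterns from the thread, or None if unremarkable."""
    if frame.get("protocol") != "TCP":
        return None
    m = INFO_RE.match(frame.get("info", ""))
    if not m:
        return None
    flags = {f.strip() for f in m.group("flags").split(",")}
    dport = port_number(m.group("dport"))
    if frame.get("destination") == "0.0.0.0" and dport == 0 and flags == {"RST", "ACK"}:
        return "rst_to_null"   # RST/ACK aimed at 0.0.0.0:0 - there is no real peer
    if flags == {"SYN"} and dport == 445:
        return "syn_445"       # fresh connection attempt to SMB
    if flags == {"SYN"} and dport == 280:
        return "syn_280"
    return None


def summarize(text):
    """Per source host: counts of each labelled pattern plus the number of distinct
    destinations that received a SYN on 445 (fan-out is what matters for SMB)."""
    per_host = defaultdict(lambda: {"rst_to_null": 0, "syn_445": 0, "syn_280": 0, "dst_445": set()})
    for frame in parse_records(text):
        label = classify(frame)
        if label is None:
            continue
        stats = per_host[frame["source"]]
        stats[label] += 1
        if label == "syn_445":
            stats["dst_445"].add(frame["destination"])
    return {host: {**s, "dst_445": len(s["dst_445"])} for host, s in per_host.items()}


def suspicious_hosts(text, rst_threshold=50, smb_fanout_threshold=5):
    """Hosts whose full capture should be examined: a flood of RST/ACK to 0.0.0.0:0,
    or SYNs to port 445 on many distinct hosts. Both thresholds are assumed values."""
    summary = summarize(text)
    return sorted(h for h, s in summary.items()
                  if s["rst_to_null"] >= rst_threshold or s["dst_445"] >= smb_fanout_threshold)


def frame_text(src, dst, info, proto="TCP"):
    """Render one frame in the layout the list post uses (used to build sample data)."""
    return f"Source {src}\nDestination {dst}\nProtocol {proto}\nInfo {info}\n\n"


# Constructed sample capture, not the poster's real one: one host showing the pattern
# from the thread, one ordinary host exchanging a SYN/SYN-ACK with the mail server.
SAMPLE_CAPTURE = "".join(
    [frame_text("10.0.0.135", "0.0.0.0", f"{33000 + i} > 0 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0")
     for i in range(60)]
    + [frame_text("10.0.0.135", f"10.0.0.{200 + i}", f"{4450 + i} > microsoft-ds [SYN] Seq=0 Len=0 MSS=1460")
       for i in range(6)]
    + [frame_text("10.0.0.135", "10.0.0.77", "4470 > 280 [SYN] Seq=0 Len=0 MSS=1460")]
    + [frame_text("10.0.0.50", "10.0.0.2", "1033 > smtp [SYN] Seq=0 Len=0 MSS=1460"),
       frame_text("10.0.0.2", "10.0.0.50", "smtp > 1033 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460")]
)

if __name__ == "__main__":
    for host, stats in summarize(SAMPLE_CAPTURE).items():
        print(host, stats)
    print("pull the full capture for:", suspicious_hosts(SAMPLE_CAPTURE))
```

Run the same script over the capture from the known-good workstation: if that host never appears in the summary while the slow one does, the difference is narrowed down to the flagged host's behaviour rather than to the firewall client.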
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx 


All mail to and from this domain is GFI-scanned.
