Tomás Mac Eoin wrote:
What is the difference between the Ethernet II source and the Internet
Protocol source?
The Ethernet II source is the Ethernet address of a machine on the
Ethernet segment on which you're capturing; that machine is the machine
that transmitted the packet on that Ethernet segment.
The Internet Protocol source is the IP address of the machine that
originally transmitted the packet; it is not necessarily the same
machine as the one that transmitted the packet on that Ethernet segment,
because the packet might have been routed to your network through one or
more routers - if so, the Ethernet II source of the packet would be the
Ethernet II address of the router that put the packet on your network.
I am seeing lots of TCP port 135 packets on our network.
Well, in theory, that should just be normal DCE/RPC (including Microsoft
RPC) "endpoint resolution" - but there are Windows viruses that attempt
to exploit a buffer overflow in some versions of Microsoft's MSRPC
endpoint resolver, such as the Blaster worm:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.c.worm.html
and the Welchia worm:
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html
so it *might* also be virus traffic.
However, the Ethernet II Src IP address is different from the Ethernet
Protocol Source address.
The Ethernet II Src address belongs to our network
If by "our network" you mean the complete network at your site (which
might have more than one Ethernet segment), it's probably not just your
network, but the particular segment of your network on which your packet
was transmitted, or a segment bridged to that segment; packets, when
routed by a network-layer protocol such as IP or IPX, don't keep the
same Ethernet source address (especially if they're routed to a
non-Ethernet network :-)).
while the
Ethernet Protocol src Address is from an external network.
If by "external network" you mean a network other than ICE
Communications' network, or a network for another department in ICE
Communications, that means that the packet was, in fact, routed (as I
suspected). If it's another department, tell them about it, and warn
them that they might have infected machines. If it's from outside ICE
Communications, somebody out there on the Internet has an infected
Windows machine (there are a *LOT* of infected Windows machines out
there in the world - and Blaster and Welchia are relatively "old news"
at this point) and has either found your IP address or is just randomly
trying IP addresses and happened to find yours.
The Destination address of both is the same and is located on our network.
The addresses can't possibly be the same, as Ethernet addresses are 6
octets while IPv4 addresses are 4 octets and IPv6 addresses are 16
octets; however, the names corresponding to the addresses could be the
same, as the hosts with those addresses could be the same, if you're
capturing on the network segment to which the destination host is
connected, as, if that's the case, no more routing is required, and the
router is transmitting the packet to its final destination.
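As an added example (not code from the original thread), the distinction the reply draws can be checked in a capture programmatically: parse one Ethernet II/IPv4/TCP frame, read the Ethernet source and the IP source separately, and tag a port 135 packet whose IP source lies outside the site while its Ethernet source is the local router. The router MAC, the site prefix and the frame bytes are constructed assumptions.

```python
import ipaddress
import struct

# Constructed sample values, not from the original thread: the router's MAC on the
# capture segment and the site's own IPv4 range.
GATEWAY_MAC = "00:11:22:33:44:55"
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")
EPMAP_PORT = 135  # DCE/RPC endpoint mapper, the port the question asks about

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def build_frame(eth_src, eth_dst, ip_src, ip_dst, sport, dport) -> bytes:
    """Build a minimal Ethernet II + IPv4 + TCP SYN frame (checksums left zero; not verified here)."""
    eth = bytes.fromhex(eth_dst.replace(":", "")) + bytes.fromhex(eth_src.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(ip_src).packed, ipaddress.ip_address(ip_dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return eth + ip + tcp

def parse_frame(frame: bytes) -> dict:
    """Pull the link-layer and network-layer addresses out of one captured frame."""
    if len(frame) < 34:
        raise ValueError("frame too short for Ethernet II + IPv4")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4 (ethertype 0x{ethertype:04x})")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4  # IPv4 header length in bytes, options included
    info = {"eth_dst": mac_str(frame[:6]), "eth_src": mac_str(frame[6:12]),
            "ip_src": str(ipaddress.ip_address(ip[12:16])),
            "ip_dst": str(ipaddress.ip_address(ip[16:20])), "proto": ip[9]}
    if ip[9] == 6 and len(ip) >= ihl + 4:  # TCP: the two ports follow the IP header
        info["tcp_sport"], info["tcp_dport"] = struct.unpack("!HH", ip[ihl:ihl + 4])
    return info

def classify(info: dict) -> str:
    """Did the router put this frame on the segment, and is it aimed at port 135?"""
    from_outside = ipaddress.ip_address(info["ip_src"]) not in LOCAL_NET
    if not from_outside:
        return "local"  # Ethernet source and IP source belong to the same sending host
    # Outside IP source: the Ethernet source should be the router, not the original sender.
    tag = "routed" if info["eth_src"] == GATEWAY_MAC else "routed-unknown-gateway"
    if info.get("tcp_dport") == EPMAP_PORT:
        tag += "-epmap"  # worth checking the sending network for infected hosts
    return tag
```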