Hi All,

It's been a while since I've followed this list, but I've checked the
archives and have only found things that I've already tried.

I've come across a problem that I'm trying to narrow down. Allow me to
explain:



We are supposed to have an Intrusion Protection System which, as part of
many things, blocks UDP/0 traffic.

However, inside our network I am seeing traffic that appears to come
from the outside, crossing our IPS, that has both source and destination
on port UDP/0. The tools with which I have seen this type of traffic are
matches on an IP access list with Cisco IOS and a Netflow collector
application.



However, when I attach a sniffer running Wireshark (both under Windows
and Linux) to a span (mirror) port on a Cisco switch where the
traffic should be going through to reach its destination (according to
the Netflow application), I don't appear to capture any of the traffic
that is being identified.



My monitor session configuration looks like:

monitor session 1 source interface Gi0/1
monitor session 1 destination interface Gi0/3 encapsulation replicate

I have also tried:

monitor session 1 source interface Gi0/1
monitor session 1 destination interface Gi0/3

Gi0/1 connects to the router from which Netflow data is being collected.
Gi0/3 is where Wireshark is connected.



With Wireshark I have tried the following capture filters (it's not
feasible to capture all the traffic on this port):

udp port 0
vlan and udp port 0



I just don't seem to see any of the traffic that is being reported by
the Netflow collector or the Cisco IOS access-list matches; they appear
as follows:

Extended IP access list 101 (Compiled)
    5 permit udp any any eq 0 (18422 matches)



I realise that, as it is UDP traffic, it is possible that the traffic
is spoofed and one might think that it could be coming from a different
interface, but Netflow records the ingress and egress ports of the
traffic and I should be seeing something in Wireshark... but I am not...
:-(

Does anyone have any ideas?

My apologies for not lurking longer on the list before posting.



Giles
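One check worth doing before blaming the SPAN or the IPS: a flow exporter or ACL counter that sees a non-initial IP fragment has no UDP header to read, so it records the flow with ports 0/0, whereas libpcap's `udp port 0` only tests packets whose fragment offset is 0 and never matches those fragments. The Python below is an added example, not from the original post, that models both views on a constructed fragmented datagram (addresses, MTU and payload are assumed values) and shows the `ip[6:2] & 0x1fff != 0` filter that would reveal the fragments.

```python
import struct

UDP = 17


def build_udp_fragments(src, dst, sport, dport, payload, mtu=576):
    """Raw IPv4 fragments an IP stack would emit for one UDP datagram (constructed)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    chunk = (mtu - 20) // 8 * 8            # fragment data must be a multiple of 8
    frags = []
    for off in range(0, len(udp), chunk):
        piece = udp[off:off + chunk]
        more = off + chunk < len(udp)
        flags_off = (0x2000 if more else 0) | (off // 8)   # MF flag + offset/8
        # IP header checksum left at 0: this is a parsing demo, not a sender.
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(piece), 0x1234,
                          flags_off, 64, UDP, 0, src, dst)
        frags.append(hdr + piece)
    return frags


def frag_offset(pkt):
    return struct.unpack("!H", pkt[6:8])[0] & 0x1FFF


def exporter_flow_key(pkt):
    """How a NetFlow-style exporter or ACL classifies a packet: L4 ports are
    readable only in the first fragment; later fragments are keyed as 0/0."""
    if frag_offset(pkt) != 0 or pkt[9] != UDP:
        return pkt[9], 0, 0
    sport, dport = struct.unpack("!HH", pkt[20:24])
    return UDP, sport, dport


def bpf_udp_port_0(pkt):
    """What the capture filter 'udp port 0' actually tests: BPF only looks at
    the port fields when the fragment offset is 0."""
    if pkt[9] != UDP or frag_offset(pkt) != 0:
        return False
    sport, dport = struct.unpack("!HH", pkt[20:24])
    return sport == 0 or dport == 0


def bpf_non_initial_fragment(pkt):
    """Capture filter 'ip[6:2] & 0x1fff != 0': matches the fragments above."""
    return frag_offset(pkt) != 0


def compare(frags):
    """(fragments the exporter reports as port 0/0, matched by 'udp port 0',
    matched by the non-initial-fragment filter)."""
    reported = sum(1 for p in frags if exporter_flow_key(p)[1:] == (0, 0))
    seen_port0 = sum(1 for p in frags if bpf_udp_port_0(p))
    seen_frag = sum(1 for p in frags if bpf_non_initial_fragment(p))
    return reported, seen_port0, seen_frag
```

Running `compare` on a 1400-byte datagram split at a 576-byte MTU gives two fragments that the exporter keys as 0/0, zero hits for `udp port 0`, and two hits for the fragment filter, which is the pattern in the post.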

_______________________________________________
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
