Weird packets on Sonicwall

Posted on 2011-03-20
Last Modified: 2012-05-11
I see some weird Ethernet packets on my packet monitor in the SonicWall.

Ethernet Header
 Ether Type: 0x32(0x32), Src=[00:1e:f6:c2:1b:15], Dst=[01:00:0c:cc:cc:cd]
Ethernet Type: Unknown
Value:[0]
DROPPED, Drop Code: 1, Module Id: 17, (Ref.Id: _2101_kprwvJqqm) 1:1)

Does anybody have an idea where this could be coming from?
Question by:socom1985
4 Comments
 
Expert Comment

by:Greg Hejl
ID: 35175355
Find out what devices belong to the MAC addresses.

Also search the SonicWall site for the drop code table for your firmware version (do not use tables from other firmware versions).

Ether Type 0x32 appears to be an IPSec ESP packet - SW should recognize ESP unless it is a malformed packet...

http://en.wikipedia.org/wiki/List_of_IP_protocol_numbers 

Accepted Solution

by:rfc1180 (earned 2000 total points)
ID: 35176247
IP protocols are not at layer 2, but layer 3, so the EtherType will never be 0x32.

Well, what you are seeing is layer 2 traffic, and you should NOT see 0x32 in the EtherType; typical values will be ARP and IP (0x0806, 0x0800).

Ether Type: 0x32(0x32), Src=[00:1e:f6:c2:1b:15], Dst=[01:00:0c:cc:cc:cd]
Ethernet Type: Unknown
Value:[0]

The reason you are seeing 'Unknown' is that there is no EtherType of 0x32:
http://www.cavebear.com/archive/cavebear/Ethernet/type.html

The fact that the destination MAC is 01:00:0c:cc:cc:cd and that the EtherType is 0x32 means either a host is crafting packets with this information or you are running into some type of bug on the firewall or something else in the path between the host and firewall; additionally, as already stated, the malformed packet is from a hardware issue from a device in the path.

If the MAC is not being spoofed, you will need to log into your switches and locate which switchport the MAC is located on:
00:1e:f6:c2:1b:15

Billy
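
An added example (not part of the thread or the posters' own code): IEEE 802.3 treats the two bytes after the source MAC as a payload length when the value is 1500 or less and as an EtherType only from 0x0600 up, which is why no EtherType 0x32 exists. The sketch classifies a raw frame on that rule; the function names, the small Cisco multicast table (general knowledge) and the payload bytes are assumptions, and only the header values come from the question.

```python
import struct

# IEEE 802.3: the 2-byte field after the source MAC is a payload length when
# <= 0x05DC (1500) and an EtherType only when >= 0x0600 (1536).
MAX_LENGTH, MIN_ETHERTYPE = 0x05DC, 0x0600
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP"}  # the two values named in the answer
# Well-known Cisco multicast destinations (general knowledge, not from the thread).
CISCO_MCAST = {
    "01:00:0c:cc:cc:cc": "CDP/VTP/DTP/PAgP/UDLD",
    "01:00:0c:cc:cc:cd": "PVST+ (SSTP) BPDUs",
}

def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def classify_frame(frame):
    """Decide whether bytes 12-13 of a raw frame are a length or an EtherType."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = fmt_mac(frame[0:6]), fmt_mac(frame[6:12])
    (field,) = struct.unpack("!H", frame[12:14])
    info = {"dst": dst, "src": src, "field": field, "dst_note": CISCO_MCAST.get(dst)}
    payload = frame[14:]
    if field >= MIN_ETHERTYPE:
        info["kind"] = "ethertype"
        info["detail"] = ETHERTYPES.get(field, "EtherType not in local table")
    elif field > MAX_LENGTH:
        info["kind"] = "undefined"  # 0x05DD-0x05FF is neither length nor type
        info["detail"] = "neither a valid length nor an EtherType"
    else:
        info["kind"] = "802.3 length"
        # An 802.3 frame carries an LLC header; SNAP is DSAP=SSAP=0xAA, control=0x03,
        # followed by a 3-byte OUI and a 2-byte protocol ID.
        if len(payload) >= 8 and payload[:3] == b"\xaa\xaa\x03":
            pid = struct.unpack("!H", payload[6:8])[0]
            info["detail"] = f"LLC/SNAP oui={payload[3:6].hex()} pid=0x{pid:04x}"
        elif len(payload) >= 2:
            info["detail"] = f"LLC dsap=0x{payload[0]:02x} ssap=0x{payload[1]:02x}"
        else:
            info["detail"] = "no LLC header captured"
    return info

# Header values are the ones in the question; the payload is constructed for illustration.
HEADER = bytes.fromhex("01000ccccccd" "001ef6c21b15" "0032")
SAMPLE = HEADER + bytes.fromhex("aaaa0300000c010b") + bytes(42)
ARP = bytes.fromhex("ffffffffffff" "001ef6c21b15" "0806") + bytes(28)  # constructed
if __name__ == "__main__":
    for name, frame in (("question frame", SAMPLE), ("ARP", ARP)):
        print(name, classify_frame(frame))
```

Run against a full capture export rather than the header summary, the same check shows whether a frame reported as "Unknown" is a length-encoded 802.3 frame or something that fits neither range.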

Expert Comment

by:Qlemo
ID: 35406654
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.