Weird packets on SonicWall

Posted on 2011-03-20
Last Modified: 2012-05-11
I see some weird Ethernet packets on my packet monitor in the SonicWall.

Ethernet Header
 Ether Type: 0x32(0x32), Src=[00:1e:f6:c2:1b:15], Dst=[01:00:0c:cc:cc:cd]
Ethernet Type: Unknown
Value:[0]
DROPPED, Drop Code: 1, Module Id: 17, (Ref.Id: _2101_kprwvJqqm) 1:1)

Does anybody have an idea where this could be coming from?
Question by:socom1985
Expert Comment

by:Greg Hejl
ID: 35175355
Find out what devices belong to the MAC addresses.

Also search the SonicWall site for the drop code table for your firmware version (do not use tables from other firmware versions).

Ether Type 0x32 appears to be an IPSec ESP packet - SW should recognize ESP unless it is a malformed packet...

http://en.wikipedia.org/wiki/List_of_IP_protocol_numbers 
Accepted Solution

by:
rfc1180 earned 2000 total points
ID: 35176247
IP Protocols are not at layer 2, but layer 3, so the EtherType will never be 0x32

Well, what you are seeing is layer 2 traffic and you should NOT see 0x32 in the EtherType; typical values will be ARP and IP (0x0806, 0x0800).

Ether Type: 0x32(0x32), Src=[00:1e:f6:c2:1b:15], Dst=[01:00:0c:cc:cc:cd]
Ethernet Type: Unknown
Value:[0]

The reason you are seeing 'Unknown' is that there is no EtherType of 0x32:
http://www.cavebear.com/archive/cavebear/Ethernet/type.html

The fact that the destination MAC is 01:00:0c:cc:cc:cd and that the EtherType is 0x32 means either a host is crafting packets with this information or you are running into some type of bug on the firewall or something else in the path between the host and firewall; additionally, as already stated, the malformed packet is from a hardware issue from a device in the path.

If the MAC is not being spoofed, you will need to log into your switches and locate which switchport the MAC is located on:
00:1e:f6:c2:1b:15

Billy
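
The layer-2 point from the answer above, extended as an added example (not code from this thread or from SonicWall): in IEEE 802.3 the two-byte field after the MAC addresses is an EtherType only when it is 0x0600 or higher and a payload length when it is 1500 or lower, so 0x32 decodes as a length of 50. The first header is rebuilt from the values in the question; the group-address table and the ARP contrast frame are assumptions added for illustration.

```python
import struct

# EtherTypes named in the answer above.
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP"}
# Well-known group (multicast) destinations; a short illustrative table, not exhaustive.
KNOWN_GROUPS = {
    "01:00:0c:cc:cc:cc": "Cisco CDP/VTP/DTP/PAgP/UDLD",
    "01:00:0c:cc:cc:cd": "Cisco PVST+ (SSTP)",
    "01:80:c2:00:00:00": "IEEE 802.1D spanning tree",
}

def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def classify_header(frame: bytes) -> dict:
    """Decode the 14-byte Ethernet header and classify its type/length field."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, field = struct.unpack("!6s6sH", frame[:14])
    if field <= 1500:
        kind, name = "802.3 length", f"{field} payload bytes"  # LLC header follows
    elif field >= 0x0600:
        kind, name = "EtherType", ETHERTYPES.get(field, "not in local table")
    else:
        kind, name = "undefined", "invalid"  # 1501..1535 is neither
    return {
        "dst": fmt_mac(dst),
        "src": fmt_mac(src),
        "field": f"0x{field:04x}",
        "kind": kind,
        "name": name,
        "dst_is_group": bool(dst[0] & 0x01),              # I/G bit of first octet
        "src_locally_administered": bool(src[0] & 0x02),  # U/L bit of first octet
        "dst_known_as": KNOWN_GROUPS.get(fmt_mac(dst)),
    }

# Header bytes rebuilt from the question's packet-monitor output.
QUESTION_HEADER = bytes.fromhex("01000ccccccd" "001ef6c21b15" "0032")
# Constructed contrast case: broadcast ARP from the same source MAC.
ARP_HEADER = bytes.fromhex("ffffffffffff" "001ef6c21b15" "0806")

if __name__ == "__main__":
    for hdr in (QUESTION_HEADER, ARP_HEADER):
        print(classify_header(hdr))
```

A frame that classifies as an 802.3 length with a known group destination is consistent with switch control traffic reaching the firewall port; tracing the source MAC to its switchport, as the answer says, identifies the sender.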
Expert Comment

by:Qlemo
ID: 35406654
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.