Solved

Wierd packets on Sonicwall

Posted on 2011-03-20
4
6,044 Views
Last Modified: 2012-05-11
I see some wierd ethernet packets on my packet monitor in the sonicwall..

Ethernet Header
 Ether Type: 0x32(0x32), Src=[00:1e:f6:c2:1b:15], Dst=[01:00:0c:cc:cc:cd]
Ethernet Type: Unknown
Value:[0]
DROPPED, Drop Code: 1, Module Id: 17, (Ref.Id: _2101_kprwvJqqm) 1:1)

Anybody an idea where this could be comming from?
0
Comment
Question by:socom1985
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 13

Expert Comment

by:Greg Hejl
ID: 35175355
find out what devices belong to the MAC addresses

also search Sonicwall site for drop code table for your firmware version - (do not use tables from other firmware versions)

Ether Type 0x32 appears to be IPSec ESP packet - SW should recognize ESP unless it is a malformed packet...

http://en.wikipedia.org/wiki/List_of_IP_protocol_numbers 
0
 
LVL 24

Accepted Solution

by:
rfc1180 earned 500 total points
ID: 35176247
IP Protocols are not at layer 2, but layer 3, so the EtherType will never be 0x32

Well, what you are seeing is layer 2 traffic and you should NOT see 0x32 in the EtherType, typical values will be ARP and IP (0x0806, 0x0800)

Ether Type: 0x32(0x32), Src=[00:1e:f6:c2:1b:15], Dst=[01:00:0c:cc:cc:cd]
Ethernet Type: Unknown
Value:[0]

The reason you are seeing 'Unknown' is that there is no EtherType of 0x32:
http://www.cavebear.com/archive/cavebear/Ethernet/type.html

The fact that the destination MAC is 01:00:0c:cc:cc:cd and that the EtherType is 0x32 is a host is crafting packets with this information or you are running into some time of bug on the firewall or something else in the path between the host and firewall; additionally, as already stated, the malformed packet is from a hardware issue from a device in path.

If the MAC is not being spoofed, you will need to log into your switches and locate which switchport the mac is located on:
00:1e:f6:c2:1b:15

Billy
0
 
LVL 69

Expert Comment

by:Qlemo
ID: 35406654
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
If your business is like most, chances are you still need to maintain a fax infrastructure for your staff. It’s hard to believe that a communication technology that was thriving in the mid-80s could still be an essential part of your team’s modern I…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question