What about tcpdump?

    tcpdump icmp or tcp dst port 135

or

    tcpdump -w welcia.cap icmp or tcp dst port 135

That should work. If not, let us know.

Leonard

>>> "Bert Wilder Jr." <bertwilder@xxxxxxxxx> 01/08/04 09:17AM >>>
I'm trying to find Welchia on our network... I have recently downloaded the Ethereal software and am scanning for:

    tcp port 135 and host x.x.x.x

(The host being a new computer on the network that doesn't have the patch installed.) Theoretically, I can use this filter and wait for this computer to get the Welchia virus... At that point, after running the Welchia removal tool and verifying that the machine did in fact get Welchia, I can check the sniffer and see what IP addresses on our network were communicating with TCP port 135 on this machine.

Well, this doesn't appear to be working... I have been sniffing the network and this machine using filters like "icmp and host x.x.x.x", "tcp port 135" and so forth... The machine is getting infected with Welchia, but no information is given from Ethereal... I guess I could just scan the entire network traffic with no filter, but that would be painstaking to go back through all of the communication and look for that machine... Anybody have any ideas?

We have patched every machine on the network as well as running the removal tool, I believe... We also have the Symantec Corporate Antivirus on all the machines as well... There is probably one machine out there that is getting infected that we missed...

Thanks in advance for any support you can give... Thanks!

Bert
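Once a capture like the one discussed above exists, the useful follow-up is to pull out which sources first pinged the unpatched host and then connected to its TCP port 135. The script below is an added example, not code from the thread; it parses constructed `tcpdump -nn` text output (the victim address, source addresses and timestamps are made up) and assumes the capture host actually sees the victim's traffic, e.g. via a mirror port on a switched network.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -nn` text output; not a real capture.
SAMPLE = """\
09:17:01.100 IP 10.0.0.5 > 10.0.0.20: ICMP echo request, id 512, seq 1, length 72
09:17:01.101 IP 10.0.0.20 > 10.0.0.5: ICMP echo reply, id 512, seq 1, length 72
09:17:01.300 IP 10.0.0.5.1038 > 10.0.0.20.135: Flags [S], seq 1, win 65535, length 0
09:17:02.000 IP 10.0.0.9.2000 > 10.0.0.20.135: Flags [S], seq 2, win 65535, length 0
09:17:03.000 IP 10.0.0.7 > 10.0.0.20: ICMP echo request, id 1, seq 1, length 64
"""

# ICMP echo request line: "<time> IP <src> > <dst>: ICMP echo request, ..."
ICMP_RE = re.compile(r"^\S+ IP (\S+) > (\S+): ICMP echo request")
# TCP SYN line: "<time> IP <src>.<sport> > <dst>.<dport>: Flags [S], ..."
SYN_RE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[S\]")


def classify(lines, victim):
    """Map each source IP to the stages it performed against `victim`.

    Stages: 'icmp' (echo request), 'tcp135' (SYN to port 135) and
    'icmp_then_135' when the SYN arrived after an echo request from
    the same source, i.e. ping sweep followed by an RPC connection.
    """
    stages = defaultdict(set)
    for line in lines:
        m = ICMP_RE.match(line)
        if m and m.group(2) == victim:
            stages[m.group(1)].add("icmp")
            continue
        m = SYN_RE.match(line)
        if m and m.group(3) == victim and m.group(4) == "135":
            src = m.group(1)
            if "icmp" in stages[src]:
                stages[src].add("icmp_then_135")
            stages[src].add("tcp135")
    return dict(stages)


def suspect_sources(lines, victim):
    """Sources showing the ping-then-port-135 pattern, sorted for reporting."""
    return sorted(ip for ip, s in classify(lines, victim).items()
                  if "icmp_then_135" in s)


if __name__ == "__main__":
    print(suspect_sources(SAMPLE.splitlines(), "10.0.0.20"))
```

Run it over real output with `tcpdump -nn -r welcia.cap | python3 find_scanners.py`-style piping once you replace SAMPLE with `sys.stdin`; a source that only pings, or only connects to 135, is reported in the stage map but not as a suspect.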