> >>> "Bert Wilder Jr." <bertwilder@xxxxxxxxx> 01/08/04 09:17AM >>>
> I'm trying to find Welchia on our network... I have recently downloaded
> the Ethereal software and am scanning for: tcp port 135 and host x.x.x.x
> (the host being a new computer on the network that doesn't have the
> patch installed). Theoretically, I can use this filter and wait for this
> computer to get the Welchia virus... At that point, after running the
> Welchia removal tool and verifying that the machine did in fact get
> Welchia, I can check the sniffer and see what IP addresses on our
> network were communicating with tcp port 135 on this machine. Well,
> this doesn't appear to be working... I have been sniffing the network
> and this machine using filters like: icmp and host x.x.x.x, tcp port 135
> and so forth... The machine is getting infected with Welchia, but no
> information is given from Ethereal... I guess I could just scan the
> entire network traffic with no filter, but that would be painstaking to
> go back through all of the communication and look for that machine...
> Anybody have any ideas? We have patched every machine on the network as
> well as running the removal tool, I believe... We also have the Symantec
> Corporate Antivirus on all the machines as well... There is probably one
> machine out there that is getting infected that we missed... Thanks in
> advance for any support you can give... Thanks!

Running Ethereal on the machine that gets infected is probably a good idea.
Then you don't need to run in promiscuous mode, and the traffic throughput
will be much smaller.

-- 
Richard Urwin, Software Design Engineer
Schenck Test Automation
Braemar Court, 1311b Melton Road, Syston, UK.
rurwin@xxxxxxxxxxxxxx
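The step the original poster wanted to do once a capture exists (work out which addresses contacted TCP/135 on the vulnerable host, and which ones pinged it first, since the poster was also filtering on icmp) can be scripted rather than paged through in Ethereal. The following is an added example, not code from the thread or from the Ethereal project: it reads a classic libpcap file such as Ethereal or tcpdump would write when run on the victim itself, as the reply suggests, and lists every remote source that sent the victim an ICMP echo request or a TCP SYN to port 135, earliest first. The capture is constructed inline so it runs offline; the addresses (192.0.2.0/24, with 192.0.2.10 standing in for the post's x.x.x.x) and the timestamps are placeholders.

```python
"""List remote hosts that probed (ICMP echo) or connected to TCP/135 on the victim.

Added example: the pcap is built inline from constructed frames; VICTIM stands
in for the x.x.x.x of the original post.
"""
import struct

VICTIM = "192.0.2.10"      # assumption: the unpatched machine the capture was taken on
RPC_EPMAP_PORT = 135       # the TCP port the poster was filtering on

# ---- constructing a small sample capture (not a real one) ----

def _ip(addr):
    return bytes(int(o) for o in addr.split("."))

def _ether(payload):
    # 6-byte dst MAC, 6-byte src MAC, EtherType 0x0800 (IPv4); MACs do not matter here
    return b"\x00" * 12 + b"\x08\x00" + payload

def _ipv4(src, dst, proto, payload):
    # 20-byte header, no options; checksum left zero (the reader does not verify it)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      _ip(src), _ip(dst))
    return hdr + payload

def _tcp(sport, dport, flags):
    # 20-byte header (data offset 5 words), no payload
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)

def _icmp(icmp_type):
    # type, code, checksum, identifier, sequence, plus padding
    return struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + b"\x00" * 32

def build_pcap(frames):
    # classic libpcap file: magic, version 2.4, tz 0, sigfigs 0, snaplen, linktype 1 (Ethernet)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in frames:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

SYN, SYN_ACK = 0x02, 0x12

SAMPLE_PCAP = build_pcap([
    (1000, _ether(_ipv4("192.0.2.77", VICTIM, 1, _icmp(8)))),                  # echo request: the probe
    (1000, _ether(_ipv4(VICTIM, "192.0.2.77", 1, _icmp(0)))),                  # victim's reply: ignored
    (1002, _ether(_ipv4("192.0.2.77", VICTIM, 6, _tcp(1040, 135, SYN)))),      # same host opens TCP/135
    (1002, _ether(_ipv4(VICTIM, "192.0.2.77", 6, _tcp(135, 1040, SYN_ACK)))),  # victim answers: ignored
    (1050, _ether(_ipv4("192.0.2.5", VICTIM, 6, _tcp(3200, 445, SYN)))),       # SMB, not port 135: ignored
    (1100, _ether(_ipv4("192.0.2.99", VICTIM, 6, _tcp(2020, 135, SYN)))),      # a second host hitting TCP/135
])

# ---- reading a capture back ----

def iter_packets(pcap):
    """Yield (timestamp, frame) for each record of a little-endian classic pcap."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap (pcapng/big-endian not handled)")
    if struct.unpack_from("<I", pcap, 20)[0] != 1:
        raise ValueError("only Ethernet link type handled")
    off = 24
    while off + 16 <= len(pcap):
        ts, _usec, incl, _orig = struct.unpack_from("<IIII", pcap, off)
        off += 16
        yield ts, pcap[off:off + incl]
        off += incl

def contacts_to_victim(pcap, victim=VICTIM):
    """Map source IP -> {'first_seen': ts, 'kinds': set()} for ICMP echo requests
    and TCP SYNs (no ACK, i.e. new connection attempts) to port 135 aimed at victim."""
    seen = {}
    for ts, frame in iter_packets(pcap):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                       # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        if dst != victim:
            continue                                       # only traffic into the victim
        l4 = frame[14 + ihl:]
        kind = None
        if proto == 1 and len(l4) >= 1 and l4[0] == 8:
            kind = "icmp-echo-request"
        elif proto == 6 and len(l4) >= 14:
            dport = struct.unpack_from("!H", l4, 2)[0]
            flags = l4[13]
            if dport == RPC_EPMAP_PORT and flags & 0x02 and not flags & 0x10:
                kind = "tcp135-syn"
        if kind is None:
            continue
        entry = seen.setdefault(src, {"first_seen": ts, "kinds": set()})   # keeps earliest ts
        entry["kinds"].add(kind)
    return seen

def report(pcap, victim=VICTIM):
    """One line per remote host, earliest contact first."""
    rows = sorted(contacts_to_victim(pcap, victim).items(), key=lambda kv: kv[1]["first_seen"])
    return ["%s  t=%d  %s" % (src, e["first_seen"], ",".join(sorted(e["kinds"])))
            for src, e in rows]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_PCAP)))
```

To use it on a real capture, record on the vulnerable host with the same filter the poster used (for example `tcpdump -w victim.pcap 'host x.x.x.x and (tcp port 135 or icmp)'`, or Ethereal's capture dialog with that filter, saved in libpcap format), read the file into `contacts_to_victim`, and the first address in the report is the machine to go and look at. The script deliberately ignores the victim's own replies and SYNs to other ports, which is why a filter-free capture of the whole segment is not needed.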