I finally got
simplistic network monitor/dumping program, working under Linux kernels
higher than 2.2. I wrote it a few years ago, both as an educational
experience, and as a tool to see what activity existed on the network at
work. I like it better than
because it shows the traffic in real time with a concise summary:
S:02608CD87517 D:0014BF4DECE5 ARP A:request ETH:IPv4 10.0.0.1 10.0.0.160 S:0014BF4DECE5 D:02608CD87517 ARP A:reply ETH:IPv4 10.0.0.160 10.0.0.1 S:02608CD87517 D:000D935D6D86 ARP A:request ETH:IPv4 10.0.0.1 10.0.0.13 S:000D935D6D86 D:02608CD87517 ARP A:reply ETH:IPv4 10.0.0.13 10.0.0.1 S:0040332E103C D:02608CD87517 IPv4 S:10.0.0.3 D:10.0.0.1 UDP S:NTP D:NTP 62 S:02608CD87517 D:0040332E103C IPv4 S:10.0.0.1 D:10.0.0.3 UDP S:NTP D:NTP 62 S:0014BF4DECE5 D:02608CD87517 IPv4 S:10.0.0.160 D:220.127.116.11 UDP S:(10000) D:(10000) S:02608CD87517 D:0014BF4DECE5 IPv4 S:18.104.22.168 D:10.0.0.160 UDP S:(10000) D:(10000) S:0040332E103C D:000D935D6D86 ARP A:request ETH:IPv4 10.0.0.3 10.0.0.13 S:000D935D6D86 D:0040332E103C ARP A:reply ETH:IPv4 10.0.0.13 10.0.0.3 S:000D935D6D86 D:0040332E103C IPv4 S:10.0.0.13 D:10.0.0.3 TCP AP S:(52643) D:SSH 58 S:0040332E103C D:000D935D6D86 IPv4 S:10.0.0.3 D:10.0.0.13 TCP A S:SSH D:(52643) 10 S:000D935D6D86 D:0040332E103C IPv4 S:10.0.0.13 D:10.0.0.3 TCP AP S:(52643) D:SSH 58
That's the output from my home network for a few seconds of activity. I find it interesting to see the traffic that floats across the network, and I've already found some interesting stuff at work—like the Cisco router one of our customers is running (he forgot to turn off the Cisco Discovery Protocol, and it's leaking out onto our network), or the ICMP router discovery packets (again, from said customer), IGMP packets (from yet a different customer with a talkative router), the Spanning Tree Protocol the various switches use to communicate, and then there's the weird stuff.
S:00E0B0641863 D:00E0B0641863 (9000) 60
And then there's:
S:00E0B0641862 D:AB0000020000 DNARC 63
I have this as the “DEC DNA Remote console,” but as far as I know, we have no DEC equipment anywhere on our network. And from the looks of it, both alien packets derive from the same (or similar) equipment, but the really odd thing about this (as if things weren't weird enough) is that I can't reconcile the locations I saw these two packets—different segments of our network (i.e. the network segment I saw the first wierd packet is physically disjointed from the network segment I saw the second weird packet).
I wonder …
Did I perhaps discover the mysterious Halloween Packets?
What was that noise?
It came from the wiring closet—
Excuse me while I go check it out.