Hi, I am new to network security issues, and my small office network is experiencing weird Ethernet transmissions. The network is connected to the internet via switches using an ADSL line. When I use Ethereal (great utility from www.ethereal.com) to capture the packets, it shows that every 2 seconds a network device with MAC address 00:c0:a8:86:5f:0f, produced by GVC Corporation, sends an STP data transmission (Spanning Tree for Bridges). Here are the captured packets:
No. Time Source Destination Protocol Info
12 0.491887 Gvc_86:5f:0f Spanning-tree-(for-bridges)_00 STP Conf. Root = 0/00:80:00:00:80:2d Cost = -1610358528 Port = 0xa003
43 2.505874 Gvc_86:5f:0f Spanning-tree-(for-bridges)_00 STP Conf. Root = 0/00:80:00:00:80:2d Cost = -1610358528 Port = 0xa003
74 4.504940 Gvc_86:5f:0f Spanning-tree-(for-bridges)_00 STP Conf. Root = 0/00:80:00:00:80:2d Cost = -1610358528 Port = 0xa003
105 6.507658 Gvc_86:5f:0f Spanning-tree-(for-bridges)_00 STP Conf. Root = 0/00:80:00:00:80:2d Cost = -1610358528 Port = 0xa003
136 8.435222 Gvc_86:5f:0f Spanning-tree-(for-bridges)_00 STP Conf. Root = 0/00:80:00:00:80:2d Cost = -1610358528 Port = 0xa003
167 10.439153 Gvc_86:5f:0f Spanning-tree-(for-bridges)_00 STP Conf. Root = 0/00:80:00:00:80:2d Cost = -1610358528 Port = 0xa003
198 12.529418 Gvc_86:5f:0f Spanning-tree-(for-bridges)_00 STP Conf. Root = 0/00:80:00:00:80:2d Cost = -1610358528 Port = 0xa003
229 14.541859 Gvc_86:5f:0f Spanning-tree-(for-bridges)_00 STP Conf. Root = 0/00:80:00:00:80:2d Cost = -1610358528 Port = 0xa003
And in every interval between two of those frames (2+ second intervals), there were packets of an unknown Ethernet protocol (0xFFE2).
No. Time Source Destination Protocol Info
1 0.000000 C-Com_02:01:a4 C-Com_05:00:9a 0xffe2 Ethernet II
2 0.026501 C-Com_02:01:a4 C-Com_05:00:9a 0xffe2 Ethernet II
3 0.130831 C-Com_02:03:b5 C-Com_05:00:9a 0xffe2 Ethernet II
4 0.152233 C-Com_02:03:b5 C-Com_05:00:9a 0xffe2 Ethernet II
5 0.226649 C-Com_02:03:b5 C-Com_05:00:9a 0xffe2 Ethernet II
6 0.322955 C-Com_02:01:95 C-Com_05:00:9a 0xffe2 Ethernet II
7 0.350921 C-Com_02:01:95 C-Com_05:00:9a 0xffe2 Ethernet II
8 0.377430 C-Com_02:01:95 C-Com_05:00:9a 0xffe2 Ethernet II
9 0.521892 C-Com_02:01:b8 C-Com_05:00:9a 0xffe2 Ethernet II
10 0.543282 C-Com_02:01:b8 C-Com_05:00:9a 0xffe2 Ethernet II
11 0.569788 C-Com_02:01:b8 C-Com_05:00:9a 0xffe2 Ethernet II
12 0.610892 C-Com_02:01:66 C-Com_05:00:9a 0xffe2 Ethernet II
13 0.632290 C-Com_02:01:66 C-Com_05:00:9a 0xffe2 Ethernet II
Could someone please shed some light on this issue? Thank you very much.
Spanning Tree Protocol (802.1D and 802.1w) is used by switches to prevent routing loops on networks with more than one path between segments. What you are seeing is a switch sending out its current STP knowledge to other switches that are running STP. The protocol determines which of the various switches on a network will disable their ports in order to prevent routing loops. The default STP "ping" rate is every two seconds.
As for your second set of captures, please post a complete packet capture (including the Ethernet frame headers) from one or two of the packets. The 0xFFE2 is not a registered Ethernet "type." Maybe by looking at the contents we can figure out what it is?
-MoleRat
Just a small correction though... STP is used to prevent SWITCHING loops... not ROUTING loops... that would be Split Horizon for routing loops... and the ports are not disabled, they are put in either forwarding or blocking state, but the interfaces are still up... ;)
Hi, MoleRat, Uneek, thanks for your replies. The unknown packets were sent repeatedly in three lengths: 596 bytes, 724 bytes, and 1172 bytes. These packets came from 6 devices to 1 device simultaneously; within 1 minute almost 1 MB was captured. Here are the sample packets. Is it some kind of attack?
No. Time Source Destination Protocol Info
467 30.509368 C-Com_02:03:b5 C-Com_05:00:9a 0xffe2 Ethernet II
Frame 467 (596 bytes on wire, 596 bytes captured)
Arrival Time: Feb 17, 2005 06:45:29.407635000
Time delta from previous packet: 0.021643000 seconds
Time since reference or first frame: 30.509368000 seconds
Frame Number: 467
Packet Length: 596 bytes
Capture Length: 596 bytes
Ethernet II, Src: 00:01:eb:02:03:b5, Dst: 00:01:eb:05:00:9a
Destination: 00:01:eb:05:00:9a (C-Com_05:00:9a)
Source: 00:01:eb:02:03:b5 (C-Com_02:03:b5)
Type: Unknown (0xffe2)
Data (582 bytes)
0000 00 01 eb 05 00 9a 00 01 eb 02 03 b5 ff e2 44 02 ..............D.
0010 00 00 06 10 c4 00 01 00 52 ac 36 04 52 ac 36 04 ........R.6.R.6.
0020 00 00 00 00 91 00 00 00 52 ac 36 04 52 ac 36 04 ........R.6.R.6.
0030 01 00 00 00 00 00 00 00 c6 00 02 00 0f c0 27 02 ..............'.
0040 0f c0 27 02 00 00 00 00 93 0a 00 00 0f c0 27 02 ..'...........'.
0050 0f c0 27 02 04 00 00 00 04 00 00 00 00 00 03 00 ..'.............
0060 0e cc 36 04 0e cc 36 04 00 00 00 00 02 00 00 00 ..6...6.........
0070 0e cc 36 04 0e cc 36 04 00 00 00 00 00 00 00 00 ..6...6.........
0080 63 ed 04 00 81 09 08 01 81 09 08 01 00 00 00 00 c...............
0090 19 26 00 00 81 09 08 01 81 09 08 01 12 00 00 00 .&..............
00a0 1c 00 00 00 00 00 05 00 35 23 25 00 35 23 25 00 ........5#%.5#%.
00b0 00 00 00 00 ce 0a 00 00 35 23 25 00 35 23 25 00 ........5#%.5#%.
00c0 03 00 00 00 05 00 00 00 3d 00 06 00 4d ce b9 00 ........=...M...
00d0 4d ce b9 00 00 00 00 00 0f 05 00 00 4d ce b9 00 M...........M...
00e0 4d ce b9 00 04 00 00 00 02 00 00 00 00 00 07 00 M...............
00f0 a4 1f f5 02 a4 1f f5 02 00 00 00 00 21 14 00 00 ............!...
0100 a4 1f f5 02 a4 1f f5 02 06 00 00 00 08 00 00 00 ................
0110 70 cf 08 00 e3 26 55 00 67 07 55 00 4c 4f 00 00 p....&U.g.U.LO..
0120 79 08 00 00 67 07 55 00 e3 26 55 00 06 00 00 00 y...g.U..&U.....
0130 07 00 00 00 00 00 09 00 5f 9a 02 00 5f 9a 02 00 ........_..._...
0140 00 00 00 00 8b 01 00 00 5f 9a 02 00 5f 9a 02 00 ........_..._...
0150 01 00 00 00 0f 02 00 00 9f a7 0a 00 27 58 27 01 ............'X'.
0160 27 58 27 01 00 00 00 00 7c 0e 00 00 27 58 27 01 'X'.....|...'X'.
0170 27 58 27 01 09 00 00 00 bb 00 00 00 0e 00 0b 00 'X'.............
0180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01a0 de 23 0c 00 d4 d6 5c 00 d4 d6 5c 00 00 00 00 00 .#....\...\.....
01b0 6b 01 00 00 d4 d6 5c 00 d4 d6 5c 00 00 00 00 00 k.....\...\.....
01c0 00 00 00 00 00 00 0d 00 00 00 00 00 00 00 00 00 ................
01d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01e0 00 00 00 00 00 00 00 00 d6 72 0e 00 9a 7b 9c 00 .........r...{..
01f0 9a 7b 9c 00 00 00 00 00 ce 0c 00 00 9a 7b 9c 00 .{...........{..
0200 9a 7b 9c 00 0a 00 00 00 05 00 00 00 6b 22 0f 00 .{..........k"..
0210 9a f9 7c 00 9a f9 7c 00 00 00 00 00 90 00 00 00 ..|...|.........
0220 9a f9 7c 00 9a f9 7c 00 00 00 00 00 00 00 00 00 ..|...|.........
0230 f3 d7 10 00 cc b4 48 00 cc b4 48 00 00 00 00 00 ......H...H.....
0240 e9 11 00 00 cc b4 48 00 cc b4 48 00 06 00 00 00 ......H...H.....
0250 0c 00 00 00 ....
No. Time Source Destination Protocol Info
468 30.535633 C-Com_02:03:b5 C-Com_05:00:9a 0xffe2 Ethernet II
Frame 468 (724 bytes on wire, 724 bytes captured)
Arrival Time: Feb 17, 2005 06:45:29.433900000
Time delta from previous packet: 0.026265000 seconds
Time since reference or first frame: 30.535633000 seconds
Frame Number: 468
Packet Length: 724 bytes
Capture Length: 724 bytes
Ethernet II, Src: 00:01:eb:02:03:b5, Dst: 00:01:eb:05:00:9a
Destination: 00:01:eb:05:00:9a (C-Com_05:00:9a)
Source: 00:01:eb:02:03:b5 (C-Com_02:03:b5)
Type: Unknown (0xffe2)
Data (710 bytes)
0000 00 01 eb 05 00 9a 00 01 eb 02 03 b5 ff e2 c4 02 ................
0010 00 00 06 10 c5 00 01 00 04 00 00 00 01 00 00 00 ................
0020 00 00 00 00 c4 2c 5b 00 05 0a a9 00 00 00 00 00 .....,[.........
0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040 0f c0 02 00 4e 00 00 00 08 00 00 00 00 00 00 00 ....N...........
0050 8a f5 b8 00 c4 20 18 01 00 00 00 00 00 00 00 00 ..... ..........
0060 3b c7 36 04 00 00 00 00 00 00 00 00 02 00 03 00 ;.6.............
0070 00 00 00 00 00 00 00 00 00 00 00 00 0c a7 4f 00 ..............O.
0080 6a 4b 2a 01 00 00 00 00 00 00 00 00 00 00 00 00 jK*.............
0090 00 00 00 00 00 00 00 00 81 09 04 00 be 00 00 00 ................
00a0 15 00 00 00 00 00 00 00 6d 4f 19 00 9a 76 30 00 ........mO...v0.
00b0 00 00 00 00 00 00 00 00 35 23 25 00 00 00 00 00 ........5#%.....
00c0 00 00 00 00 05 00 05 00 35 00 00 00 06 00 00 00 ........5.......
00d0 00 00 00 00 30 a4 08 00 60 00 30 00 00 00 00 00 ....0...`.0.....
00e0 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 ................
00f0 d1 1a 06 00 10 00 00 00 01 00 00 00 00 00 00 00 ................
0100 06 8b 0d 00 84 40 2b 00 00 00 00 00 00 00 00 00 .....@+.........
0110 5b cf 08 00 00 00 00 00 00 00 00 00 4c 4f 07 00 [...........LO..
0120 64 00 00 00 07 00 00 00 00 00 00 00 e0 ac 4d 04 d.............M.
0130 10 d3 5e 04 00 00 00 00 00 00 00 00 5f 9a 02 00 ..^........._...
0140 00 00 00 00 00 00 00 00 5f 9a 08 00 57 00 00 00 ........_...W...
0150 04 00 00 00 00 00 00 00 fa 82 00 00 13 c1 01 00 ................
0160 00 00 00 00 00 00 00 00 7c 0e 00 00 00 00 00 00 ........|.......
0170 00 00 00 00 09 00 09 00 21 00 00 00 0e 00 00 00 ........!.......
0180 00 00 00 00 55 13 01 00 92 83 02 00 00 00 00 00 ....U...........
0190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01a0 de 23 0a 00 65 00 00 00 06 00 00 00 00 00 00 00 .#..e...........
01b0 3c 28 0e 00 3d 60 18 00 00 00 00 00 00 00 00 00 <(..=`..........
01c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0b 00 ................
01d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01e0 00 00 00 00 00 00 00 00 00 00 00 00 9a 7b 9c 00 .............{..
01f0 00 00 00 00 00 00 00 00 ce 0c 0c 00 06 00 00 00 ................
0200 00 00 00 00 00 00 00 00 20 35 00 00 6b 22 01 00 ........ 5..k"..
0210 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0220 00 00 00 00 9a f9 0d 00 00 00 00 00 00 00 00 00 ................
0230 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0240 00 00 00 00 cc b4 48 00 00 00 00 00 00 00 00 00 ......H.........
0250 0c 00 0e 00 46 00 00 00 07 00 00 00 00 00 00 00 ....F...........
0260 4c de 0a 00 f0 5b a0 00 00 00 00 00 00 00 00 00 L....[..........
0270 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 ................
0280 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0290 0d d3 00 00 00 00 00 00 00 00 00 00 00 00 0a 00 ................
02a0 00 00 00 00 00 00 00 00 18 00 10 00 5b 00 00 00 ............[...
02b0 09 00 00 00 00 00 00 00 dd f9 13 00 e7 54 c8 00 .............T..
02c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02d0 00 00 00 00 ....
And this is the detailed decode of one of the STP packets:
No. Time Source Destination Protocol Info
74 4.504940 Gvc_86:5f:0f Spanning-tree-(for-bridges)_00 STP Conf. Root = 0/00:80:00:00:80:2d Cost = -1610358528 Port = 0xa003
Frame 74 (74 bytes on wire, 74 bytes captured)
Arrival Time: Feb 19, 2005 03:44:28.309052000
Time delta from previous packet: 0.008260000 seconds
Time since reference or first frame: 4.504940000 seconds
Frame Number: 74
Packet Length: 74 bytes
Capture Length: 74 bytes
IEEE 802.3 Ethernet
Destination: 01:80:c2:00:00:00 (Spanning-tree-(for-bridges)_00)
Source: 00:c0:a8:86:5f:0f (Gvc_86:5f:0f)
Length: 74
Logical-Link Control
DSAP: Spanning Tree BPDU (0x42)
IG Bit: Individual
SSAP: Spanning Tree BPDU (0x42)
CR Bit: Command
Control field: U, func=UI (0x03)
000. 00.. = Command: Unnumbered Information (0x00)
.... ..11 = Frame type: Unnumbered frame (0x03)
Spanning Tree Protocol
Protocol Identifier: Unknown (0x4242)
Protocol Version Identifier: Multiple Spanning Tree (3)
BPDU Type: Configuration (0x00)
BPDU flags: 0x00
0... .... = Topology Change Acknowledgment: No
.... ...0 = Topology Change: No
Root Identifier: 0 / 00:80:00:00:80:2d
Root Path Cost: 2684608768
Bridge Identifier: 0 / 00:80:00:00:80:2d
Port identifier: 0xa003
Message Age: 225.5
Max Age: 7
Hello Time: 0.078125
Forward Delay: 0.0078125
0000 01 80 c2 00 00 00 00 c0 a8 86 5f 0f 00 4a 42 42 .........._..JBB
0010 03 42 42 03 00 00 00 00 00 80 00 00 80 2d a0 03 .BB..........-..
0020 e1 00 00 00 00 80 00 00 80 2d a0 03 e1 80 07 00 .........-......
0030 00 14 00 02 00 0f 00 aa aa aa aa aa aa aa aa 00 ................
0040 00 00 00 00 00 00 00 00 00 00 ..........
Looks like standard STP traffic to me unless I'm missing something...
Yeah, give up on this as an 'issue.' This is just STP traffic that isn't actually DOING anything since you aren't part of a loop....
Wilnix
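As an added example (my own code, not from anyone in this thread), here is a small Python decoder for the two kinds of frames pasted above: the 802.3/LLC Spanning Tree BPDU of frame 74, and the Ethernet II frame with type 0xffe2 of frame 467 (only its first 32 bytes are reproduced; the constant is truncated). The hex bytes and the timestamps are copied from the posts. The BPDU decoder applies the 802.1D timer ranges as a sanity check; in the posted dump the LLC triple 42 42 03 occurs twice before the BPDU body, so the parser tries both offsets and keeps the one that passes the check, which is how you can tell whether a strange-looking decode is a misaligned parse rather than a strange BPDU. Function names and the KNOWN_ETHERTYPES table are my own choices.

```python
"""Decode the two frame types pasted in this thread: the 802.3/LLC Spanning
Tree BPDU (frame 74) and the Ethernet II frame with type 0xffe2 (frame 467).
Hex and timestamps below are copied from the posts."""
import struct


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn a whitespace-separated hex listing, as pasted from Ethereal, into bytes."""
    return bytes.fromhex("".join(dump.split()))


# Frame 74 from the thread, all 74 bytes.
STP_FRAME = hexdump_to_bytes("""
01 80 c2 00 00 00 00 c0 a8 86 5f 0f 00 4a 42 42
03 42 42 03 00 00 00 00 00 80 00 00 80 2d a0 03
e1 00 00 00 00 80 00 00 80 2d a0 03 e1 80 07 00
00 14 00 02 00 0f 00 aa aa aa aa aa aa aa aa 00
00 00 00 00 00 00 00 00 00 00
""")

# First 32 bytes of frame 467 from the thread (truncated on purpose).
FFE2_FRAME_HEAD = hexdump_to_bytes("""
00 01 eb 05 00 9a 00 01 eb 02 03 b5 ff e2 44 02
00 00 06 10 c4 00 01 00 52 ac 36 04 52 ac 36 04
""")

# Capture timestamps of the eight STP frames in the first listing.
STP_TIMES = [0.491887, 2.505874, 4.504940, 6.507658,
             8.435222, 10.439153, 12.529418, 14.541859]

# Small lookup of common EtherTypes; anything else is reported as "not in table".
KNOWN_ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86dd: "IPv6", 0x8100: "802.1Q"}


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_bpdu(p: bytes) -> dict:
    """Decode a 35-byte IEEE 802.1D configuration BPDU (big-endian).
    The four timer fields are carried in units of 1/256 s."""
    (proto, ver, btype, flags, root_pri, root_mac, cost, br_pri, br_mac,
     port, msg_age, max_age, hello, fwd) = struct.unpack("!HBBBH6sIH6sHHHHH", p[:35])
    return {
        "protocol_id": proto, "version": ver, "type": btype, "flags": flags,
        "root": (root_pri, mac(root_mac)), "cost": cost,
        "bridge": (br_pri, mac(br_mac)), "port": port,
        "message_age": msg_age / 256, "max_age": max_age / 256,
        "hello": hello / 256, "forward_delay": fwd / 256,
        # A bridge that believes it is the root advertises itself with cost 0.
        "claims_root": root_pri == br_pri and root_mac == br_mac and cost == 0,
    }


def bpdu_is_sane(b: dict) -> bool:
    """Range checks from 802.1D: protocol identifier 0, hello 1-10 s, max age
    6-40 s, forward delay 4-30 s. A decode outside them is misaligned or not STP."""
    return (b["protocol_id"] == 0 and b["version"] in (0, 2, 3)
            and 1 <= b["hello"] <= 10 and 6 <= b["max_age"] <= 40
            and 4 <= b["forward_delay"] <= 30)


def parse_frame(raw: bytes) -> dict:
    """Split the Ethernet header. A value >= 0x0600 in bytes 12-13 is an
    EtherType (Ethernet II); a smaller value is an 802.3 length with LLC after it."""
    type_or_len = struct.unpack("!H", raw[12:14])[0]
    info = {"dst": mac(raw[:6]), "src": mac(raw[6:12])}
    if type_or_len >= 0x0600:
        info.update(kind="Ethernet II", ethertype=type_or_len,
                    ethertype_name=KNOWN_ETHERTYPES.get(type_or_len, "not in table"),
                    data=raw[14:])
        return info
    dsap, ssap, ctrl = raw[14], raw[15], raw[16]
    info.update(kind="802.3/LLC", length=type_or_len, dsap=dsap, ssap=ssap, ctrl=ctrl)
    if dsap == ssap == 0x42:  # LLC SAP 0x42: Spanning Tree BPDU
        body = raw[17:]
        # In the posted dump the triple 42 42 03 appears twice, so the BPDU may
        # start 3 bytes later than a strict LLC parse assumes. Try both offsets
        # and keep the first one that passes the 802.1D range checks.
        decoded = {skip: parse_bpdu(body[skip:]) for skip in (0, 3)}
        skip = next((s for s, b in decoded.items() if bpdu_is_sane(b)), 0)
        info.update(bpdu_offset=skip, bpdu=decoded[skip], bpdu_sane=bpdu_is_sane(decoded[skip]))
    return info


def mean_interval(times: list) -> float:
    """Average spacing of capture timestamps, to compare with the BPDU's hello time."""
    return (times[-1] - times[0]) / (len(times) - 1)


if __name__ == "__main__":
    f = parse_frame(STP_FRAME)
    print(f["kind"], "BPDU found at offset", f["bpdu_offset"], f["bpdu"])
    print("observed hello interval: %.2f s" % mean_interval(STP_TIMES))
    g = parse_frame(FFE2_FRAME_HEAD)
    print(g["kind"], hex(g["ethertype"]), g["ethertype_name"], g["src"], "->", g["dst"])
```

Parsing strictly after the first LLC header reproduces the odd numbers in the Ethereal decode (protocol identifier 0x4242, a path cost of 0xa003e100, a message age of 225.5 s); parsing 3 bytes later gives a root identifier of 32768/00:80:2d:a0:03:e1 with cost 0, port 0x8007, hello time 2 s, max age 20 s and forward delay 15 s, and the 2 s hello time matches the spacing of the frames in the first listing. The 0xffe2 frame is plain Ethernet II with a type that is not in the table, so the decoder can only report the endpoints and hand back the payload for inspection.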
This is so dated, but I am awake, doing laundry, and I DON'T CARE!!!