Need Help Setting Up Security Onion with NIC Bonding


Victor Leon

Oct 8, 2013, 9:08:37 PM
to securit...@googlegroups.com
I am trying to set up Security Onion with a bonded NIC.

I have 3 NICs: eth0, eth1, eth2

I have attempted to bond eth1 and eth2 to br0.

I seem to get some traffic coming in on br0 through iftop, but I don't see
anything on snorby or any of the security onion tools.

Eth0 is used for a management interface.

The reason I am bonding eth1 and eth2 is because I am trying to combine
inbound and outbound traffic coming from a passive network tap that I have
created.

I am unsure how to properly configure the interfaces in /etc/network/interfaces


I am not a Linux guru, so be gentle.

Doug Burks

Oct 9, 2013, 6:33:51 AM
to securit...@googlegroups.com
Hi Victor,

DIY network taps often end up causing many problems. Your best bet is
to use one of the inexpensive taps listed here:
https://code.google.com/p/security-onion/wiki/Hardware

If you use one of those taps, you won't need to worry about NIC bonding.

--
Doug Burks
http://securityonion.blogspot.com

Victor Leon

Oct 9, 2013, 9:07:58 PM
to securit...@googlegroups.com
If I could get some help with the interfaces configuration, that would be great. This is what I have in /etc/network/interfaces:

# loopback network interface
auto lo
iface lo inet loopback

# Management network interface
auto eth0
iface eth0 inet dhcp

auto eth1
iface eth1 inet manual
up ifconfig $IFACE -arp up
up ip link set $IFACE promisc on
down ip link set $IFACE promisc off
down ifconfig $IFACE down
post-up ethtool -G $IFACE rx ; for i in rx tx sg tso ufo gso gro lro; do ethtool -K $IFACE $i off; done
post-up echo 1 > /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6

auto eth2
iface eth2 inet manual
up ifconfig $IFACE -arp up
up ip link set $IFACE promisc on
down ip link set $IFACE promisc off
down ifconfig $IFACE down
post-up ethtool -G $IFACE rx ; for i in rx tx sg tso ufo gso gro lro; do ethtool -K $IFACE $i off; done
post-up echo 1 > /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6

auto br0
iface br0 inet manual
bridge_ports eth1 eth2
up ifconfig $IFACE -arp up
up ip link set $IFACE promisc on
down ip link set $IFACE promisc off
down ifconfig $IFACE down
post-up ethtool -G $IFACE rx ; for i in rx tx sg tso ufo gso gro lro; do ethtool -K $IFACE $i off; done
post-up echo 1 > /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6

Also, I have set up:
/etc/nsm/sensor1/barnyard2.conf:config interface: br0
/etc/nsm/sensor1/sensor.conf:SENSOR_INTERFACE="br0"
/etc/nsm/sensortab:sensor1 1 7735 br0

When running Snorby, it shows the sensor as br0, but I seem to get no events.

Is there anything I might have missed? I was unsure about the interfaces configuration, so I copied the configuration that Setup applies to the br0 interface.

Doug Burks

Oct 10, 2013, 2:10:24 PM
to securit...@googlegroups.com
Did you run Setup before configuring br0 and then manually change
those files to use br0?

If you run tcpdump on br0, are you seeing the combined traffic from
both eth1 and eth2 as you expect to see? If so, run Setup and see if
it allows you to select br0.

Again, if you can spend $40 then you can purchase an inexpensive tap
and avoid this issue altogether.

Victor Leon

Oct 10, 2013, 2:32:03 PM
to securit...@googlegroups.com
I did change the interfaces file because it won't bridge the interfaces through the setup. After that I copied the configuration on br0 to eth1 and eth2 since those were receiving incoming and outgoing traffic.

I did run tcpdump on br0, eth1, and eth2. I am getting traffic on all 3.

Doug Burks

Oct 10, 2013, 2:42:56 PM
to securit...@googlegroups.com
When you run tcpdump on br0, are you seeing the combined traffic from
both eth1 and eth2 as you would expect? If so, try re-running Setup.
When it first asks about configuring /etc/network/interfaces, say no
and skip to the next section. After choosing Quick Setup or Advanced
Setup and it asks which interface(s) to monitor, does it allow you to
select br0?

On Thu, Oct 10, 2013 at 2:32 PM, Victor Leon <victora...@gmail.com> wrote:
> I did change the interfaces file because it won't bridge the interfaces through the setup. After that I copied the configuration on br0 to eth1 and eth2 since those were receiving incoming and outgoing traffic.
>
> I did run tcpdump on br0, eth1, and eth2. I am getting traffic on all 3.
>

Victor Leon

Oct 10, 2013, 2:55:20 PM
to securit...@googlegroups.com
I seem to be getting combined traffic from eth1 and eth2. When I go to Setup, it does allow me to select br0, but that's only because I manually bridged the interface already and set it to come up on boot with auto.

Doug Burks

Oct 10, 2013, 2:57:01 PM
to securit...@googlegroups.com
Right, now that Setup detects br0, please select it and run through
Setup so that it does all the configuration for br0.

On Thu, Oct 10, 2013 at 2:55 PM, Victor Leon <victora...@gmail.com> wrote:
> I seem to be getting combined traffic from eth1 and eth2. When I go to setup, it does allow me to select br0; but that's only because I manually bridged the interface already and set it to enable on boot with auto.
>

Victor Leon

Oct 10, 2013, 3:12:15 PM
to securit...@googlegroups.com
I ran through Setup, selecting the br0 sensor. After Setup, I went to http://testmyids.com/ to have events show up in Snorby. I see no events.

Doug Burks

Oct 10, 2013, 3:17:38 PM
to securit...@googlegroups.com
Please send the output of the following (redacting sensitive info as necessary):
sudo sostat

On Thu, Oct 10, 2013 at 3:12 PM, Victor Leon <victora...@gmail.com> wrote:
> I ran through the setup, selecting the br0 sensor. After the setup, I went to http://testmyids.com/ to have events show up on snorby. I see no events.
>

Victor Leon

Oct 10, 2013, 3:38:54 PM
to securit...@googlegroups.com
=========================================================================
Service Status
=========================================================================
Status: securityonion
* sguil server[ OK ]
Status: HIDS
* ossec_agent (sguil)[ OK ]
Status: Bro
Name Type Host Status Pid Peers Started
manager manager 10.0.34.158 running 11796 2 10 Oct 18:58:48
proxy proxy 10.0.34.158 running 11847 2 10 Oct 18:58:50
MIS-406250SecOnion-br0-1 worker 10.0.34.158 running 11891 2 10 Oct 18:58:53
Status: MIS-406250SecOnion-br0
* netsniff-ng (full packet data)[ OK ]
* pcap_agent (sguil)[ OK ]
* snort_agent-1 (sguil)[ OK ]
* snort-1 (alert data)[ OK ]
* barnyard2-1 (spooler, unified2 format)[ OK ]
* prads (sessions/assets)[ OK ]
* sancp_agent (sguil)[ OK ]
* pads_agent (sguil)[ OK ]
* argus[ OK ]
* http_agent (sguil)[ OK ]

=========================================================================
Interface Status
=========================================================================
br0 Link encap:Ethernet HWaddr 00:15:5d:22:62:01
UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:984 errors:0 dropped:0 overruns:0 frame:0
TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:117994 (117.9 KB) TX bytes:90 (90.0 B)

eth0 Link encap:Ethernet HWaddr 00:15:5d:22:62:00
inet addr:10.0.34.158 Bcast:10.0.34.255 Mask:255.255.255.0
inet6 addr: fe80::215:5dff:fe22:6200/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:38128 errors:0 dropped:0 overruns:0 frame:0
TX packets:8366 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:22636875 (22.6 MB) TX bytes:646977 (646.9 KB)

eth1 Link encap:Ethernet HWaddr 00:15:5d:22:62:01
inet6 addr: fe80::215:5dff:fe22:6201/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:542 errors:0 dropped:0 overruns:0 frame:0
TX packets:45 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:70129 (70.1 KB) TX bytes:5362 (5.3 KB)

eth2 Link encap:Ethernet HWaddr 00:15:5d:22:62:02
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:442 errors:0 dropped:0 overruns:0 frame:0
TX packets:28 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:61641 (61.6 KB) TX bytes:1332 (1.3 KB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:137209 errors:0 dropped:0 overruns:0 frame:0
TX packets:137209 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:17189465 (17.1 MB) TX bytes:17189465 (17.1 MB)


=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
/dev/sda1 97G 4.5G 88G 5% /
udev 987M 4.0K 987M 1% /dev
tmpfs 400M 784K 399M 1% /run
none 5.0M 0 5.0M 0% /run/lock
none 999M 220K 999M 1% /run/shm

=========================================================================
Network Sockets
=========================================================================
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
avahi-dae 724 avahi 12u IPv4 8158 0t0 UDP *:5353
avahi-dae 724 avahi 13u IPv6 8159 0t0 UDP *:5353
avahi-dae 724 avahi 14u IPv4 8160 0t0 UDP *:36006
avahi-dae 724 avahi 15u IPv6 8161 0t0 UDP *:41179
cupsd 741 root 8u IPv6 39614 0t0 TCP [::1]:631 (LISTEN)
cupsd 741 root 9u IPv4 39615 0t0 TCP 127.0.0.1:631 (LISTEN)
dhclient3 1419 root 6u IPv4 9661 0t0 UDP *:68
sshd 1551 root 3u IPv4 10032 0t0 TCP *:22 (LISTEN)
sshd 1551 root 4u IPv6 10034 0t0 TCP *:22 (LISTEN)
mysqld 1817 mysql 10u IPv4 13055 0t0 TCP 127.0.0.1:3306 (LISTEN)
mysqld 1817 mysql 33u IPv4 45839 0t0 TCP 127.0.0.1:3306->127.0.0.1:52589 (ESTABLISHED)
ntop 1913 ntop 1u IPv4 12212 0t0 TCP *:3000 (LISTEN)
/usr/sbin 2554 root 4u IPv4 14338 0t0 TCP *:443 (LISTEN)
/usr/sbin 2554 root 5u IPv4 14341 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2554 root 6u IPv4 14343 0t0 TCP *:3154 (LISTEN)
/usr/sbin 2554 root 7u IPv4 14347 0t0 TCP *:444 (LISTEN)
ntpd 3420 ntp 16u IPv4 17843 0t0 UDP *:123
ntpd 3420 ntp 17u IPv6 17844 0t0 UDP *:123
ntpd 3420 ntp 18u IPv4 17850 0t0 UDP 127.0.0.1:123
ntpd 3420 ntp 19u IPv4 17851 0t0 UDP 10.0.34.158:123
ntpd 3420 ntp 20u IPv6 17852 0t0 UDP [fe80::215:5dff:fe22:6201]:123
ntpd 3420 ntp 21u IPv6 17853 0t0 UDP [fe80::215:5dff:fe22:6200]:123
ntpd 3420 ntp 22u IPv6 17854 0t0 UDP [::1]:123
ossec-csy 8434 ossecm 5u IPv4 40391 0t0 UDP 127.0.0.1:41184->127.0.0.1:514
tclsh 11689 root 13u IPv4 44512 0t0 TCP *:7734 (LISTEN)
tclsh 11689 root 14u IPv4 44513 0t0 TCP *:7736 (LISTEN)
tclsh 11689 root 15u IPv4 44517 0t0 TCP 127.0.0.1:7736->127.0.0.1:56899 (ESTABLISHED)
tclsh 11689 root 16u IPv4 45289 0t0 TCP 127.0.0.1:7736->127.0.0.1:56905 (ESTABLISHED)
tclsh 11689 root 17u IPv4 45406 0t0 TCP 127.0.0.1:7736->127.0.0.1:56906 (ESTABLISHED)
tclsh 11689 root 18u IPv4 45742 0t0 TCP 127.0.0.1:7736->127.0.0.1:56907 (ESTABLISHED)
tclsh 11689 root 19u IPv4 45833 0t0 TCP 127.0.0.1:7736->127.0.0.1:56908 (ESTABLISHED)
tclsh 11689 root 20u IPv4 46005 0t0 TCP 127.0.0.1:7736->127.0.0.1:56911 (ESTABLISHED)
tclsh 11735 root 3u IPv4 44516 0t0 TCP 127.0.0.1:56899->127.0.0.1:7736 (ESTABLISHED)
bro 11796 root 4u IPv4 44695 0t0 UDP 10.0.34.158:33762->10.2.136.124:53
bro 11802 root 0u IPv4 44702 0t0 TCP *:47761 (LISTEN)
bro 11802 root 1u IPv6 44703 0t0 TCP *:47761 (LISTEN)
bro 11802 root 2u IPv4 44875 0t0 TCP 10.0.34.158:47761->10.0.34.158:45120 (ESTABLISHED)
bro 11802 root 4u IPv4 44695 0t0 UDP 10.0.34.158:33762->10.2.136.124:53
bro 11802 root 7u IPv4 45004 0t0 TCP 10.0.34.158:47761->10.0.34.158:45124 (ESTABLISHED)
bro 11847 root 4u IPv4 44839 0t0 UDP 10.0.34.158:56840->10.2.136.124:53
bro 11851 root 0u IPv4 44874 0t0 TCP 10.0.34.158:45120->10.0.34.158:47761 (ESTABLISHED)
bro 11851 root 1u IPv4 44879 0t0 TCP *:47762 (LISTEN)
bro 11851 root 2u IPv6 44880 0t0 TCP *:47762 (LISTEN)
bro 11851 root 4u IPv4 44839 0t0 UDP 10.0.34.158:56840->10.2.136.124:53
bro 11851 root 7u IPv4 45002 0t0 TCP 10.0.34.158:47762->10.0.34.158:41830 (ESTABLISHED)
bro 11891 root 4u IPv4 44991 0t0 UDP 10.0.34.158:55939->10.2.136.124:53
bro 11893 root 0u IPv4 45001 0t0 TCP 10.0.34.158:41830->10.0.34.158:47762 (ESTABLISHED)
bro 11893 root 1u IPv4 45003 0t0 TCP 10.0.34.158:45124->10.0.34.158:47761 (ESTABLISHED)
bro 11893 root 2u IPv4 45007 0t0 TCP *:47763 (LISTEN)
bro 11893 root 4u IPv4 44991 0t0 UDP 10.0.34.158:55939->10.2.136.124:53
bro 11893 root 9u IPv6 45008 0t0 TCP *:47763 (LISTEN)
tclsh 12009 root 3u IPv4 45288 0t0 TCP 127.0.0.1:56905->127.0.0.1:7736 (ESTABLISHED)
tclsh 12042 root 3u IPv4 45405 0t0 TCP 127.0.0.1:56906->127.0.0.1:7736 (ESTABLISHED)
tclsh 12042 root 4u IPv4 45407 0t0 TCP 127.0.0.1:8001 (LISTEN)
tclsh 12042 root 5u IPv4 45835 0t0 TCP 127.0.0.1:8001->127.0.0.1:34297 (ESTABLISHED)
barnyard2 12105 root 3u IPv4 45834 0t0 TCP 127.0.0.1:34297->127.0.0.1:8001 (ESTABLISHED)
barnyard2 12105 root 4u IPv4 45838 0t0 TCP 127.0.0.1:52589->127.0.0.1:3306 (ESTABLISHED)
tclsh 12137 root 3u IPv4 45741 0t0 TCP 127.0.0.1:56907->127.0.0.1:7736 (ESTABLISHED)
tclsh 12155 root 3u IPv4 45832 0t0 TCP 127.0.0.1:56908->127.0.0.1:7736 (ESTABLISHED)
tclsh 12194 root 3u IPv4 46004 0t0 TCP 127.0.0.1:56911->127.0.0.1:7736 (ESTABLISHED)
searchd 12297 sphinxsearch 7u IPv4 48201 0t0 TCP *:9306 (LISTEN)
searchd 12297 sphinxsearch 8u IPv4 48202 0t0 TCP *:3307 (LISTEN)
syslog-ng 12321 root 9u IPv4 49219 0t0 TCP *:514 (LISTEN)
syslog-ng 12321 root 10u IPv4 49220 0t0 UDP *:514
/usr/sbin 12684 www-data 4u IPv4 14338 0t0 TCP *:443 (LISTEN)
/usr/sbin 12684 www-data 5u IPv4 14341 0t0 TCP *:9876 (LISTEN)
/usr/sbin 12684 www-data 6u IPv4 14343 0t0 TCP *:3154 (LISTEN)
/usr/sbin 12684 www-data 7u IPv4 14347 0t0 TCP *:444 (LISTEN)
/usr/sbin 12685 www-data 4u IPv4 14338 0t0 TCP *:443 (LISTEN)
/usr/sbin 12685 www-data 5u IPv4 14341 0t0 TCP *:9876 (LISTEN)
/usr/sbin 12685 www-data 6u IPv4 14343 0t0 TCP *:3154 (LISTEN)
/usr/sbin 12685 www-data 7u IPv4 14347 0t0 TCP *:444 (LISTEN)
/usr/sbin 12686 www-data 4u IPv4 14338 0t0 TCP *:443 (LISTEN)
/usr/sbin 12686 www-data 5u IPv4 14341 0t0 TCP *:9876 (LISTEN)
/usr/sbin 12686 www-data 6u IPv4 14343 0t0 TCP *:3154 (LISTEN)
/usr/sbin 12686 www-data 7u IPv4 14347 0t0 TCP *:444 (LISTEN)
/usr/sbin 12687 www-data 4u IPv4 14338 0t0 TCP *:443 (LISTEN)
/usr/sbin 12687 www-data 5u IPv4 14341 0t0 TCP *:9876 (LISTEN)
/usr/sbin 12687 www-data 6u IPv4 14343 0t0 TCP *:3154 (LISTEN)
/usr/sbin 12687 www-data 7u IPv4 14347 0t0 TCP *:444 (LISTEN)
/usr/sbin 12688 www-data 4u IPv4 14338 0t0 TCP *:443 (LISTEN)
/usr/sbin 12688 www-data 5u IPv4 14341 0t0 TCP *:9876 (LISTEN)
/usr/sbin 12688 www-data 6u IPv4 14343 0t0 TCP *:3154 (LISTEN)
/usr/sbin 12688 www-data 7u IPv4 14347 0t0 TCP *:444 (LISTEN)
/usr/sbin 13624 www-data 4u IPv4 14338 0t0 TCP *:443 (LISTEN)
/usr/sbin 13624 www-data 5u IPv4 14341 0t0 TCP *:9876 (LISTEN)
/usr/sbin 13624 www-data 6u IPv4 14343 0t0 TCP *:3154 (LISTEN)
/usr/sbin 13624 www-data 7u IPv4 14347 0t0 TCP *:444 (LISTEN)
/usr/sbin 14247 www-data 4u IPv4 14338 0t0 TCP *:443 (LISTEN)
/usr/sbin 14247 www-data 5u IPv4 14341 0t0 TCP *:9876 (LISTEN)
/usr/sbin 14247 www-data 6u IPv4 14343 0t0 TCP *:3154 (LISTEN)
/usr/sbin 14247 www-data 7u IPv4 14347 0t0 TCP *:444 (LISTEN)
ruby1.9.1 14281 www-data 12u IPv4 57012 0t0 TCP 127.0.0.1:35683 (LISTEN)
/usr/sbin 14319 www-data 4u IPv4 14338 0t0 TCP *:443 (LISTEN)
/usr/sbin 14319 www-data 5u IPv4 14341 0t0 TCP *:9876 (LISTEN)
/usr/sbin 14319 www-data 6u IPv4 14343 0t0 TCP *:3154 (LISTEN)
/usr/sbin 14319 www-data 7u IPv4 14347 0t0 TCP *:444 (LISTEN)
/usr/sbin 14325 www-data 4u IPv4 14338 0t0 TCP *:443 (LISTEN)
/usr/sbin 14325 www-data 5u IPv4 14341 0t0 TCP *:9876 (LISTEN)
/usr/sbin 14325 www-data 6u IPv4 14343 0t0 TCP *:3154 (LISTEN)
/usr/sbin 14325 www-data 7u IPv4 14347 0t0 TCP *:444 (LISTEN)
/usr/sbin 14326 www-data 4u IPv4 14338 0t0 TCP *:443 (LISTEN)
/usr/sbin 14326 www-data 5u IPv4 14341 0t0 TCP *:9876 (LISTEN)
/usr/sbin 14326 www-data 6u IPv4 14343 0t0 TCP *:3154 (LISTEN)
/usr/sbin 14326 www-data 7u IPv4 14347 0t0 TCP *:444 (LISTEN)

=========================================================================
IDS Rules Update
=========================================================================

=========================================================================
CPU Usage
=========================================================================
top - 19:34:02 up 54 min, 1 user, load average: 6.19, 6.15, 6.13
Tasks: 214 total, 2 running, 206 sleeping, 0 stopped, 6 zombie
Cpu(s): 13.4%us, 2.1%sy, 0.5%ni, 75.0%id, 8.7%wa, 0.0%hi, 0.3%si, 0.0%st
Mem: 2044596k total, 1884984k used, 159612k free, 28352k buffers
Swap: 3117396k total, 137288k used, 2980108k free, 545748k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
19431 root 20 0 253m 68m 3852 R 96.2 3.5 0:00.71 perl
11891 root 20 0 274m 92m 68m S 2.0 4.6 0:09.98 bro
14050 administ 20 0 898m 56m 20m S 2.0 2.8 0:10.86 chromium-browse
1 root 20 0 24592 2328 1292 S 0.0 0.1 0:00.79 init
2 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kthreadd
3 root 20 0 0 0 0 S 0.0 0.0 0:00.35 ksoftirqd/0
6 root RT 0 0 0 0 S 0.0 0.0 0:00.00 migration/0
7 root RT 0 0 0 0 S 0.0 0.0 0:00.01 watchdog/0
8 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 cpuset
9 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 khelper
10 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kdevtmpfs
11 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 netns
12 root 20 0 0 0 0 S 0.0 0.0 0:00.00 sync_supers
13 root 20 0 0 0 0 S 0.0 0.0 0:00.00 bdi-default
14 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kintegrityd
15 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kblockd
16 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 ata_sff
17 root 20 0 0 0 0 S 0.0 0.0 0:00.00 khubd
18 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 md
19 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kworker/u:1
22 root 20 0 0 0 0 S 0.0 0.0 0:00.00 khungtaskd
23 root 20 0 0 0 0 S 0.0 0.0 0:01.19 kswapd0
24 root 25 5 0 0 0 S 0.0 0.0 0:00.00 ksmd
25 root 39 19 0 0 0 S 0.0 0.0 0:00.00 khugepaged
26 root 20 0 0 0 0 S 0.0 0.0 0:00.00 fsnotify_mark
27 root 20 0 0 0 0 S 0.0 0.0 0:00.00 ecryptfs-kthrea
28 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 crypto
36 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kthrotld
37 root 20 0 0 0 0 S 0.0 0.0 0:00.00 scsi_eh_0
38 root 20 0 0 0 0 S 0.0 0.0 0:00.00 scsi_eh_1
39 root 20 0 0 0 0 S 0.0 0.0 0:00.01 kworker/u:2
59 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 devfreq_wq
251 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 hv_vmbus_con
253 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 hv_vmbus_ctl
255 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 hv_vmbus_ctl
256 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 hv_vmbus_ctl
257 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 hv_vmbus_ctl
259 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 hv_vmbus_ctl
260 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 hv_vmbus_ctl
263 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 hv_vmbus_ctl
264 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 hv_vmbus_ctl
265 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 hv_vmbus_ctl
266 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 hv_vmbus_ctl
267 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 hv_vmbus_ctl
268 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 hv_vmbus_ctl
269 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 hv_vmbus_ctl
270 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 hv_vmbus_ctl
286 root 20 0 0 0 0 S 0.0 0.0 0:00.00 scsi_eh_2
287 root 20 0 0 0 0 S 0.0 0.0 0:00.00 scsi_eh_3
367 root 20 0 0 0 0 S 0.0 0.0 0:00.46 jbd2/sda1-8
368 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 ext4-dio-unwrit
470 root 20 0 17232 648 524 S 0.0 0.0 0:00.04 upstart-udev-br
475 root 20 0 21828 936 804 S 0.0 0.0 0:00.04 udevd
645 messageb 20 0 24720 1388 812 S 0.0 0.1 0:00.12 dbus-daemon
673 root 20 0 21320 1228 1168 S 0.0 0.1 0:00.00 bluetoothd
679 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kmpathd
704 root 20 0 21824 692 428 S 0.0 0.0 0:00.02 udevd
705 root 20 0 21824 572 364 S 0.0 0.0 0:00.00 udevd
715 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kmpath_handlerd
724 avahi 20 0 32308 1336 1088 S 0.0 0.1 0:00.06 avahi-daemon
725 avahi 20 0 32180 144 128 S 0.0 0.0 0:00.00 avahi-daemon
741 root 20 0 101m 2196 1720 S 0.0 0.1 0:00.01 cupsd
750 root 10 -10 0 0 0 S 0.0 0.0 0:00.00 krfcommd
787 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kpsmoused
1083 root 20 0 15188 404 332 S 0.0 0.0 0:00.00 upstart-socket-
1419 root 20 0 7264 204 160 S 0.0 0.0 0:00.00 dhclient3
1551 root 20 0 50032 1920 1728 S 0.0 0.1 0:00.00 sshd
1669 root 20 0 20024 732 728 S 0.0 0.0 0:00.00 getty
1675 root 20 0 20024 732 728 S 0.0 0.0 0:00.00 getty
1688 root 20 0 20024 732 728 S 0.0 0.0 0:00.00 getty
1690 root 20 0 20024 732 728 S 0.0 0.0 0:00.00 getty
1695 root 20 0 20024 732 728 S 0.0 0.0 0:00.00 getty
1726 root 20 0 4460 532 528 S 0.0 0.0 0:00.00 acpid
1729 root 20 0 570m 2896 2588 S 0.0 0.1 0:00.06 console-kit-dae
1731 daemon 20 0 16908 200 200 S 0.0 0.0 0:00.00 atd
1733 root 20 0 264m 2456 2456 S 0.0 0.1 0:00.00 lightdm
1817 mysql 20 0 867m 39m 5428 S 0.0 2.0 1:04.37 mysqld
1826 root 20 0 190m 3496 2632 S 0.0 0.2 0:00.14 polkitd
1839 root 20 0 186m 41m 6276 S 0.0 2.1 0:15.93 Xorg
1865 root 20 0 168m 2416 2416 S 0.0 0.1 0:00.00 lightdm
1868 root 20 0 118m 2864 2692 S 0.0 0.1 0:00.05 accounts-daemon
1913 ntop 20 0 583m 7264 5444 S 0.0 0.4 0:01.77 ntop
1984 administ 20 0 4400 588 584 S 0.0 0.0 0:00.00 sh
2018 administ 20 0 12568 32 0 S 0.0 0.0 0:00.00 ssh-agent
2021 administ 20 0 26560 460 456 S 0.0 0.0 0:00.00 dbus-launch
2022 administ 20 0 25732 1644 616 S 0.0 0.1 0:00.33 dbus-daemon
2030 administ 20 0 47604 2460 2144 S 0.0 0.1 0:00.02 xfconfd
2043 administ 20 0 63860 1920 1624 S 0.0 0.1 0:00.15 xscreensaver
2045 administ 20 0 158m 4832 4556 S 0.0 0.2 0:00.01 xfce4-session
2051 administ 20 0 155m 9720 6980 S 0.0 0.5 0:01.40 xfwm4
2053 administ 20 0 287m 12m 8464 S 0.0 0.6 0:00.72 xfce4-panel
2054 administ 20 0 128m 2900 2588 S 0.0 0.1 0:00.00 xfsettingsd
2056 administ 20 0 224m 5724 5092 S 0.0 0.3 0:00.05 Thunar
2058 administ 20 0 304m 10m 8956 S 0.0 0.5 0:00.74 xfdesktop
2062 administ 20 0 185m 3512 3188 S 0.0 0.2 0:00.02 polkit-gnome-au
2064 administ 20 0 407m 3820 3768 S 0.0 0.2 0:00.05 zeitgeist-datah
2066 administ 20 0 570m 8908 8256 S 0.0 0.4 0:00.13 blueman-applet
2082 administ 20 0 267m 2444 2048 S 0.0 0.1 0:00.08 zeitgeist-daemo
2084 administ 20 0 405m 12m 9068 S 0.0 0.6 0:00.26 update-notifier
2091 administ 20 0 230m 2716 2508 S 0.0 0.1 0:00.06 zeitgeist-fts
2094 administ 20 0 52420 2140 2004 S 0.0 0.1 0:00.02 gvfsd
2095 administ 20 0 257m 6988 6168 S 0.0 0.3 0:00.12 applet.py
2096 administ 20 0 529m 4560 3892 S 0.0 0.2 0:00.07 xfce4-volumed
2103 administ 20 0 203m 2152 2152 S 0.0 0.1 0:00.00 gvfs-fuse-daemo
2104 administ 20 0 442m 6976 6060 S 0.0 0.3 0:00.05 nm-applet
2107 administ 20 0 11420 252 252 S 0.0 0.0 0:00.00 cat
2116 administ 9 -11 270m 1852 1508 S 0.0 0.1 0:00.00 pulseaudio
2118 rtkit 21 1 164m 1064 1056 S 0.0 0.1 0:00.02 rtkit-daemon
2124 administ 20 0 150m 2772 2264 S 0.0 0.1 0:00.22 xfce4-settings-
2136 administ 20 0 212m 3424 2856 S 0.0 0.2 0:00.05 xfce4-power-man
2146 root 20 0 214m 3016 2712 S 0.0 0.1 0:00.02 upowerd
2157 root 20 0 116m 2556 2364 S 0.0 0.1 0:00.01 udisks-daemon
2158 root 20 0 45516 424 396 S 0.0 0.0 0:00.00 udisks-daemon
2164 administ 20 0 70336 2908 2604 S 0.0 0.1 0:00.02 gvfs-gdu-volume
2165 administ 20 0 149m 6016 5228 S 0.0 0.3 0:00.02 panel-4-systray
2167 administ 20 0 474m 10m 8500 S 0.0 0.5 0:00.14 xfce4-indicator
2168 administ 20 0 148m 7292 6188 S 0.0 0.4 0:00.05 panel-7-datetim
2183 administ 20 0 60344 1880 1732 S 0.0 0.1 0:00.00 gvfs-gphoto2-vo
2192 administ 20 0 138m 1896 1800 S 0.0 0.1 0:00.00 gvfs-afc-volume
2194 administ 20 0 169m 7172 6136 S 0.0 0.4 0:00.02 panel-9-xfsm-lo
2206 administ 20 0 57072 2788 2504 S 0.0 0.1 0:00.00 gvfsd-trash
2251 administ 20 0 57120 1952 1672 S 0.0 0.1 0:00.00 gconfd-2
2262 administ 20 0 181m 7484 6656 S 0.0 0.4 0:00.01 panel-24-thunar
2297 administ 20 0 525m 4136 3816 S 0.0 0.2 0:00.08 indicator-sound
2303 administ 20 0 633m 3708 3556 S 0.0 0.2 0:00.04 indicator-messa
2304 administ 20 0 411m 3620 3248 S 0.0 0.2 0:00.02 indicator-appli
2318 root 20 0 0 0 0 S 0.0 0.0 0:00.17 flush-8:0
2334 administ 20 0 57820 2152 1992 S 0.0 0.1 0:00.02 obex-data-serve
2554 root 20 0 176m 14m 8772 S 0.0 0.7 0:00.17 /usr/sbin/apach
2652 root 20 0 20024 732 728 S 0.0 0.0 0:00.00 getty
3420 ntp 20 0 37772 1364 1248 S 0.0 0.1 0:00.13 ntpd
3822 administ 20 0 367m 11m 2772 S 0.0 0.6 0:00.28 gnome-keyring-d
4406 root 20 0 4340 564 464 S 0.0 0.0 0:00.00 tail
4447 root 19 -1 14888 1928 300 S 0.0 0.1 0:00.19 dema
8434 ossecm 20 0 12916 604 420 S 0.0 0.0 0:00.01 ossec-csyslogd
8440 root 20 0 12804 532 348 S 0.0 0.0 0:00.00 ossec-execd
8444 ossec 20 0 14504 2376 800 S 0.0 0.1 0:04.79 ossec-analysisd
8448 root 20 0 4528 532 404 S 0.0 0.0 0:00.00 ossec-logcollec
8459 root 20 0 5760 2124 640 S 0.0 0.1 0:15.26 ossec-syscheckd
8462 ossec 20 0 13060 512 324 S 0.0 0.0 0:00.00 ossec-monitord
11689 root 20 0 119m 7640 3740 S 0.0 0.4 0:00.27 tclsh
11732 root 20 0 118m 3568 924 S 0.0 0.2 0:00.07 tclsh
11733 root 20 0 118m 3212 568 S 0.0 0.2 0:00.00 tclsh
11735 root 20 0 38436 5740 2716 S 0.0 0.3 0:00.08 tclsh
11736 root 20 0 4344 360 280 S 0.0 0.0 0:00.00 tail
11787 root 20 0 17884 1584 1304 S 0.0 0.1 0:00.00 bash
11796 root 20 0 667m 21m 3968 S 0.0 1.1 0:08.62 bro
11802 root 25 5 89580 18m 936 S 0.0 0.9 0:07.56 bro
11804 root 20 0 0 0 0 Z 0.0 0.0 0:00.00 sh <defunct>
11805 root 20 0 0 0 0 Z 0.0 0.0 0:00.00 sh <defunct>
11834 root 20 0 17884 1584 1304 S 0.0 0.1 0:00.00 bash
11847 root 20 0 275m 21m 3964 S 0.0 1.1 0:08.26 bro
11851 root 25 5 81340 18m 956 S 0.0 0.9 0:07.85 bro
11852 root 20 0 0 0 0 Z 0.0 0.0 0:00.00 sh <defunct>
11853 root 20 0 0 0 0 Z 0.0 0.0 0:00.00 sh <defunct>
11882 root 20 0 17884 1584 1304 S 0.0 0.1 0:00.00 bash
11893 root 25 5 135m 82m 64m S 0.0 4.1 0:07.19 bro
11894 root 20 0 0 0 0 Z 0.0 0.0 0:00.00 sh <defunct>
11936 sguil 20 0 105m 79m 64m S 0.0 4.0 0:00.05 netsniff-ng
12009 root 20 0 32916 4608 2940 S 0.0 0.2 0:00.05 tclsh
12042 root 20 0 32500 4280 2936 S 0.0 0.2 0:00.01 tclsh
12073 sguil 20 0 538m 217m 10m S 0.0 10.9 0:07.81 snort
12105 root 20 0 160m 55m 1808 S 0.0 2.8 0:14.24 barnyard2
12121 sguil 20 0 25728 6872 3668 S 0.0 0.3 0:00.10 prads
12137 root 20 0 32396 4216 2924 S 0.0 0.2 0:00.01 tclsh
12139 root 20 0 4328 360 280 S 0.0 0.0 0:00.00 cat
12155 root 20 0 33500 5332 2972 S 0.0 0.3 0:00.12 tclsh
12175 sguil 20 0 111m 6632 1128 S 0.0 0.3 0:02.02 argus
12194 root 20 0 32532 4252 2920 S 0.0 0.2 0:00.00 tclsh
12196 root 20 0 4340 608 512 S 0.0 0.0 0:00.00 tail
12284 sphinxse 20 0 72916 2048 1476 S 0.0 0.1 0:00.00 su
12297 sphinxse 20 0 309m 26m 8108 S 0.0 1.3 0:03.14 searchd
12320 root 20 0 26780 436 196 S 0.0 0.0 0:00.00 syslog-ng
12321 root 20 0 70592 4244 2872 S 0.0 0.2 0:00.29 syslog-ng
12322 root 20 0 4400 612 508 S 0.0 0.0 0:00.00 sh
12325 root 20 0 212m 37m 3852 S 0.0 1.9 0:01.40 perl
12584 root 20 0 19112 1020 780 S 0.0 0.0 0:00.00 cron
12651 root 20 0 215m 2048 1772 S 0.0 0.1 0:00.00 PassengerWatchd
12655 root 20 0 544m 2376 2004 S 0.0 0.1 0:02.37 PassengerHelper
12660 root 20 0 108m 9380 2236 S 0.0 0.5 0:00.04 ruby1.9.1
12663 nobody 20 0 165m 4668 3636 S 0.0 0.2 0:00.00 PassengerLoggin
12684 www-data 20 0 177m 9128 2496 S 0.0 0.4 0:00.00 /usr/sbin/apach
12685 www-data 20 0 177m 9188 2492 S 0.0 0.4 0:00.01 /usr/sbin/apach
12686 www-data 20 0 177m 9216 2496 S 0.0 0.5 0:00.01 /usr/sbin/apach
12687 www-data 20 0 176m 8672 2224 S 0.0 0.4 0:00.02 /usr/sbin/apach
12688 www-data 20 0 177m 9360 2500 S 0.0 0.5 0:00.00 /usr/sbin/apach
12766 root 20 0 4344 608 504 S 0.0 0.0 0:00.00 tail
13624 www-data 20 0 177m 9364 2476 S 0.0 0.5 0:00.03 /usr/sbin/apach
14014 administ 20 0 628m 57m 36m S 0.0 2.9 0:02.04 chromium-browse
14018 administ 20 0 264m 7648 2108 S 0.0 0.4 0:00.03 chromium-browse
14019 administ 20 0 6464 408 320 S 0.0 0.0 0:00.00 chromium-browse
14020 administ 20 0 283m 18m 12m S 0.0 0.9 0:00.00 chromium-browse
14024 administ 20 0 283m 5616 204 S 0.0 0.3 0:00.00 chromium-browse
14247 www-data 20 0 177m 8684 2016 S 0.0 0.4 0:00.00 /usr/sbin/apach
14256 www-data 20 0 417m 85m 3824 S 0.0 4.3 0:02.74 ruby
14281 www-data 20 0 287m 87m 3560 S 0.0 4.4 0:01.02 ruby1.9.1
14319 www-data 20 0 176m 8424 1992 S 0.0 0.4 0:00.00 /usr/sbin/apach
14325 www-data 20 0 177m 8976 2280 S 0.0 0.4 0:00.00 /usr/sbin/apach
14326 www-data 20 0 177m 8936 2276 S 0.0 0.4 0:00.00 /usr/sbin/apach
17496 root 20 0 0 0 0 S 0.0 0.0 0:00.20 kworker/0:2
18489 root 20 0 0 0 0 S 0.0 0.0 0:00.14 kworker/0:1
18508 root 20 0 4400 616 512 S 0.0 0.0 0:00.00 sh
18511 root 20 0 4400 324 220 S 0.0 0.0 0:00.00 sh
18516 root 20 0 11400 352 276 S 0.0 0.0 0:00.00 sleep
19077 root 20 0 0 0 0 S 0.0 0.0 0:00.04 kworker/0:0
19101 root 20 0 0 0 0 S 0.0 0.0 0:00.01 kworker/0:3
19191 administ 20 0 249m 13m 10m S 0.0 0.7 0:00.11 xfce4-terminal
19192 administ 20 0 0 0 0 Z 0.0 0.0 0:00.00 xfce4-ter <defunct>
19193 administ 20 0 27448 4444 1692 S 0.0 0.2 0:00.12 bash
19250 root 20 0 78392 2532 1812 S 0.0 0.1 0:00.01 sudo
19251 root 20 0 16568 1484 1248 S 0.0 0.1 0:00.00 sostat
19429 root 20 0 68912 1908 1320 S 0.0 0.1 0:00.00 cron
19430 root 20 0 4400 612 512 S 0.0 0.0 0:00.00 sh
19502 root 20 0 17476 1332 916 R 0.0 0.1 0:00.00 top


=========================================================================
Log Archive
=========================================================================
/nsm/sensor_data/MIS-406250SecOnion-br0/dailylogs/
12K .
8.0K ./2013-10-10

/nsm/bro/logs/
5.3M .
956K ./2013-10-04
1.3M ./2013-10-07
1.1M ./2013-10-08
120K ./2013-10-09
124K ./2013-10-10
1.9M ./stats

=========================================================================
IDS Engine (snort) packet drops
=========================================================================
ERROR: No stats found in /nsm/sensor_data/MIS-406250SecOnion-br0/snort-1.stats

=========================================================================
pf_ring stats
=========================================================================
Appl. Name : <unknown>
Tot Packets : 716
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Appl. Name : snort-cluster-51-socket-0
Tot Packets : 714
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0

=========================================================================
Netsniff-NG - Reported Packet Loss (per interval)
=========================================================================
0 Loss

=========================================================================
Sguil Uncategorized Events
=========================================================================
+----------+
| COUNT(*) |
+----------+
| 18 |
+----------+

=========================================================================
Sguil events summary for yesterday
=========================================================================
+-------+
| Total |
+-------+
| 0 |
+-------+

=========================================================================
Top 50 All time Sguil Events
=========================================================================
+-------+
| Total |
+-------+
| 0 |
+-------+

=========================================================================
Top 50 URLs for yesterday
=========================================================================
+-------+
| Total |
+-------+
| 0 |
+-------+

=========================================================================
Snorby Events Summary for yesterday
=========================================================================
+-------+
| Total |
+-------+
| 0 |
+-------+

=========================================================================
Top 50 All Time Snorby Events
=========================================================================
+-------+
| Total |
+-------+
| 0 |
+-------+

Doug Burks

unread,
Oct 10, 2013, 3:51:31 PM10/10/13
to securit...@googlegroups.com
It looks like eth1 and eth2 aren't seeing much traffic:

eth1 Link encap:Ethernet HWaddr 00:15:5d:22:62:01
inet6 addr: fe80::215:5dff:fe22:6201/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:542 errors:0 dropped:0 overruns:0 frame:0
TX packets:45 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:70129 (70.1 KB) TX bytes:5362 (5.3 KB)

eth2 Link encap:Ethernet HWaddr 00:15:5d:22:62:02
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:442 errors:0 dropped:0 overruns:0 frame:0
TX packets:28 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:61641 (61.6 KB) TX bytes:1332 (1.3 KB)

Are you sure they're seeing all of your Internet traffic?

Please run "sudo tcpdump -nnvvAi br0" and then run "curl
testmyids.com" and include your tcpdump output in your reply.

Victor Leon

unread,
Oct 10, 2013, 3:59:01 PM10/10/13
to securit...@googlegroups.com
administrator@MIS-406250SecOnion:~$ sudo tcpdump -nnvvAi br0
[sudo] password for administrator:
tcpdump: WARNING: br0: no IPv4 address assigned
tcpdump: listening on br0, link-type EN10MB (Ethernet), capture size 65535 bytes
19:56:51.707922 IP6 (hlim 1, next-header UDP (17) payload length: 123) fe80::c590:4744:a90f:d3.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit (xid=4aafb3 (elapsed-time 703) (client-ID hwaddr/time type 1 time 425713152 8851fb60e025) (IA_NA IAID:654320795 T1:0 T2:0) (Client-FQDN) (vendor-class) (option-request DNS-search-list DNS-server vendor-specific-info Client-FQDN))
`....{............GD.....................".#.{.J.J................._...Q.`.%....'.$..........'.%.
mis-406250.staff.lakeschools.local........7..MSFT 5.0...........'
19:56:51.707928 IP6 (hlim 1, next-header UDP (17) payload length: 123) fe80::b8a5:15a3:20b3:cf8a.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit (xid=9e9a32 (elapsed-time 703) (client-ID hwaddr/time type 1 time 425713152 8851fb60e025) (IA_NA IAID:687875227 T1:0 T2:0) (Client-FQDN) (vendor-class) (option-request DNS-search-list DNS-server vendor-specific-info Client-FQDN))
`....{.............. ....................".#.{.....2..............._...Q.`.%....).$..........'.%.
mis-406250.staff.lakeschools.local........7..MSFT 5.0...........'
19:56:59.713030 IP6 (hlim 1, next-header UDP (17) payload length: 123) fe80::c590:4744:a90f:d3.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit (xid=4aafb3 (elapsed-time 1503) (client-ID hwaddr/time type 1 time 425713152 8851fb60e025) (IA_NA IAID:654320795 T1:0 T2:0) (Client-FQDN) (vendor-class) (option-request DNS-search-list DNS-server vendor-specific-info Client-FQDN))
`....{............GD.....................".#.{.*.J................._...Q.`.%....'.$..........'.%.
mis-406250.staff.lakeschools.local........7..MSFT 5.0...........'
19:56:59.713037 IP6 (hlim 1, next-header UDP (17) payload length: 123) fe80::b8a5:15a3:20b3:cf8a.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit (xid=9e9a32 (elapsed-time 1503) (client-ID hwaddr/time type 1 time 425713152 8851fb60e025) (IA_NA IAID:687875227 T1:0 T2:0) (Client-FQDN) (vendor-class) (option-request DNS-search-list DNS-server vendor-specific-info Client-FQDN))
`....{.............. ....................".#.{.....2..............._...Q.`.%....).$..........'.%.
mis-406250.staff.lakeschools.local........7..MSFT 5.0...........'
19:57:15.721427 IP6 (hlim 1, next-header UDP (17) payload length: 123) fe80::c590:4744:a90f:d3.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit (xid=4aafb3 (elapsed-time 3104) (client-ID hwaddr/time type 1 time 425713152 8851fb60e025) (IA_NA IAID:654320795 T1:0 T2:0) (Client-FQDN) (vendor-class) (option-request DNS-search-list DNS-server vendor-specific-info Client-FQDN))
`....{............GD.....................".#.{...J....... ........._...Q.`.%....'.$..........'.%.
mis-406250.staff.lakeschools.local........7..MSFT 5.0...........'
19:57:15.721431 IP6 (hlim 1, next-header UDP (17) payload length: 123) fe80::b8a5:15a3:20b3:cf8a.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit (xid=9e9a32 (elapsed-time 3104) (client-ID hwaddr/time type 1 time 425713152 8851fb60e025) (IA_NA IAID:687875227 T1:0 T2:0) (Client-FQDN) (vendor-class) (option-request DNS-search-list DNS-server vendor-specific-info Client-FQDN))
`....{.............. ....................".#.{.G...2..... ........._...Q.`.%....).$..........'.%.
mis-406250.staff.lakeschools.local........7..MSFT 5.0...........'
19:57:31.949622 IP (tos 0x0, ttl 128, id 13725, offset 0, flags [none], proto UDP (17), length 78)
169.254.207.138.137 > 169.254.255.255.137: [udp sum ok]
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0xA52E
OpCode=0
NmFlags=0x11
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=WPAD NameType=0x00 (Workstation)
QuestionType=0x20
QuestionClass=0x1


E..N5......z.............:.C............ FHFAEBEECACACACACACACACACACACAAA.. ..
19:57:31.949831 IP (tos 0x0, ttl 128, id 19866, offset 0, flags [none], proto UDP (17), length 78)
169.254.0.211.137 > 169.254.255.255.137: [udp sum ok]
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0xA52F
OpCode=0
NmFlags=0x11
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=WPAD NameType=0x00 (Workstation)
QuestionType=0x20
QuestionClass=0x1


E..NM......5.............:.../.......... FHFAEBEECACACACACACACACACACACAAA.. ..
19:57:31.950213 IP6 (hlim 1, next-header UDP (17) payload length: 30) fe80::b8a5:15a3:20b3:cf8a.53100 > ff02::1:3.5355: [udp sum ok] UDP, length 22
`................... ....................l.....&lJ...........wpad.....
19:57:31.950346 IP (tos 0x0, ttl 1, id 10707, offset 0, flags [none], proto UDP (17), length 50)
169.254.207.138.53100 > 224.0.0.252.5355: [udp sum ok] UDP, length 22
E..2).....5c.........l....{.lJ...........wpad.....
19:57:31.950442 IP6 (hlim 1, next-header UDP (17) payload length: 30) fe80::c590:4744:a90f:d3.53100 > ff02::1:3.5355: [udp sum ok] UDP, length 22
`.................GD.....................l....!.lJ...........wpad.....
19:57:31.950554 IP (tos 0x0, ttl 1, id 8948, offset 0, flags [none], proto UDP (17), length 50)
169.254.0.211.53100 > 224.0.0.252.5355: [udp sum ok] UDP, length 22
E..2".....
..........l....JflJ...........wpad.....
19:57:32.698940 IP (tos 0x0, ttl 128, id 19867, offset 0, flags [none], proto UDP (17), length 78)
169.254.0.211.137 > 169.254.255.255.137: [udp sum ok]
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0xA52F
OpCode=0
NmFlags=0x11
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=WPAD NameType=0x00 (Workstation)
QuestionType=0x20
QuestionClass=0x1


E..NM......4.............:.../.......... FHFAEBEECACACACACACACACACACACAAA.. ..
19:57:32.698948 IP (tos 0x0, ttl 128, id 13726, offset 0, flags [none], proto UDP (17), length 78)
169.254.207.138.137 > 169.254.255.255.137: [udp sum ok]
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0xA52E
OpCode=0
NmFlags=0x11
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=WPAD NameType=0x00 (Workstation)
QuestionType=0x20
QuestionClass=0x1


E..N5......y.............:.C............ FHFAEBEECACACACACACACACACACACAAA.. ..
19:57:33.463336 IP (tos 0x0, ttl 128, id 13727, offset 0, flags [none], proto UDP (17), length 78)
169.254.207.138.137 > 169.254.255.255.137: [udp sum ok]
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0xA52E
OpCode=0
NmFlags=0x11
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=WPAD NameType=0x00 (Workstation)
QuestionType=0x20
QuestionClass=0x1


E..N5......x.............:.C............ FHFAEBEECACACACACACACACACACACAAA.. ..
19:57:33.463424 IP (tos 0x0, ttl 128, id 19868, offset 0, flags [none], proto UDP (17), length 78)
169.254.0.211.137 > 169.254.255.255.137: [udp sum ok]
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0xA52F
OpCode=0
NmFlags=0x11
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=WPAD NameType=0x00 (Workstation)
QuestionType=0x20
QuestionClass=0x1


E..NM......3.............:.../.......... FHFAEBEECACACACACACACACACACACAAA.. ..
19:57:41.181042 IP (tos 0x0, ttl 128, id 19869, offset 0, flags [none], proto UDP (17), length 78)
169.254.0.211.137 > 169.254.255.255.137: [udp sum ok]
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0xA531
OpCode=0
NmFlags=0x11
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=CMS-STUSVR NameType=0x20 (Server)
QuestionType=0x20
QuestionClass=0x1


E..NM......2.............:...1.......... EDENFDCNFDFEFFFDFGFCCACACACACACA.. ..
19:57:41.181049 IP6 (hlim 1, next-header UDP (17) payload length: 36) fe80::c590:4744:a90f:d3.65286 > ff02::1:3.5355: [udp sum ok] UDP, length 28
`....$............GD.........................$.'L...........
cms-stusvr.....
19:57:41.181053 IP (tos 0x0, ttl 1, id 8949, offset 0, flags [none], proto UDP (17), length 56)
169.254.0.211.65286 > 224.0.0.252.5355: [udp sum ok] UDP, length 28
E..8".....
..............$..L...........
cms-stusvr.....
19:57:41.181060 IP (tos 0x0, ttl 128, id 13728, offset 0, flags [none], proto UDP (17), length 78)
169.254.207.138.137 > 169.254.255.255.137: [udp sum ok]
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0xA530
OpCode=0
NmFlags=0x11
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=CMS-STUSVR NameType=0x20 (Server)
QuestionType=0x20
QuestionClass=0x1


E..N5......w.............:.0.0.......... EDENFDCNFDFEFFFDFGFCCACACACACACA.. ..
19:57:41.181064 IP6 (hlim 1, next-header UDP (17) payload length: 36) fe80::b8a5:15a3:20b3:cf8a.65286 > ff02::1:3.5355: [udp sum ok] UDP, length 28
`....$.............. ........................$.XL...........
cms-stusvr.....
19:57:41.181067 IP (tos 0x0, ttl 1, id 10708, offset 0, flags [none], proto UDP (17), length 56)
169.254.207.138.65286 > 224.0.0.252.5355: [udp sum ok] UDP, length 28
E..8).....5\.............$E.L...........
cms-stusvr.....
19:57:41.924046 IP (tos 0x0, ttl 128, id 19870, offset 0, flags [none], proto UDP (17), length 78)
169.254.0.211.137 > 169.254.255.255.137: [udp sum ok]
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0xA531
OpCode=0
NmFlags=0x11
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=CMS-STUSVR NameType=0x20 (Server)
QuestionType=0x20
QuestionClass=0x1


E..NM......1.............:...1.......... EDENFDCNFDFEFFFDFGFCCACACACACACA.. ..
19:57:41.924059 IP (tos 0x0, ttl 128, id 13729, offset 0, flags [none], proto UDP (17), length 78)
169.254.207.138.137 > 169.254.255.255.137: [udp sum ok]
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0xA530
OpCode=0
NmFlags=0x11
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=CMS-STUSVR NameType=0x20 (Server)
QuestionType=0x20
QuestionClass=0x1


E..N5......v.............:.0.0.......... EDENFDCNFDFEFFFDFGFCCACACACACACA.. ..
19:57:42.677829 IP (tos 0x0, ttl 128, id 19871, offset 0, flags [none], proto UDP (17), length 78)
169.254.0.211.137 > 169.254.255.255.137: [udp sum ok]
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0xA531
OpCode=0
NmFlags=0x11
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=CMS-STUSVR NameType=0x20 (Server)
QuestionType=0x20
QuestionClass=0x1


E..NM......0.............:...1.......... EDENFDCNFDFEFFFDFGFCCACACACACACA.. ..
19:57:42.677969 IP (tos 0x0, ttl 128, id 13730, offset 0, flags [none], proto UDP (17), length 78)
169.254.207.138.137 > 169.254.255.255.137: [udp sum ok]
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0xA530
OpCode=0
NmFlags=0x11
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=CMS-STUSVR NameType=0x20 (Server)
QuestionType=0x20
QuestionClass=0x1


E..N5......u.............:.0.0.......... EDENFDCNFDFEFFFDFGFCCACACACACACA.. ..
19:57:47.733280 IP6 (hlim 1, next-header UDP (17) payload length: 123) fe80::c590:4744:a90f:d3.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit (xid=4aafb3 (elapsed-time 6305) (client-ID hwaddr/time type 1 time 425713152 8851fb60e025) (IA_NA IAID:654320795 T1:0 T2:0) (Client-FQDN) (vendor-class) (option-request DNS-search-list DNS-server vendor-specific-info Client-FQDN))
`....{............GD.....................".#.{.h.J................._...Q.`.%....'.$..........'.%.
mis-406250.staff.lakeschools.local........7..MSFT 5.0...........'
19:57:47.733284 IP6 (hlim 1, next-header UDP (17) payload length: 123) fe80::b8a5:15a3:20b3:cf8a.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit (xid=9e9a32 (elapsed-time 6305) (client-ID hwaddr/time type 1 time 425713152 8851fb60e025) (IA_NA IAID:687875227 T1:0 T2:0) (Client-FQDN) (vendor-class) (option-request DNS-search-list DNS-server vendor-specific-info Client-FQDN))
`....{.............. ....................".#.{.....2..............._...Q.`.%....).$..........'.%.
mis-406250.staff.lakeschools.local........7..MSFT 5.0...........'
^C
28 packets captured
28 packets received by filter
0 packets dropped by kernel

Doug Burks

unread,
Oct 10, 2013, 4:09:15 PM10/10/13
to securit...@googlegroups.com
I don't see any traffic to testmyids.com in the tcpdump output. It
looks like all the traffic is broadcast traffic. Are you sure your
tap is connected at a chokepoint in your network where it would see
the traffic going to/from testmyids.com?
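
One way to apply the test Doug describes above (is anything other than broadcast/multicast chatter reaching br0?) is to tally the destination type of every flow in a `tcpdump -nn` capture. This is an added example, not code from the thread or from Security Onion; it parses the header-line shape shown in the posted captures, the first sample reuses addresses from that capture with the `-A` payload lines omitted, and the TCP SYN in the second sample is constructed from RFC 5737 documentation addresses.

```python
"""Tally destination types in a tcpdump -nn capture to tell pure LAN chatter
(broadcast/multicast/link-local) from routed unicast flows that a sensor
placed at a real chokepoint should be seeing."""
import ipaddress
import re
from collections import Counter

# Flow lines look like "<src>.<port> > <dst>.<port>: ..." for both IPv4 and IPv6;
# with -vv the IPv4 flow line follows the "IP (tos ...)" header on its own line.
FLOW_RE = re.compile(r"(\S+) > (\S+):")

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")
# Directed broadcast of the 169.254.0.0/16 APIPA range seen in the thread's capture.
APIPA_BROADCAST = ipaddress.IPv4Address("169.254.255.255")

# Constructed sample in the shape of the capture posted above (addresses taken
# from that capture; payload dump lines omitted).
SAMPLE_BROADCAST_ONLY = """\
19:56:51.707922 IP6 (hlim 1, next-header UDP (17) payload length: 123) fe80::c590:4744:a90f:d3.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit
19:57:31.949622 IP (tos 0x0, ttl 128, id 13725, offset 0, flags [none], proto UDP (17), length 78)
    169.254.207.138.137 > 169.254.255.255.137: [udp sum ok]
19:57:31.950346 IP (tos 0x0, ttl 1, id 10707, offset 0, flags [none], proto UDP (17), length 50)
    169.254.207.138.53100 > 224.0.0.252.5355: [udp sum ok] UDP, length 22
20:17:30.524764 IP (tos 0x0, ttl 128, id 13260, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request
"""

# Same capture plus one constructed TCP SYN (RFC 5737 documentation addresses)
# standing in for the kind of flow "curl testmyids.com" would generate.
SAMPLE_WITH_UNICAST = SAMPLE_BROADCAST_ONLY + """\
20:20:01.000000 IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 60)
    192.0.2.10.51234 > 198.51.100.7.80: Flags [S], seq 1, win 29200, length 0
"""


def parse_endpoint(token):
    """Return the IP address inside a tcpdump endpoint token such as
    '169.254.255.255.137' or 'fe80::1:2.547'; the port suffix is optional
    (ICMP lines have none), so try the bare token first."""
    for candidate in (token, token.rsplit(".", 1)[0]):
        try:
            return ipaddress.ip_address(candidate)
        except ValueError:
            continue
    return None


def classify_destination(addr):
    """Bucket a destination address by how far it can have travelled."""
    if addr.is_multicast:                      # 224.0.0.0/4, ff00::/8
        return "multicast"
    if addr.version == 4 and addr in (LIMITED_BROADCAST, APIPA_BROADCAST):
        return "broadcast"
    if addr.is_link_local:                     # 169.254.0.0/16, fe80::/10
        return "link-local"
    return "unicast"


def classify_endpoint(token):
    addr = parse_endpoint(token)
    return classify_destination(addr) if addr is not None else "unparsed"


def summarize(capture_text):
    """Count flows per destination bucket over the whole capture text."""
    counts = Counter()
    for match in FLOW_RE.finditer(capture_text):
        counts[classify_endpoint(match.group(2))] += 1
    return dict(counts)


def tap_sees_unicast(capture_text):
    """True when at least one routed unicast flow crossed the capture point.
    A capture made of nothing but broadcast/multicast/link-local traffic is
    the symptom of a tap that is not in the path of the hosts being monitored."""
    return summarize(capture_text).get("unicast", 0) > 0


if __name__ == "__main__":
    for name, text in (("broadcast-only", SAMPLE_BROADCAST_ONLY),
                       ("with unicast", SAMPLE_WITH_UNICAST)):
        verdict = ("tap sees routed traffic" if tap_sees_unicast(text)
                   else "only LAN chatter; check tap placement")
        print(f"{name}: {summarize(text)} -> {verdict}")
```

In practice, save the output of the `sudo tcpdump -nnvvAi br0` run from the thread to a file and pass its contents to `summarize()`.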

Victor Leon

unread,
Oct 10, 2013, 4:20:56 PM10/10/13
to securit...@googlegroups.com
Hmm, I made a mistake. The tap is connected to my computer, and I tested testmyids.com on the wrong machine. Here is the output after the test:

administrator@MIS-406250SecOnion:~$ sudo tcpdump -nnvvAi br0
[sudo] password for administrator:
tcpdump: WARNING: br0: no IPv4 address assigned
tcpdump: listening on br0, link-type EN10MB (Ethernet), capture size 65535 bytes
20:17:22.724016 IP (tos 0x0, ttl 128, id 20062, offset 0, flags [none], proto UDP (17), length 239)
169.254.0.211.138 > 169.254.255.255.138: [udp sum ok]
>>> NBT UDP PACKET(138) Res=0x110E ID=0xA5DC IP=169 (0xa9).254 (0xfe).0 (0x0).211 (0xd3) Port=138 (0x8a) Length=197 (0xc5) Res2=0x0
SourceName=MIS-406250 NameType=0x00 (Workstation)
DestName= __MSBROWSE__ NameType=0x01 (Unknown)

SMB PACKET: SMBtrans (REQUEST)
SMB Command = 0x25
Error class = 0x0
Error code = 0 (0x0)
Flags1 = 0x0
Flags2 = 0x0
Tree ID = 0 (0x0)
Proc ID = 0 (0x0)
UID = 0 (0x0)
MID = 0 (0x0)
Word Count = 17 (0x11)
TotParamCnt=0 (0x0)
TotDataCnt=43 (0x2b)
MaxParmCnt=0 (0x0)
MaxDataCnt=0 (0x0)
MaxSCnt=0 (0x0)
TransFlags=0x0
Res1=0x3E8
Res2=0x0
Res3=0x0
ParamCnt=0 (0x0)
ParamOff=0 (0x0)
DataCnt=43 (0x2b)
DataOff=86 (0x56)
SUCnt=3 (0x3)
Data: (6 bytes)
[000] 01 00 01 00 02 00 \0x01\0x00\0x01\0x00\0x02\0x00
smb_bcc=60
Name=\MAILSLOT\BROWSE
BROWSE PACKET
BROWSE PACKET:
Type=0xC (WorkgroupAnnouncement)
UpdateCount=0xA000
Res1=0xBB
AnnounceInterval=13 (0xd)
Name=STAFF NameType=0x00 (Workstation)
MajorVersion=0x3
MinorVersion=0xA
ServerType=0x80001000
CommentPointer=0x6F
ServerName=MIS-406250



E...N^.................................... ENEJFDCNDEDADGDCDFDACACACACACAAA. ABACFPFPENFDECFCEPFHFDEFFPFPACAB..SMB%..............................+...............STAFF.......s0o...\MAILSLOT\BROWSE.....
....o...MIS-406250.
20:17:30.524764 IP (tos 0x0, ttl 128, id 13260, offset 0, flags [none], proto UDP (17), length 328)
0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from 00:24:9b:07:c2:52, length 300, xid 0x4ca555b5, secs 7424, Flags [Broadcast] (0x8000)
Client-Ethernet-Address 00:24:9b:07:c2:52
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Discover
Client-ID Option 61, length 7: ether 00:24:9b:07:c2:52
Hostname Option 12, length 10: "mis-406250"
Vendor-Class Option 60, length 8: "MSFT 5.0"
Parameter-Request Option 55, length 13:
Subnet-Mask, Domain-Name, Default-Gateway, Domain-Name-Server
Netbios-Name-Server, Netbios-Node, Netbios-Scope, Router-Discovery
Static-Route, Classless-Static-Route, Classless-Static-Route-Microsoft, Option 252
Vendor-Option
E..H3................D.C.4.T....L.U......................$...R..........................................................................................................................................................................................................c.Sc5..=...$...R.
....,./.!y..+...........
20:17:41.653478 IP (tos 0x0, ttl 255, id 11701, offset 0, flags [none], proto UDP (17), length 280)
169.254.207.138.5353 > 224.0.0.251.5353: [udp sum ok] 0*- [0q] 4/0/3 138.207.254.169.in-addr.arpa. (Cache flush) PTR mis-406250.local., A.8.F.C.3.B.0.2.3.A.5.1.5.A.8.B.0.0.0.0.0.0.0.0.0.0.0.0.0.8.E.F.ip6.arpa. (Cache flush) PTR mis-406250.local., mis-406250.local. (Cache flush) A 169.254.207.138, mis-406250.local. (Cache flush) AAAA fe80::b8a5:15a3:20b3:cf8a ar: 138.207.254.169.in-addr.arpa. (Cache flush) NSEC, A.8.F.C.3.B.0.2.3.A.5.1.5.A.8.B.0.0.0.0.0.0.0.0.0.0.0.0.0.8.E.F.ip6.arpa. (Cache flush) NSEC, mis-406250.local. (Cache flush) NSEC (252)
E...-.....2..............................138.207.254.169.in-addr.arpa........x..
mis-406250.local..A.8.F.C.3.B.0.2.3.A.5.1.5.A.8.B.0.0.0.0.0.0.0.0.0.0.0.0.0.8.E.F.ip6.$.......x...4.4.......x.......4.......x.............. ....../.....x.........F./.....x...F.....4./.....x...4..@...
20:17:41.653904 IP (tos 0x0, ttl 255, id 8419, offset 0, flags [none], proto UDP (17), length 278)
169.254.0.211.5353 > 224.0.0.251.5353: [udp sum ok] 0*- [0q] 4/0/3 211.0.254.169.in-addr.arpa. (Cache flush) PTR mis-406250.local., 3.D.0.0.F.0.9.A.4.4.7.4.0.9.5.C.0.0.0.0.0.0.0.0.0.0.0.0.0.8.E.F.ip6.arpa. (Cache flush) PTR mis-406250.local., mis-406250.local. (Cache flush) A 169.254.0.211, mis-406250.local. (Cache flush) AAAA fe80::c590:4744:a90f:d3 ar: 211.0.254.169.in-addr.arpa. (Cache flush) NSEC, 3.D.0.0.F.0.9.A.4.4.7.4.0.9.5.C.0.0.0.0.0.0.0.0.0.0.0.0.0.8.E.F.ip6.arpa. (Cache flush) NSEC, mis-406250.local. (Cache flush) NSEC (250)
E... ......'..............Y..............211.0.254.169.in-addr.arpa........x..
mis-406250.local..3.D.0.0.F.0.9.A.4.4.7.4.0.9.5.C.0.0.0.0.0.0.0.0.0.0.0.0.0.8.E.F.ip6.".......x...2.2.......x.......2.......x............GD......./.....x.........D./.....x...D.....2./.....x...2..@...
20:17:41.831319 IP (tos 0x0, ttl 128, id 13911, offset 0, flags [none], proto UDP (17), length 78)
169.254.207.138.137 > 169.254.255.255.137: [udp sum ok]
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0xA5DD
OpCode=0
NmFlags=0x11
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=LHS-STUSVR NameType=0x20 (Server)
QuestionType=0x20
QuestionClass=0x1


E..N6W...................:.............. EMEIFDCNFDFEFFFDFGFCCACACACACACA.. ..
20:17:41.831698 IP (tos 0x0, ttl 128, id 20063, offset 0, flags [none], proto UDP (17), length 78)
169.254.0.211.137 > 169.254.255.255.137: [udp sum ok]
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0xA5DE
OpCode=0
NmFlags=0x11
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=LHS-STUSVR NameType=0x20 (Server)
QuestionType=0x20
QuestionClass=0x1


E..NN_.....p.............:.:............ EMEIFDCNFDFEFFFDFGFCCACACACACACA.. ..
20:17:41.832160 IP6 (hlim 1, next-header UDP (17) payload length: 36) fe80::b8a5:15a3:20b3:cf8a.55866 > ff02::1:3.5355: [udp sum ok] UDP, length 28
`....$.............. ....................:...$.6............
lhs-stusvr.....
20:17:41.832537 IP (tos 0x0, ttl 1, id 10815, offset 0, flags [none], proto UDP (17), length 56)
169.254.207.138.55866 > 224.0.0.252.5355: [udp sum ok] UDP, length 28
E..8*?....4..........:...$..............
lhs-stusvr.....
20:17:41.832815 IP6 (hlim 1, next-header UDP (17) payload length: 36) fe80::c590:4744:a90f:d3.55866 > ff02::1:3.5355: [udp sum ok] UDP, length 28
`....$............GD.....................:...$..............
lhs-stusvr.....
20:17:41.832948 IP (tos 0x0, ttl 1, id 9075, offset 0, flags [none], proto UDP (17), length 56)
169.254.0.211.55866 > 224.0.0.252.5355: [udp sum ok] UDP, length 28
E..8#s....
u.........:...$.v............
lhs-stusvr.....
20:17:41.837714 IP (tos 0x0, ttl 128, id 20064, offset 0, flags [none], proto UDP (17), length 78)
169.254.0.211.137 > 169.254.255.255.137: [udp sum ok]
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0xA5E0
OpCode=0
NmFlags=0x11
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=UEL-STUSVR NameType=0x20 (Server)
QuestionType=0x20
QuestionClass=0x1


E..NN`.....o.............:.8............ FFEFEMCNFDFEFFFDFGFCCACACACACACA.. ..
20:17:41.837719 IP6 (hlim 1, next-header UDP (17) payload length: 36) fe80::c590:4744:a90f:d3.60230 > ff02::1:3.5355: [udp sum ok] UDP, length 28
`....$............GD.....................F...$*RI...........
UEL-Stusvr.....
20:17:41.837722 IP (tos 0x0, ttl 1, id 9076, offset 0, flags [none], proto UDP (17), length 56)
169.254.0.211.60230 > 224.0.0.252.5355: [udp sum ok] UDP, length 28
E..8#t....
t.........F...$R.I...........
UEL-Stusvr.....
20:17:41.837727 IP (tos 0x0, ttl 128, id 13912, offset 0, flags [none], proto UDP (17), length 78)
169.254.207.138.137 > 169.254.255.255.137: [udp sum ok]
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0xA5DF
OpCode=0
NmFlags=0x11
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=UEL-STUSVR NameType=0x20 (Server)
QuestionType=0x20
QuestionClass=0x1


E..N6X...................:.............. FFEFEMCNFDFEFFFDFGFCCACACACACACA.. ..
20:17:41.837730 IP6 (hlim 1, next-header UDP (17) payload length: 36) fe80::b8a5:15a3:20b3:cf8a.60230 > ff02::1:3.5355: [udp sum ok] UDP, length 28
`....$.............. ....................F...$".I...........
UEL-Stusvr.....
20:17:41.837732 IP (tos 0x0, ttl 1, id 10816, offset 0, flags [none], proto UDP (17), length 56)
169.254.207.138.60230 > 224.0.0.252.5355: [udp sum ok] UDP, length 28
E..8*@....4..........F...$..I...........
UEL-Stusvr.....
20:17:42.589341 IP (tos 0x0, ttl 128, id 20065, offset 0, flags [none], proto UDP (17), length 78)
169.254.0.211.137 > 169.254.255.255.137: [udp sum ok]
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0xA5E0
OpCode=0
NmFlags=0x11
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=UEL-STUSVR NameType=0x20 (Server)
QuestionType=0x20
QuestionClass=0x1


E..NNa.....n.............:.8............ FFEFEMCNFDFEFFFDFGFCCACACACACACA.. ..
20:17:42.589348 IP (tos 0x0, ttl 128, id 13913, offset 0, flags [none], proto UDP (17), length 78)
169.254.207.138.137 > 169.254.255.255.137: [udp sum ok]
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0xA5DF
OpCode=0
NmFlags=0x11
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=UEL-STUSVR NameType=0x20 (Server)
QuestionType=0x20
QuestionClass=0x1


E..N6Y...................:.............. FFEFEMCNFDFEFFFDFGFCCACACACACACA.. ..
20:17:42.589474 IP (tos 0x0, ttl 128, id 20066, offset 0, flags [none], proto UDP (17), length 78)
169.254.0.211.137 > 169.254.255.255.137: [udp sum ok]
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0xA5DE
OpCode=0
NmFlags=0x11
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=LHS-STUSVR NameType=0x20 (Server)
QuestionType=0x20
QuestionClass=0x1


E..NNb.....m.............:.:............ EMEIFDCNFDFEFFFDFGFCCACACACACACA.. ..
20:17:42.589535 IP (tos 0x0, ttl 128, id 13914, offset 0, flags [none], proto UDP (17), length 78)
169.254.207.138.137 > 169.254.255.255.137: [udp sum ok]
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0xA5DD
OpCode=0
NmFlags=0x11
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=LHS-STUSVR NameType=0x20 (Server)
QuestionType=0x20
QuestionClass=0x1


E..N6Z...................:.............. EMEIFDCNFDFEFFFDFGFCCACACACACACA.. ..
20:17:43.353657 IP (tos 0x0, ttl 128, id 20067, offset 0, flags [none], proto UDP (17), length 78)
169.254.0.211.137 > 169.254.255.255.137: [udp sum ok]
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0xA5E0
OpCode=0
NmFlags=0x11
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=UEL-STUSVR NameType=0x20 (Server)
QuestionType=0x20
QuestionClass=0x1


E..NNc.....l.............:.8............ FFEFEMCNFDFEFFFDFGFCCACACACACACA.. ..
20:17:43.353665 IP (tos 0x0, ttl 128, id 13915, offset 0, flags [none], proto UDP (17), length 78)
169.254.207.138.137 > 169.254.255.255.137: [udp sum ok]
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0xA5DF
OpCode=0
NmFlags=0x11
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=UEL-STUSVR NameType=0x20 (Server)
QuestionType=0x20
QuestionClass=0x1


E..N6[...................:.............. FFEFEMCNFDFEFFFDFGFCCACACACACACA.. ..
20:17:43.353856 IP (tos 0x0, ttl 128, id 20068, offset 0, flags [none], proto UDP (17), length 78)
169.254.0.211.137 > 169.254.255.255.137: [udp sum ok]
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0xA5DE
OpCode=0
NmFlags=0x11
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=LHS-STUSVR NameType=0x20 (Server)
QuestionType=0x20
QuestionClass=0x1


E..NNd.....k.............:.:............ EMEIFDCNFDFEFFFDFGFCCACACACACACA.. ..
20:17:43.353960 IP (tos 0x0, ttl 128, id 13916, offset 0, flags [none], proto UDP (17), length 78)
169.254.207.138.137 > 169.254.255.255.137: [udp sum ok]
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0xA5DD
OpCode=0
NmFlags=0x11
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=LHS-STUSVR NameType=0x20 (Server)
QuestionType=0x20
QuestionClass=0x1


E..N6\...................:.............. EMEIFDCNFDFEFFFDFGFCCACACACACACA.. ..
20:18:07.968633 IP6 (hlim 1, next-header UDP (17) payload length: 123) fe80::c590:4744:a90f:d3.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit (xid=f1abf6 (elapsed-time 0) (client-ID hwaddr/time type 1 time 425713152 8851fb60e025) (IA_NA IAID:654320795 T1:0 T2:0) (Client-FQDN) (vendor-class) (option-request DNS-search-list DNS-server vendor-specific-info Client-FQDN))
`....{............GD.....................".#.{....................._...Q.`.%....'.$..........'.%.
mis-406250.staff.lakeschools.local........7..MSFT 5.0...........'
20:18:07.968637 IP6 (hlim 1, next-header UDP (17) payload length: 123) fe80::b8a5:15a3:20b3:cf8a.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit (xid=7e4358 (elapsed-time 0) (client-ID hwaddr/time type 1 time 425713152 8851fb60e025) (IA_NA IAID:687875227 T1:0 T2:0) (Client-FQDN) (vendor-class) (option-request DNS-search-list DNS-server vendor-specific-info Client-FQDN))
`....{.............. ....................".#.{)b.~CX..............._...Q.`.%....).$..........'.%.
mis-406250.staff.lakeschools.local........7..MSFT 5.0...........'
20:18:08.973746 IP6 (hlim 1, next-header UDP (17) payload length: 123) fe80::c590:4744:a90f:d3.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit (xid=f1abf6 (elapsed-time 101) (client-ID hwaddr/time type 1 time 425713152 8851fb60e025) (IA_NA IAID:654320795 T1:0 T2:0) (Client-FQDN) (vendor-class) (option-request DNS-search-list DNS-server vendor-specific-info Client-FQDN))
`....{............GD.....................".#.{...........e........._...Q.`.%....'.$..........'.%.
mis-406250.staff.lakeschools.local........7..MSFT 5.0...........'
20:18:08.973750 IP6 (hlim 1, next-header UDP (17) payload length: 123) fe80::b8a5:15a3:20b3:cf8a.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit (xid=7e4358 (elapsed-time 101) (client-ID hwaddr/time type 1 time 425713152 8851fb60e025) (IA_NA IAID:687875227 T1:0 T2:0) (Client-FQDN) (vendor-class) (option-request DNS-search-list DNS-server vendor-specific-info Client-FQDN))
`....{.............. ....................".#.{(..~CX.....e........._...Q.`.%....).$..........'.%.
mis-406250.staff.lakeschools.local........7..MSFT 5.0...........'
20:18:10.975799 IP6 (hlim 1, next-header UDP (17) payload length: 123) fe80::c590:4744:a90f:d3.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit (xid=f1abf6 (elapsed-time 301) (client-ID hwaddr/time type 1 time 425713152 8851fb60e025) (IA_NA IAID:654320795 T1:0 T2:0) (Client-FQDN) (vendor-class) (option-request DNS-search-list DNS-server vendor-specific-info Client-FQDN))
`....{............GD.....................".#.{...........-........._...Q.`.%....'.$..........'.%.
mis-406250.staff.lakeschools.local........7..MSFT 5.0...........'
20:18:10.975804 IP6 (hlim 1, next-header UDP (17) payload length: 123) fe80::b8a5:15a3:20b3:cf8a.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit (xid=7e4358 (elapsed-time 301) (client-ID hwaddr/time type 1 time 425713152 8851fb60e025) (IA_NA IAID:687875227 T1:0 T2:0) (Client-FQDN) (vendor-class) (option-request DNS-search-list DNS-server vendor-specific-info Client-FQDN))
`....{.............. ....................".#.{(5.~CX.....-........._...Q.`.%....).$..........'.%.
mis-406250.staff.lakeschools.local........7..MSFT 5.0...........'
20:18:14.985820 IP6 (hlim 1, next-header UDP (17) payload length: 123) fe80::c590:4744:a90f:d3.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit (xid=f1abf6 (elapsed-time 702) (client-ID hwaddr/time type 1 time 425713152 8851fb60e025) (IA_NA IAID:654320795 T1:0 T2:0) (Client-FQDN) (vendor-class) (option-request DNS-search-list DNS-server vendor-specific-info Client-FQDN))
`....{............GD.....................".#.{.a..................._...Q.`.%....'.$..........'.%.
mis-406250.staff.lakeschools.local........7..MSFT 5.0...........'
20:18:14.985824 IP6 (hlim 1, next-header UDP (17) payload length: 123) fe80::b8a5:15a3:20b3:cf8a.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit (xid=7e4358 (elapsed-time 702) (client-ID hwaddr/time type 1 time 425713152 8851fb60e025) (IA_NA IAID:687875227 T1:0 T2:0) (Client-FQDN) (vendor-class) (option-request DNS-search-list DNS-server vendor-specific-info Client-FQDN))
`....{.............. ....................".#.{&..~CX..............._...Q.`.%....).$..........'.%.
mis-406250.staff.lakeschools.local........7..MSFT 5.0...........'
20:18:22.989806 IP6 (hlim 1, next-header UDP (17) payload length: 123) fe80::c590:4744:a90f:d3.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit (xid=f1abf6 (elapsed-time 1502) (client-ID hwaddr/time type 1 time 425713152 8851fb60e025) (IA_NA IAID:654320795 T1:0 T2:0) (Client-FQDN) (vendor-class) (option-request DNS-search-list DNS-server vendor-specific-info Client-FQDN))
`....{............GD.....................".#.{.A..................._...Q.`.%....'.$..........'.%.
mis-406250.staff.lakeschools.local........7..MSFT 5.0...........'
20:18:22.989811 IP6 (hlim 1, next-header UDP (17) payload length: 123) fe80::b8a5:15a3:20b3:cf8a.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit (xid=7e4358 (elapsed-time 1502) (client-ID hwaddr/time type 1 time 425713152 8851fb60e025) (IA_NA IAID:687875227 T1:0 T2:0) (Client-FQDN) (vendor-class) (option-request DNS-search-list DNS-server vendor-specific-info Client-FQDN))
`....{.............. ....................".#.{#..~CX..............._...Q.`.%....).$..........'.%.
mis-406250.staff.lakeschools.local........7..MSFT 5.0...........'
20:18:38.788766 IP (tos 0x0, ttl 255, id 11704, offset 0, flags [none], proto UDP (17), length 129)
169.254.207.138.5353 > 224.0.0.251.5353: [udp sum ok] 0 [3q] PTR (QM)? _apple-mobdev._tcp.local. PTR (QM)? 46cd0544._sub._apple-mobdev2._tcp.local. PTR (QM)? _sleep-proxy._udp.local. (101)
_apple-mobdev._tcp.local......46cd0544._sub._apple-mobdev2......._sleep-proxy._udp......
20:18:38.789044 IP (tos 0x0, ttl 255, id 8422, offset 0, flags [none], proto UDP (17), length 129)
169.254.0.211.5353 > 224.0.0.251.5353: [udp sum ok] 0 [3q] PTR (QM)? _apple-mobdev._tcp.local. PTR (QM)? 46cd0544._sub._apple-mobdev2._tcp.local. PTR (QM)? _sleep-proxy._udp.local. (101)
_apple-mobdev._tcp.local......46cd0544._sub._apple-mobdev2......._sleep-proxy._udp......
20:18:38.991518 IP6 (hlim 1, next-header UDP (17) payload length: 123) fe80::c590:4744:a90f:d3.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit (xid=f1abf6 (elapsed-time 3102) (client-ID hwaddr/time type 1 time 425713152 8851fb60e025) (IA_NA IAID:654320795 T1:0 T2:0) (Client-FQDN) (vendor-class) (option-request DNS-search-list DNS-server vendor-specific-info Client-FQDN))
`....{............GD.....................".#.{....................._...Q.`.%....'.$..........'.%.
mis-406250.staff.lakeschools.local........7..MSFT 5.0...........'
20:18:38.991526 IP6 (hlim 1, next-header UDP (17) payload length: 123) fe80::b8a5:15a3:20b3:cf8a.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit (xid=7e4358 (elapsed-time 3102) (client-ID hwaddr/time type 1 time 425713152 8851fb60e025) (IA_NA IAID:687875227 T1:0 T2:0) (Client-FQDN) (vendor-class) (option-request DNS-search-list DNS-server vendor-specific-info Client-FQDN))
`....{.............. ....................".#.{.D.~CX..............._...Q.`.%....).$..........'.%.
mis-406250.staff.lakeschools.local........7..MSFT 5.0...........'
20:18:45.653166 IP (tos 0x0, ttl 255, id 11705, offset 0, flags [none], proto UDP (17), length 280)
169.254.207.138.5353 > 224.0.0.251.5353: [udp sum ok] 0*- [0q] 4/0/3 138.207.254.169.in-addr.arpa. (Cache flush) PTR mis-406250.local., A.8.F.C.3.B.0.2.3.A.5.1.5.A.8.B.0.0.0.0.0.0.0.0.0.0.0.0.0.8.E.F.ip6.arpa. (Cache flush) PTR mis-406250.local., mis-406250.local. (Cache flush) A 169.254.207.138, mis-406250.local. (Cache flush) AAAA fe80::b8a5:15a3:20b3:cf8a ar: 138.207.254.169.in-addr.arpa. (Cache flush) NSEC, A.8.F.C.3.B.0.2.3.A.5.1.5.A.8.B.0.0.0.0.0.0.0.0.0.0.0.0.0.8.E.F.ip6.arpa. (Cache flush) NSEC, mis-406250.local. (Cache flush) NSEC (252)
E...-.....2..............................138.207.254.169.in-addr.arpa........x..
mis-406250.local..A.8.F.C.3.B.0.2.3.A.5.1.5.A.8.B.0.0.0.0.0.0.0.0.0.0.0.0.0.8.E.F.ip6.$.......x...4.4.......x.......4.......x.............. ....../.....x.........F./.....x...F.....4./.....x...4..@...
20:18:45.653423 IP (tos 0x0, ttl 255, id 8423, offset 0, flags [none], proto UDP (17), length 278)
169.254.0.211.5353 > 224.0.0.251.5353: [udp sum ok] 0*- [0q] 4/0/3 211.0.254.169.in-addr.arpa. (Cache flush) PTR mis-406250.local., 3.D.0.0.F.0.9.A.4.4.7.4.0.9.5.C.0.0.0.0.0.0.0.0.0.0.0.0.0.8.E.F.ip6.arpa. (Cache flush) PTR mis-406250.local., mis-406250.local. (Cache flush) A 169.254.0.211, mis-406250.local. (Cache flush) AAAA fe80::c590:4744:a90f:d3 ar: 211.0.254.169.in-addr.arpa. (Cache flush) NSEC, 3.D.0.0.F.0.9.A.4.4.7.4.0.9.5.C.0.0.0.0.0.0.0.0.0.0.0.0.0.8.E.F.ip6.arpa. (Cache flush) NSEC, mis-406250.local. (Cache flush) NSEC (250)
E... ......#..............Y..............211.0.254.169.in-addr.arpa........x..
mis-406250.local..3.D.0.0.F.0.9.A.4.4.7.4.0.9.5.C.0.0.0.0.0.0.0.0.0.0.0.0.0.8.E.F.ip6.".......x...2.2.......x.......2.......x............GD......./.....x.........D./.....x...D.....2./.....x...2..@...
^C
40 packets captured
40 packets received by filter

Doug Burks

unread,
Oct 10, 2013, 4:28:21 PM10/10/13
to securit...@googlegroups.com
I still don't see testmyids.com traffic in the tcpdump output. It
still looks like broadcast traffic. You'll need to make adjustments
until you see testmyids.com traffic in the tcpdump output.

Victor Leon

unread,
Oct 10, 2013, 4:37:51 PM10/10/13
to securit...@googlegroups.com
It sounds like it's an issue with how the interfaces are set up under the interfaces configuration. The bridge seems to be working somewhat, because I'm getting output on br0. Any suggestions on how to set up eth1 and eth2? The Security Onion setup tool deletes the configuration on eth1 and eth2 when I set br0 as the sensor, so I had to manually add both eth1 and eth2 with auto.

Doug Burks

unread,
Oct 11, 2013, 7:31:56 AM10/11/13
to securit...@googlegroups.com
Please try the following:

- run "sudo sosetup" and choose to configure /etc/network/interfaces
- specify eth0 as your management interface
- specify eth1 as your monitoring interface
- reboot
- /etc/network/interfaces should now be configured as shown here:
https://code.google.com/p/security-onion/wiki/NetworkConfiguration
- re-run the tcpdump test on eth1
- since eth1 would only see one side of the TCP stream, you should
either see the HTTP GET request to testmyids.com *or* the HTTP 200
response from testmyids.com

If you don't see that traffic on eth1, then there's a problem with
your tap or where it's connected to the network.

I'll recommend again that you consider purchasing a $40 tap to save
time (and money, since time is money).

On Thu, Oct 10, 2013 at 4:37 PM, Victor Leon <victora...@gmail.com> wrote:
> It sounds like it's an issue with how the interfaces are set up under the interfaces configuration. The bridge seems to be working somewhat, because I'm getting output on br0. Any suggestions on how to set up eth1 and eth2? The Security Onion setup tool deletes the configuration on eth1 and eth2 when I set br0 as the sensor, so I had to manually add both eth1 and eth2 with auto.
>
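The tcpdump check in the steps above is easy to misread when the interface is also picking up DHCPv6 solicits and mDNS chatter, as the captures earlier in the thread show. The script below is an added example (not from the thread, and not part of Security Onion): it sifts tcpdump text for the testmyids.com exchange, separating link-local/multicast noise from unicast packets that actually crossed the tap, and reports whether it saw the HTTP GET, the HTTP 200, both, or neither. The sample captures embedded in it are constructed; the 192.0.2.x/198.51.100.x addresses are documentation addresses standing in for a real client and the testmyids.com server, and the payload lines follow tcpdump's `-v` style decode.

```shell
#!/bin/sh
# Added example: classify tcpdump output for the testmyids.com tap check.
# Works on text, so it can be fed a saved capture or a live pipe from
# "sudo tcpdump -nnvvv -l -c 50 -i eth1 host testmyids.com".

# classify_capture: reads tcpdump text on stdin and prints four counts:
#   noise unicast requests responses
# noise   = mDNS to 224.0.0.251, IPv6 multicast (ff02::) and DHCPv6 packets
# unicast = everything else, i.e. traffic that had to come through the tap
# requests/responses = HTTP GET / HTTP 200 lines belonging to unicast packets
classify_capture() {
    awk '
        # Packet header lines start with a tcpdump timestamp; payload decode
        # lines (with -v or -A) are indented and belong to the last header.
        /^[0-9]+:[0-9]+:[0-9]+\.[0-9]+ / {
            if ($0 ~ /224\.0\.0\.251\.5353|ff02::|dhcp6/) { cls = "noise"; noise++ }
            else { cls = "unicast"; unicast++ }
        }
        cls == "unicast" && /GET \/[^ ]* HTTP\/1\.[01]/ { requests++ }
        cls == "unicast" && /HTTP\/1\.[01] 200/         { responses++ }
        END { printf "%d %d %d %d\n", noise+0, unicast+0, requests+0, responses+0 }
    '
}

# tap_verdict: reads tcpdump text on stdin, prints a verdict and returns
# 0 when at least one side of the testmyids.com exchange was seen, else 1.
# One side only is the expected result on a single tap leg (eth1 or eth2);
# both sides means the interface sees the full stream.
tap_verdict() {
    set -- $(classify_capture)
    noise=$1 unicast=$2 req=$3 resp=$4
    if [ "$req" -gt 0 ] && [ "$resp" -gt 0 ]; then
        echo "both directions seen (request=$req response=$resp): full stream on this interface"
        return 0
    elif [ "$req" -gt 0 ] || [ "$resp" -gt 0 ]; then
        echo "one direction seen (request=$req response=$resp): consistent with a single tap leg"
        return 0
    else
        echo "no testmyids.com traffic: $noise link-local/multicast packets, $unicast other unicast; check the tap and its cabling"
        return 1
    fi
}

# Constructed sample: only the background noise seen in the thread's captures.
SAMPLE_NOISE='20:18:38.788766 IP 169.254.207.138.5353 > 224.0.0.251.5353: UDP, length 101
20:18:38.991518 IP6 fe80::c590:4744:a90f:d3.546 > ff02::1:2.547: dhcp6 solicit'

# Constructed sample: the same noise plus the client side of the exchange,
# which is what one leg of a passive tap should deliver.
SAMPLE_ONE_LEG="$SAMPLE_NOISE
20:19:01.100000 IP 192.0.2.10.51234 > 198.51.100.5.80: Flags [P.], seq 1:78, ack 1, win 229, length 77: HTTP, length: 77
    GET / HTTP/1.1
    Host: testmyids.com"

# Constructed sample: both directions, as a bonded or SPAN interface would show.
SAMPLE_BOTH="$SAMPLE_ONE_LEG
20:19:01.150000 IP 198.51.100.5.80 > 192.0.2.10.51234: Flags [P.], seq 1:260, ack 78, win 235, length 259: HTTP, length: 259
    HTTP/1.1 200 OK"

# Stand-alone demo on the single-leg sample.
printf '%s\n' "$SAMPLE_ONE_LEG" | tap_verdict
```

To use it on a live sensor, pipe a bounded capture into `tap_verdict` (tcpdump's `-c` stops after N packets so the pipe reaches EOF) while fetching testmyids.com from a host on the monitored segment. A verdict of "no testmyids.com traffic" with a non-zero noise count is exactly the situation in the thread: the interface is up and promiscuous, but the tap is not feeding it the monitored link.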