FW: [NTLUG:Discuss] snmptrap not appearing
jeremyb@univista.com
jeremyb at univista.com
Sun Sep 8 16:32:19 CDT 2002
-----Original Message-----
From: Jeremy Brooks
To: 'Chris Cox '
Sent: 9/8/02 4:31 PM
Subject: RE: [NTLUG:Discuss] snmptrap not appearing
thanks Chris,
yep, I know the router is set to send logs to the web server. I set
it a while ago and just never set up the daemon to catch it. That's
why I wasn't concerned about it.
What I really really want to know is why I can't see the snmptrap
connections on the web server...
wait, I just figured it out... ipchains is Denying the dgram thus it
never shows up as a registered connection.... DOH!
-----Original Message-----
From: Chris Cox
To: discuss at ntlug.org
Sent: 9/8/02 4:22 PM
Subject: Re: [NTLUG:Discuss] snmptrap not appearing
jeremyb at univista.com wrote:
>
> hey folks,
> I'm tinkering with ettercap and have been watching traffic between my
> web server and the Linksys router I've got in front of this LAN. I'm
> seeing an snmp-trap datagram every couple of seconds originating from
> the router to the web server.
> I'm not concerned about why the router is doing this at the moment...
> what I'm curious about is why I can't see ANY trace of these
> connections on the web server.
My LinkSys sends snmp traps to a designated host for record keeping
of hits to the firewall. Go to Log on the LinkSys tab'd menu.
I run snmptrapd to capture the messages on the host I designated
on the Log setup.
> I've tried the following commands:
>
> netstat -an --inet
> netstat -an
> lsof | grep IPv4
> lsof | grep 162
> lsof | less
Not sure what you are looking for. You can snoop the traffic with
something like tcpdump.
>
> Here's a snip of what ettercap is showing me:
>
> 101) 192.168.1.1:2395 <--> 192.168.1.2:162 ? UDP ?
> snmptrap
I'm guessing that 192.168.1.2 is being setup as the
recipient of the access traps coming from the router.
>
> Here are corresponding entries in /var/log/messages:
>
> Sep 8 10:40:22 localhost kernel: Suspect short first fragment.
> Sep 8 10:40:22 localhost kernel: eth0 PROTO=1 192.168.1.1:0
> 192.168.1.2:0 L=20 S=0x00 I=0 F=0x0000 T=150 (#0)
>
> For every ettercap snmptrap entry there are two messages entries like
> those above.
> Is this really snmp-trap or just some junk that the router is coughing
> up because it's got issues? My next step is to bind port 162 using a
> little Perl script and just see what's what. ...may do that just for
> kicks anyhow :)
>
I'd run snmptrapd and capture the results so you can see everyone
who is pounding on your router.... an interesting experience.
Maybe I'm just not understanding the issue.
Ettercap is a great way to arp spoof your local switch (allowing
you to sniff traffic on the switch)... for more fun you could
try arp spoofing AT&T's switch... but since many abused this
recently, don't expect to be an AT&T customer very long if
you do this. Still you can see what ports on the AT&T switch
are listening to your traffic... also an eye opening experience.
(as mentioned, probably not your neighbor, but AT&T doing this)
Have fun!
Chris
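Added example, not part of the thread or anyone's posted code: a small Python parser for ipchains kernel log lines in the layout quoted above, with a summary that makes a firewall DENY on udp/162 visible as the reason the trap never reaches a socket (and so never shows in netstat or lsof). The "Packet log: input DENY" prefix and the udp/162 sample lines are constructed to the usual ipchains format, and putting ICMP type/code in the port slots is an assumption about that format.

```python
import re
from collections import Counter

# ipchains kernel log layout as quoted in the thread; the "Packet log: <chain>
# <action>" prefix is optional because the quoted line shows only what follows it.
IPCHAINS_RE = re.compile(
    r"(?:Packet log: (?P<chain>\w+) (?P<action>\w+) )?"
    r"(?P<iface>\w+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<id>\d+) "
    r"F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)"
)

def parse_ipchains(line):
    """Parse one ipchains log line into a dict; return None for any other line."""
    m = IPCHAINS_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    proto = int(d["proto"])
    rec = {"chain": d["chain"], "action": d["action"], "iface": d["iface"],
           "proto": {1: "icmp", 6: "tcp", 17: "udp"}.get(proto, str(proto)),
           "src": d["src"], "dst": d["dst"], "len": int(d["len"]),
           "ttl": int(d["ttl"]), "frag": d["frag"], "rule": int(d["rule"])}
    if proto == 1:
        # Assumption: for ICMP, ipchains logs type and code in the port slots.
        rec["icmp_type"], rec["icmp_code"] = int(d["sport"]), int(d["dport"])
    else:
        rec["sport"], rec["dport"] = int(d["sport"]), int(d["dport"])
    return rec

def summarize(log_text):
    """Count entries per (action, proto, dst, dst port or ICMP type); a steady DENY
    count on udp/162 means the trap never reaches a socket, so netstat shows nothing."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_ipchains(line)
        if rec:
            counts[(rec["action"] or "?", rec["proto"], rec["dst"],
                    rec.get("dport", rec.get("icmp_type")))] += 1
    return counts

# Constructed sample: the first two lines are the ones quoted in the thread, the
# two udp/162 DENY lines are made up to show the trap being dropped by ipchains.
SAMPLE_LOG = """\
Sep 8 10:40:22 localhost kernel: Suspect short first fragment.
Sep 8 10:40:22 localhost kernel: eth0 PROTO=1 192.168.1.1:0 192.168.1.2:0 L=20 S=0x00 I=0 F=0x0000 T=150 (#0)
Sep 8 10:40:24 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.1.1:2395 192.168.1.2:162 L=71 S=0x00 I=4 F=0x0000 T=64 (#3)
Sep 8 10:40:26 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.1.1:2395 192.168.1.2:162 L=71 S=0x00 I=5 F=0x0000 T=64 (#3)
"""
```

Feed it the real /var/log/messages with `summarize(open("/var/log/messages").read())`; a key of ("DENY", "udp", host, 162) growing in step with the ettercap entries confirms the firewall, not a missing listener, is the cause.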