|
|
楼主 |
发表于 2006-5-27 18:39:37
|
显示全部楼层
不对不对,我弄错了!smb确实有发广播,但并不是问题的根源,别人的瑞星防火墙还是查到我有icmp的广播,信息为:
时间 动作 协议 地址
2006.5.27* 禁止 ICMP 192.168.3.31=>192.168.3.255
其中3.31是我,对方的是3.*(本段好几个人)
而且很有规律,每次攻击(瑞星认为是攻击,搞的同事对我挺有意见)的间隔都是1小时20分10秒,于是我在下一次攻击前后约1个小时内用ethereal再次抓包,将得到的信息粗略的分组:
"No.", "Time", "Source", "Destination", " rotocol", "Info"
1.................................
"3", "0.931852", "192.168.3.23", "Broadcast", "ARP", "Who has 192.168.3.31? Tell 192.168.3.23"
"4", "0.931878", "192.168.3.31", "192.168.3.23", "ARP", "192.168.3.31 is at 00:11:2f:3b:61:da"
"5", "0.931886", "192.168.3.32", "Broadcast", "ARP", "Who has 192.168.3.31? Tell 192.168.3.32"
"6", "0.931895", "192.168.3.31", "192.168.3.32", "ARP", "192.168.3.31 is at 00:11:2f:3b:61:da"
......还有很多,好像本段机器群起在找我
2.......................................
"42", "0.933127", "192.168.3.66", "192.168.3.31", "NBNS", "Name query response NB 192.168.3.66"
"43", "0.933157", "192.168.3.8", "192.168.3.31", "NBNS", "Name query response NB 192.168.3.8"
"44", "0.933184", "192.168.3.21", "192.168.3.31", "NBNS", "Name query response NB 192.168.3.21"
"45", "1.232920", "192.168.3.31", "192.168.3.255", "NBNS", "Name query NB *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>"
"46", "1.233063", "192.168.3.23", "192.168.3.31", "NBNS", "Name query response NB 192.168.3.23"
..........还有很多,这段不知道他们在搞我什么
3...................
"75", "1.784961", "192.168.3.31", "192.168.3.0", "ICMP", "Echo (ping) request "
"76", "1.785191", "192.168.3.31", "192.168.3.4", "ICMP", "Echo (ping) request "
"77", "1.785265", "192.168.3.31", "192.168.3.7", "ICMP", "Echo (ping) request "
"78", "1.785299", "192.168.3.31", "192.168.3.8", "ICMP", "Echo (ping) request "
"79", "1.785328", "192.168.3.4", "192.168.3.31", "ICMP", "Echo (ping) reply "
"80", "1.785359", "192.168.3.31", "192.168.3.9", "ICMP", "Echo (ping) request "
.............还有很多,好像我在发彪,但我保证抓包时什么都没干!
4..........................
"88", "1.785752", "192.168.3.31", "Broadcast", "ARP", "Who has 192.168.3.1? Tell 192.168.3.31"
"89", "1.785764", "192.168.3.31", "Broadcast", "ARP", "Who has 192.168.3.2? Tell 192.168.3.31"
"90", "1.785775", "192.168.3.31", "Broadcast", "ARP", "Who has 192.168.3.3? Tell 192.168.3.31"
"91", "1.785785", "192.168.3.31", "Broadcast", "ARP", "Who has 192.168.3.5? Tell 192.168.3.31"
"92", "1.785799", "192.168.3.31", "Broadcast", "ARP", "Who has 192.168.3.6? Tell 192.168.3.31"
"93", "1.785809", "192.168.3.31", "Broadcast", "ARP", "Who has 192.168.3.10? Tell 192.168.3.31"
"94", "1.785825", "192.168.3.31", "Broadcast", "ARP", "Who has 192.168.3.11? Tell 192.168.3.31"
.............还有很多,好像我在逐个反击,不过抓包以后马上arp -a,确实收获很多,但很快就没了
接下来还是反复的arp和icmp包,从0到254干个彻底,注意icmp包从0开始,arp包是1~254,正两遍
5......................还有一些包不知道有没有关系(2.5是DNS服务器)
"382", "2.183418", "192.168.3.31", "192.168.2.5", "DNS", "Standard query PTR 4.3.168.192.in-addr.arpa"
"383", "2.345096", "192.168.2.5", "192.168.3.31", "DNS", "Standard query response, No such name"
"384", "2.345404", "192.168.3.31", "192.168.2.5", "DNS", "Standard query PTR 7.3.168.192.in-addr.arpa"
"385", "2.517485", "192.168.2.5", "192.168.3.31", "DNS", "Standard query response, No such name"
"386", "2.517785", "192.168.3.31", "192.168.2.5", "DNS", "Standard query PTR 9.3.168.192.in-addr.arpa"
................还有一些,怎么没完没了反复交谈好几回呀?
最后抓到的是本网段所有活动主机对我的arp的回应,纷纷返回了mac
就是这些了,由于ethereal没有反应具体每个包的时刻(小时分秒),我也不知道是那个包触动了别人的瑞星防火墙。奇怪的是就算是我真的ping它,他那个瑞星都不报警,我看了一下,防火墙的级别都设为高,ip规则中也包括禁止ping入。
我又测试了一下天网,默认设置下,无法ping入,但没有每隔80分钟的那个问题。
好了,罗嗦半天,大家可不可以给小弟点指教? |
|
IP卡
狗仔卡
发表于 2006-5-10 16:20:26
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
显身卡