Networking Forums

catch magic packet

 
 
IS
Guest
Posts: n/a

 
      10-17-2006, 08:00 PM
Hello,

I probably have a machine in my network that is sending a magic packet
to power on a machine.
To stop this problem I turn off the WOL in this machine.
But I would like to know who is sending this "magic packet".

How can I find the magic packet sender?


 
 
 
 
 
ipnwsec
Guest
Posts: n/a

 
      10-17-2006, 11:19 PM

Hi,

Put an Ethernet sniffer, and also try connecting all the machines to a
hub and watch the packet on the sniffer.

Thanks,
http://geocities.com/sunil3112000

On Oct 17, 1:00 pm, IS <isimoes.no...@laposte.net> wrote:
> Hello,
>
> I probably have in my network a machine who is sending a magic packet
> to power on a machine.
> To stop this problem I turn off the WOL in this machine.
> But I would like to know who is sending this "magic packet".
>
> How can I find the magic packet sender ?


 
 
Moe Trin
Guest
Posts: n/a

 
      10-18-2006, 07:56 PM
On Tue, 17 Oct 2006, in the Usenet newsgroup comp.os.linux.networking, in
article <(E-Mail Removed)>, IS wrote:

>How can I find the magic packet sender ?


A "Magic Packet" is any Ethernet packet that contains at least sixteen
repeats of the 'target' MAC address. If the Ethernet address of a target
computer is 01:02:03:04:05:06 (6 bytes), then the LAN controller of that
machine should be looking for the following sequence
FFFFFFFFFFFF010203040506010203040506010203040506010203040506
010203040506010203040506010203040506010203040506010203040506
010203040506010203040506010203040506010203040506010203040506
010203040506010203040506
inside the frame. Do you have 'ngrep' on your system?

[compton ~]$ whatis ngrep
ngrep (8) - network grep
[compton ~]$

If not, use any packet sniffer you have, and save the data to a file which
you can then 'grep' for the sequence of several repetitions of the MAC
address. Once you find that, look at the source MAC address, and then in
your ARP cache to see which computer is the source.

Note that the "Magic Packet" may be a packet with _any_ protocol (TCP,
UDP, ICMP, IPX, Appletalk, XNS - it doesn't matter). Most of the current
implementations use either ICMP or UDP because other protocols require a
handshake before data transfer. If you are using a packet sniffer, I
would not specify a protocol, but would look for packets with a destination
address of the "target" system (although the "Magic Packet" format does not
require that the Ethernet packet destination be that of the target - the
packet need only be seen on the wire).

Old guy
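
The search described in the post above, as an added example that is not part of the original thread: it scans every frame of a capture for six 0xFF bytes followed by sixteen repeats of one MAC, whatever the protocol or destination address, and reports the frame's source MAC. It assumes a classic microsecond-resolution pcap file of Ethernet frames; the function names, the sender MAC and the sample capture are constructed for illustration.

```python
import struct

SYNC = b"\xff" * 6  # six 0xFF bytes precede the repeated MAC

def find_magic_target(frame):
    """Return the MAC repeated 16 times after a sync run, else None."""
    pos = frame.find(SYNC)
    while pos != -1:
        mac = frame[pos + 6:pos + 12]
        # 1 + 15 repetitions = the sixteen repeats the post describes
        if len(mac) == 6 and frame[pos + 12:pos + 102] == mac * 15:
            return mac
        pos = frame.find(SYNC, pos + 1)
    return None

def iter_pcap_frames(data):
    """Yield (ts_sec, frame) from a classic pcap file of Ethernet frames."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if end is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    off = 24
    while off + 16 <= len(data):
        ts, _, incl, _ = struct.unpack(end + "IIII", data[off:off + 16])
        yield ts, data[off + 16:off + 16 + incl]
        off += 16 + incl

def magic_packet_senders(pcap_bytes):
    """List (ts_sec, source MAC, target MAC) for every magic packet seen."""
    return [(ts, f[6:12].hex(":"), t.hex(":"))
            for ts, f in iter_pcap_frames(pcap_bytes)
            if len(f) >= 14 and (t := find_magic_target(f)) is not None]

def sample_pcap():
    """Constructed capture: a benign broadcast frame and one magic packet."""
    target = bytes.fromhex("010203040506")   # target MAC used in the post
    sender = bytes.fromhex("020000000099")   # constructed sender MAC
    benign = SYNC + bytes.fromhex("0200000000aa") + b"\x08\x06" + bytes(46)
    # Broadcast destination: the frame is not addressed to the target
    wol = SYNC + sender + b"\x08\x42" + SYNC + target * 16
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, f in ((1, benign), (2, wol)):
        out += struct.pack("<IIII", ts, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(magic_packet_senders(sample_pcap()))
```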
 
 
IS
Guest
Posts: n/a

 
      10-19-2006, 05:35 PM
Thanks a lot for this documentation!
I'm going to test this week!

>>How can I find the magic packet sender ?

>
>A "Magic Packet" is any Ethernet packet that contains at least sixteen
>repeats of the 'target' MAC address. If the Ethernet address of a target
>computer is 01:02:03:04:05:06 (6 bytes), then the LAN controller of that
>machine should be looking for the following sequence
> FFFFFFFFFFFF010203040506010203040506010203040506010203040506
> 010203040506010203040506010203040506010203040506010203040506
> 010203040506010203040506010203040506010203040506010203040506
> 010203040506010203040506
>inside the frame. Do you have 'ngrep' on your system?
>
>[compton ~]$ whatis ngrep
>ngrep (8) - network grep
>[compton ~]$
>
>If not, use any packet sniffer you have, and save the data to a file which
>you can then 'grep' for the sequence of several repetitions of the MAC
>address. Once you find that, look at the source MAC address, and then in
>your ARP cache to see which computer is the source.
>
>Note that the "Magic Packet" may be a packet with _any_ protocol (TCP,
>UDP, ICMP, IPX, Appletalk, XNS - it doesn't matter). Most of the current
>implementations use either ICMP or UDP because other protocols require a
>handshake before data transfer. If you are using a packet sniffer, I
>would not specify a protocol, but would look for packets with a destination
>address of the "target" system (although the "Magic Packet" format does not
>require that the Ethernet packet destination be that of the target - the
>packet need only be seen on the wire).
>
> Old guy


 