Networking Forums

What's This?
 
 
Dan
      05-21-2005, 03:58 AM
This entry has come from a tcpdump from within a firewalled lan. The
network is mostly windows boxes with some linux servers and routers.
I don't know of any pc on the network with this mac address. They're
happening at approximately one minute intervals.


01:01:40.514572 0:60:b0:18:c7:75 > ff:ff:ff:ff:ff:ff sap e0 ui/C
>>> Unknown IPX Data: (79 bytes)

[000] FF FF 00 60 00 00 00 00 00 00 FF FF FF FF FF FF  ....`............
[010] 04 52 00 00 00 00 00 60 B0 18 C7 75 04 52 00 02  .R.....` ....u.R..
[020] 03 0C 30 30 36 30 42 30 31 38 43 37 37 35 38 30  ..0060B0 18C77580
[030] 43 36 4E 50 49 31 38 43 37 37 35 00 00 00 00 00  C6NPI18C 775.....
[040] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00     ........ ........
len=96
 
KR
      05-21-2005, 04:12 AM
Dan wrote:
>
> 01:01:40.514572 0:60:b0:18:c7:75 > ff:ff:ff:ff:ff:ff sap e0 ui/C
>
>>>>Unknown IPX Data: (79 bytes)


It's a SAP. One of your boxes has IPX installed, and will advertise its
services every 60 seconds.
 
Dan
      05-21-2005, 05:01 AM
On Sat, 21 May 2005 06:12:51 +0200, KR
<(E-Mail Removed)> wrote:

>It's a SAP. One of your boxes has IPX installed, and will advertise its
>services every 60 seconds.


I'm trying to figure out what and where the box is. I'm not familiar
with IPX. Is this a network printer?

Dan

 
Steve Horsley
      05-21-2005, 10:26 AM
Dan wrote:
> On Sat, 21 May 2005 06:12:51 +0200, KR
> <(E-Mail Removed)> wrote:
>
>
>>It's a SAP. One of your boxes has IPX installed, and will advertise its
>>services every 60 seconds.

>
>
> I'm trying to figure out what and where the box is. I'm not familiar
> with IPX. Is this a network printer?
>
> Dan
>

Could well be. I think many network print servers like to
advertise themselves using IPX SAP. Ethereal may tell you a
little more - it decodes IPX.

Steve
 
Carl Fink
      05-21-2005, 01:05 PM
On 2005-05-21, Dan <(E-Mail Removed)> wrote:

> I'm trying to figure out what and where the box is. I'm not familiar
> with IPX. Is this a network printer?


IPX is the network protocol used by Novell Netware, which has been supported
by the Linux kernel for many years.
--
Carl Fink (E-Mail Removed)
If you attempt to fix something that isn't broken, it will be.
-Bruce Tognazzini
 
Juha Laiho
      05-21-2005, 04:24 PM
Dan <(E-Mail Removed)> said:
>This entry has come from a tcpdump from within a firewalled lan. The
>network is mostly windows boxes with some linux servers and routers.
>I don't know of any pc on the network with this mac address. They're
>happening at approximately one minute intervals.
>
>
>01:01:40.514572 0:60:b0:18:c7:75 > ff:ff:ff:ff:ff:ff sap e0 ui/C


Ok, you already got a description of the data.

Now, the 0:60:b0:18:c7:75 is the MAC address of the device; you could
look from IANA databases to find out which hardware manufacturer that
address is assigned to, and thus limit your search.

You could also do a broadcast ping (ICMP) in your network, and then look
at the device ARP tables to possibly find that same MAC address there,
listed with an IP address. Perhaps the IP address is better in identifying
the device (and after getting the IP address, you could do a nslookup
on that - to possibly get the DNS name for the device, or you could
attempt a telnet or HTTP connection to the device, to identify it
based on telnet or http banners).
--
Wolf a.k.a. Juha Laiho Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
 
Allen McIntosh
      05-21-2005, 11:59 PM

> You could also do a broadcast ping (ICMP) in your network, and then look
> at the device ARP tables to possibly find that same MAC address there,
> listed with an IP address. Perhaps the IP address is better in identifying
> the device (and after getting the IP address, you could do a nslookup
> on that - to possibly get the DNS name for the device, or you could
> attempt a telnet or HTTP connection to the device, to identify it
> based on telnet or http banners).


Nmap might tell you something useful.
 
Moe Trin
      05-22-2005, 02:18 AM
In article <(E-Mail Removed)>, Dan wrote:

>This entry has come from a tcpdump from within a firewalled lan. The
>network is mostly windows boxes with some linux servers and routers.
>I don't know of any pc on the network with this mac address. They're
>happening at approximately one minute intervals.
>
>01:01:40.514572 0:60:b0:18:c7:75 > ff:ff:ff:ff:ff:ff sap e0 ui/C
>>>> Unknown IPX Data: (79 bytes)


[compton ~]$ etherwhois 00:60:b0
00-60-B0 (hex) HEWLETT-PACKARD CO.
0060B0 (base 16) HEWLETT-PACKARD CO.
MS 42LE
10000 WOLFE ROAD
CUPERTINO CA 95014
[compton ~]$

"Hi, I'm an HP Printer that would love to print your documents - remember
me when you need to print."

IPX is the network protocol used by Novell Netware. One of your printers
is configured to support that protocol.

Old guy
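
The payload tcpdump labelled "Unknown IPX Data" in the first post can be decoded by hand. The following Python parser is an added example, not part of any post in this thread: it reads the IPX header and the SAP response entry from the posted bytes and copes with the capture being cut off at 79 of the 96 bytes the header announces. The function names and the short SAP operation and type tables are assumptions of this example.

```python
import struct

# Payload bytes copied from the tcpdump output in the first post (79 of 96 captured).
DUMP = """
FF FF 00 60 00 00 00 00 00 00 FF FF FF FF FF FF
04 52 00 00 00 00 00 60 B0 18 C7 75 04 52 00 02
03 0C 30 30 36 30 42 30 31 38 43 37 37 35 38 30
43 36 4E 50 49 31 38 43 37 37 35 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""
SAP_SOCKET = 0x0452
SAP_OPS = {1: "general service query", 2: "general service response",
           3: "nearest service query", 4: "nearest service response"}
# Commonly published SAP type assignments (assumed table; a hint, not proof).
SAP_TYPES = {0x0004: "file server", 0x0007: "print server",
             0x030C: "Intel Netport 2 / HP JetDirect / HP Quicksilver"}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_ipx_sap(data):
    if len(data) < 32:
        raise ValueError("too short for IPX header plus SAP operation")
    (length,) = struct.unpack_from(">H", data, 2)      # after 2-byte checksum
    dst_net, dst_node, dst_sock = struct.unpack_from(">I6sH", data, 6)
    src_net, src_node, src_sock = struct.unpack_from(">I6sH", data, 18)
    if SAP_SOCKET not in (dst_sock, src_sock):
        raise ValueError("not addressed to or from the SAP socket")
    (op,) = struct.unpack_from(">H", data, 30)
    out = {"ipx_length": length, "captured": len(data),
           "truncated": len(data) < length,
           "src_node": mac(src_node), "dst_node": mac(dst_node),
           "operation": SAP_OPS.get(op, hex(op)), "services": []}
    # Response entry layout: type(2) name(48) net(4) node(6) socket(2) hops(2)
    off = 32
    while op in (2, 4) and off + 2 <= len(data):
        (stype,) = struct.unpack_from(">H", data, off)
        name = data[off + 2:off + 50].split(b"\0", 1)[0].decode("ascii", "replace")
        out["services"].append({"type": SAP_TYPES.get(stype, hex(stype)),
                                "name": name, "complete": off + 64 <= len(data)})
        off += 64
    return out

def demo():
    return parse_ipx_sap(bytes.fromhex("".join(DUMP.split())))
```

On the posted frame this returns a general service response from 00:60:b0:18:c7:75 advertising the name 0060B018C77580C6NPI18C775 with SAP type 0x030C, which agrees with the vendor lookup above.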

 