Comments on: Packet School 101 – Part 3

By: csanders

csanders — Sun, 05 Sep 2010 20:41:11 +0000

Anonymous – Good catch. I am in the habit of always clearing my filters after everything I do so I never ran into this, but I could see where someone could. I made the mistake of forgetting to clear my filter one to many times and eventually it just got ingrained into me. Thanks!

By: Anonymous

Anonymous — Fri, 20 Aug 2010 15:05:40 +0000

Chris – Just some Eratta: You instruct the reader to remove arp packets from view, then you talk about time and reference the time difference between packet 3 and packet 4 which should be filtered out if the reader is diligently following your instructions.

By: Stavan

Stavan — Thu, 12 Apr 2007 03:40:27 +0000

This is extremely helpful….I am actually understanding the flow…Can you please put some more exercise for Entry Level students?

By: ROFL

ROFL — Thu, 01 Feb 2007 07:41:38 +0000

I saw that you say “remove” the ARP packets from the filter, Don’t forget that layer 2/3 transversal with MAC broadcasts causes the NIC or NODE interface to stop everything that it is doing to check to see if it has the IP address in the ARP question, if this happens too fast, too many arp questions per milisecond, the NIC will not let logical layer request physical layer time, untill the ARP stream has stopped long enough for the logical layer’s IRQ to be listened to, most nics require =/>4ms between ARP packets to see any other requests.. you wind up with a latency on the original IRQ for however many ms it takes for the stream of ARP packets to stop long enough for that window of time etc or some such thing… it takes a little break to talk out on the network, you can even get lack of receival of requested packets if more ARP streams continue after the original request goes out, the incoming packets are hitting a brick wall, most consumer devices do not have the MEMORY capacity to store the incoming ack’s and stuff long enough so their ttl expires waiting for arp questions to be finished… some hackers have the MS down to an art where they can determine exactly when they need to issue arp’s to block connectivity, without an actual tracable DOS, because they are employed by the ISP, so if they got caught, they would face serious fraud charges for causing many people to pay for inhome computer service repair by the ISP crew while their partner reconfigures the router to stop the ARP wave

By: johnstev

johnstev — Thu, 03 Aug 2006 07:35:28 +0000

A great introduction to a subject I know little about.

Keep up the good work.

By: li

li — Fri, 28 Jul 2006 08:56:49 +0000

good.thanks.

By: c4

c4 — Mon, 10 Jul 2006 19:19:38 +0000

good stuff, i use alot of this at work,,, i was wondering if you can elaborate on the coloring of the capture ..

and if thier is a was to start a capture every lets say 60 seconds to have a long but not big trace of the network health

By: Frank

Frank — Fri, 07 Jul 2006 13:26:47 +0000

This is good stuff Chris. Keep it up. I’d love to see more lessons on other topics in the future.

By: Chris Sanders » Packet School 101 - Part 2

Chris Sanders » Packet School 101 - Part 2 — Thu, 06 Jul 2006 19:56:57 +0000

[...] Packet School 101 – Part 3 [...]