
Sniffing for a virus


Kozusnik

Programmer
Feb 27, 2005
Does anyone have a suggestion for sniffing a network for infected computers? I've tried Ethereal and nmap, but neither seems to do the job well enough, or maybe I'm missing something.

The situation is we have a virus on several computers at work. I'm a systems guy, OS/400, VMS, Linux, etc. I don't deal with M$. I'm trying to help our network team track down infected computers.

Any help would be appreciated.

TIA,
Mark


SELECT * FROM management WHERE clue > 1
> 0 rows returned

--ThinkGeek T-Shirt
 
It really depends on the virus. I have spotted quite a few recently by looking for machines attempting to ARP IPs that are not allocated on our range.

We have 172.16.x.x but only use a few of the available subnets, so if I see a machine ARPing 172.16.32.12 I know something is wrong. I also look at machines sending big bursts of ARPs.

I have in the past spotted some by looking for NetBIOS traffic, as one recent virus was sending out NetBIOS requests to a non-existent workgroup.
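The ARP heuristics in the reply above (requests for addresses in subnets the site never allocated, and bursts of requests from one host) can be checked offline against a capture. The following is an added example, not code from the original thread or from any of the tools it mentions: it parses raw Ethernet/ARP frames with the standard library only and flags the source MACs that match either rule. The allocated subnets (172.16.0.0/24 and 172.16.1.0/24), the burst threshold (more than 20 requests in 2 seconds), and the sample traffic are all assumptions constructed for the demo; the frames are built inline rather than read from a real pcap.

```python
"""Flag hosts whose ARP behaviour looks like worm-style address scanning.

Added example. Parses raw Ethernet/ARP frames (constructed inline, not a
real capture) and flags a source MAC that (a) sends ARP requests for
addresses outside the subnets the site actually allocates, or (b) sends a
burst of requests. Allocated ranges and thresholds are assumed values.
"""
import ipaddress
import struct
from collections import defaultdict

# Assumption: the site owns 172.16.0.0/16 but only allocates these subnets.
ALLOCATED = [ipaddress.ip_network("172.16.0.0/24"),
             ipaddress.ip_network("172.16.1.0/24")]
BURST_COUNT = 20     # assumed: more than 20 requests ...
BURST_WINDOW = 2.0   # ... within 2 seconds from one MAC counts as a burst

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_request(src_mac, src_ip, target_ip):
    """Build a broadcast ARP who-has frame (used here only to construct samples)."""
    eth = (mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes(src_mac)
           + struct.pack("!H", ETHERTYPE_ARP))
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)   # Ethernet/IPv4 request
    arp += mac_bytes(src_mac) + ipaddress.ip_address(src_ip).packed   # sender HW/IP
    arp += b"\x00" * 6 + ipaddress.ip_address(target_ip).packed       # target HW/IP
    return eth + arp


def parse_arp_request(frame):
    """Return (src_mac, src_ip, target_ip) for an ARP request frame, else None."""
    if len(frame) < 42:                       # 14-byte Ethernet + 28-byte ARP
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    hdr = struct.unpack("!HHBBH", frame[14:22])
    if hdr != (1, 0x0800, 6, 4, ARP_REQUEST):   # only IPv4-over-Ethernet requests
        return None
    sha = mac_str(frame[22:28])
    spa = ipaddress.ip_address(frame[28:32])
    tpa = ipaddress.ip_address(frame[38:42])
    return sha, spa, tpa


def is_allocated(ip, allocated=ALLOCATED):
    return any(ip in net for net in allocated)


def analyze(timed_frames, allocated=ALLOCATED,
            burst_count=BURST_COUNT, burst_window=BURST_WINDOW):
    """timed_frames: iterable of (timestamp, raw_frame). Returns a per-MAC report."""
    report = defaultdict(lambda: {"requests": 0, "unallocated": 0, "flags": set()})
    recent = defaultdict(list)   # sliding window of request timestamps per MAC
    for ts, frame in sorted(timed_frames, key=lambda tf: tf[0]):
        parsed = parse_arp_request(frame)
        if parsed is None:
            continue
        sha, _spa, tpa = parsed
        entry = report[sha]
        entry["requests"] += 1
        if not is_allocated(tpa, allocated):
            entry["unallocated"] += 1
            entry["flags"].add("arp_for_unallocated_ip")
        window = recent[sha]
        window.append(ts)
        while window and ts - window[0] > burst_window:   # drop old timestamps
            window.pop(0)
        if len(window) > burst_count:
            entry["flags"].add("arp_burst")
    return {mac: {"requests": e["requests"], "unallocated": e["unallocated"],
                  "flags": sorted(e["flags"])} for mac, e in report.items()}


def sample_capture():
    """Constructed traffic: one quiet workstation and one host sweeping an unused subnet."""
    frames = []
    # Healthy workstation: a few ARPs for its gateway and a printer, spread out in time.
    for i, target in enumerate(["172.16.0.1", "172.16.0.50", "172.16.1.1"]):
        frames.append((10.0 * i, build_arp_request("00:11:22:33:44:55", "172.16.0.23", target)))
    # Suspect host: 60 requests in 1.5 s across 172.16.32.0/24, a subnet nobody allocated.
    for i in range(60):
        frames.append((100.0 + i * 0.025,
                       build_arp_request("66:77:88:99:aa:bb", "172.16.0.77", f"172.16.32.{i + 1}")))
    # A non-ARP (IPv4) frame, which the parser must ignore.
    frames.append((105.0, mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes("00:11:22:33:44:55")
                   + struct.pack("!H", 0x0800) + b"\x00" * 40))
    return frames


if __name__ == "__main__":
    for mac, stats in analyze(sample_capture()).items():
        print(mac, stats)
```

On a real network the frames would come from a pcap written by Ethereal/tcpdump on a span or mirror port; the parser above only needs the raw link-layer bytes of each packet and its timestamp. The suspect MAC is the one to look up in the switch's forwarding table to find the port and the machine behind it.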
 
Hi Kozusnik, you can use "Sniffer Portable". First, you can use its host table function, finding which PC is sending the most packets. Second, if you found it, you can use its matrix and decode function to analyze packets, finding which type of packet is sent. At last, remove the viruses.

(sorry for my poor English)
 