Using Sysmon to Detect Faulty Hardware

No sooner had I posted the entry on Sysmon than it detected a network problem. Two of my systems were unreachable. They both sat on a DMZ leg of my gateway. After troubleshooting at various layers I narrowed the issue down to a faulty NIC in the gateway. How often does that happen? Unfortunately the bad NIC is an Intel PRO/100+ Dual Port Server Adapter (PILA8472). When trying to ping out from the NIC to the DMZ, here's the sort of traffic the NIC generated:

00:39:18.628691 192.168.60.1 > 192.168.60.3: icmp: echo request
00:39:19.638731 0:0:0:0:0:0 > 0:0:0:0:0:0 sap 00 I (s=0,r=0,C) len=80
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
00:39:20.648696 0:0:0:0:0:0 > 0:0:0:0:0:0 sap 00 I (s=0,r=0,C) len=80
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
00:39:21.658706 192.168.60.1 > 192.168.60.3: icmp: echo request
00:39:22.668711 192.168.60.1 > 192.168.60.3: icmp: echo request
00:39:23.678706 192.168.60.1 > 192.168.60.3: icmp: echo request
00:39:24.688706 192.168.60.1 > 192.168.60.3: icmp: echo request
00:39:25.698714 0:0:0:0:ff:54 0:0:0:0:0:0 2410 98:
8d44 2414 50f7 4054 0000 0200 7503 8e68
14b8 5801 0000 50cd 80eb fe90 ff54 2410
8d44 2414 50f7 4018 0000 0200 7503 8e68
44c7 404c 16d5 0100 b858 0100 0050 cd80
ebfe 89f6 2c8f 1128 0100 0000 0cfe bfbf
0100 0000

That is truly bizarre. I replaced the NIC with an Adaptec ANA-62044 PCI quad NIC.
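The capture above is the kind of thing a reachability monitor like Sysmon will never explain on its own; you have to look at the wire. As an added example (not code from the original post or from the Sysmon project), here is a small detector that parses tcpdump-style lines of the form shown above and flags frames that no healthy IP host should emit: all-zero source or destination MACs, a null LLC SAP, an ethertype outside a short allow-list, or a payload that is entirely zero. The sample input is an excerpt of the post's own tcpdump output embedded as a string, the ethertype allow-list and the 25% alert threshold are assumptions for illustration, and the regexes match the older tcpdump output format the post shows (no `-e` link-level header on the IP lines).

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: an excerpt of the tcpdump lines from the post above,
# with the hex-dump continuation lines trimmed to two per frame.
SAMPLE_CAPTURE = """\
00:39:18.628691 192.168.60.1 > 192.168.60.3: icmp: echo request
00:39:19.638731 0:0:0:0:0:0 > 0:0:0:0:0:0 sap 00 I (s=0,r=0,C) len=80
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
00:39:20.648696 0:0:0:0:0:0 > 0:0:0:0:0:0 sap 00 I (s=0,r=0,C) len=80
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
00:39:21.658706 192.168.60.1 > 192.168.60.3: icmp: echo request
00:39:22.668711 192.168.60.1 > 192.168.60.3: icmp: echo request
00:39:23.678706 192.168.60.1 > 192.168.60.3: icmp: echo request
00:39:24.688706 192.168.60.1 > 192.168.60.3: icmp: echo request
00:39:25.698714 0:0:0:0:ff:54 0:0:0:0:0:0 2410 98:
8d44 2414 50f7 4054 0000 0200 7503 8e68
14b8 5801 0000 50cd 80eb fe90 ff54 2410
"""

TS = r'(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)'
MAC = r'[0-9a-f]{1,2}(?::[0-9a-f]{1,2}){5}'
# "ts src > dst: proto:"  (IP packet, no link-level header)
IP_RE = re.compile(TS + r' (?P<src>\d+(?:\.\d+){3}) > (?P<dst>\d+(?:\.\d+){3}): (?P<proto>\w+):')
# "ts mac > mac sap NN ... len=N"  (802.2 LLC frame)
LLC_RE = re.compile(TS + r' (?P<src>' + MAC + r') > (?P<dst>' + MAC + r') sap (?P<sap>[0-9a-f]{2}) .*len=(?P<len>\d+)')
# "ts mac mac ETYPE N:"  (frame with an ethertype tcpdump does not decode)
ETYPE_RE = re.compile(TS + r' (?P<src>' + MAC + r') (?P<dst>' + MAC + r') (?P<etype>[0-9a-f]{4}) (?P<len>\d+):')
HEX_RE = re.compile(r'^(?:[0-9a-f]{2,4}\s*)+$')

# Assumed allow-list for this DMZ: IPv4, ARP, IPv6, 802.1Q. Adjust per network.
KNOWN_ETHERTYPES = {'0800', '0806', '86dd', '8100'}


@dataclass
class Frame:
    ts: str
    kind: str        # 'ip', 'llc' or 'ethertype'
    src: str
    dst: str
    detail: str      # protocol name, 'sap NN', or the raw ethertype
    length: int = 0
    payload: List[str] = field(default_factory=list)  # hex words from dump lines


def parse_capture(text: str) -> List[Frame]:
    """Turn tcpdump text into Frame records; hex-dump lines attach to the previous frame."""
    frames: List[Frame] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = IP_RE.match(line)
        if m:
            frames.append(Frame(m['ts'], 'ip', m['src'], m['dst'], m['proto']))
            continue
        m = LLC_RE.match(line)
        if m:
            frames.append(Frame(m['ts'], 'llc', m['src'], m['dst'], 'sap ' + m['sap'], int(m['len'])))
            continue
        m = ETYPE_RE.match(line)
        if m:
            frames.append(Frame(m['ts'], 'ethertype', m['src'], m['dst'], m['etype'], int(m['len'])))
            continue
        if HEX_RE.match(line) and frames:
            frames[-1].payload.extend(line.split())
        # Anything else (unknown decoders, summary lines) is ignored here.
    return frames


def is_zero_mac(mac: str) -> bool:
    return all(int(part, 16) == 0 for part in mac.split(':'))


def suspicious_reasons(f: Frame) -> List[str]:
    """Why a frame looks like hardware garbage rather than host traffic."""
    reasons: List[str] = []
    if f.kind != 'ip':                      # IP lines carry no MACs in this format
        if is_zero_mac(f.src):
            reasons.append('all-zero source MAC')
        if is_zero_mac(f.dst):
            reasons.append('all-zero destination MAC')
    if f.kind == 'llc' and f.detail == 'sap 00':
        reasons.append('null LLC SAP')
    if f.kind == 'ethertype' and f.detail not in KNOWN_ETHERTYPES:
        reasons.append('unknown ethertype 0x' + f.detail)
    if f.payload and all(set(word) == {'0'} for word in f.payload):
        reasons.append('payload entirely zero')
    return reasons


def assess(text: str, threshold: float = 0.25) -> Dict[str, object]:
    """Parse a capture and alert when the malformed-frame ratio exceeds the threshold (assumed 25%)."""
    frames = parse_capture(text)
    findings = [(f, suspicious_reasons(f)) for f in frames]
    bad = [(f, r) for f, r in findings if r]
    ratio = len(bad) / len(frames) if frames else 0.0
    return {
        'frames': len(frames),
        'malformed': len(bad),
        'ratio': ratio,
        'alert': ratio >= threshold,
        'findings': [(f.ts, f.kind, r) for f, r in bad],
    }


if __name__ == '__main__':
    result = assess(SAMPLE_CAPTURE)
    for ts, kind, reasons in result['findings']:
        print(ts, kind, '; '.join(reasons))
    print('alert:', result['alert'], 'ratio: %.2f' % result['ratio'])
```

Run against the excerpt, the two LLC frames and the ethertype 0x2410 frame are flagged while the five echo requests pass, so three of eight frames are malformed and the alert fires. The ratio matters more than any single hit: one odd frame can be a driver quirk, but a steady stream of zero-MAC frames interleaved with otherwise normal pings is the signature of the failing adapter described above, and it is worth feeding a summary like this into whatever monitor noticed the outage in the first place.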
