Alien packets from outer space

I finally got monnet, my simplistic network monitor/dumping program, working under Linux kernels higher than 2.2. I wrote it a few years ago, both as an educational experience, and as a tool to see what activity existed on the network at work. I like it better than tcpdump or ethereal because it shows the traffic in real time with a concise summary:

```
S:02608CD87517 D:0014BF4DECE5 ARP A:request ETH:IPv4 10.0.0.1 10.0.0.160
S:0014BF4DECE5 D:02608CD87517 ARP A:reply ETH:IPv4 10.0.0.160 10.0.0.1
S:02608CD87517 D:000D935D6D86 ARP A:request ETH:IPv4 10.0.0.1 10.0.0.13
S:000D935D6D86 D:02608CD87517 ARP A:reply ETH:IPv4 10.0.0.13 10.0.0.1
S:0040332E103C D:02608CD87517 IPv4 S:10.0.0.3 D:10.0.0.1 UDP S:NTP D:NTP 62
S:02608CD87517 D:0040332E103C IPv4 S:10.0.0.1 D:10.0.0.3 UDP S:NTP D:NTP 62
S:0014BF4DECE5 D:02608CD87517 IPv4 S:10.0.0.160 D:69.59.240.102 UDP S:(10000) D:(10000)
S:02608CD87517 D:0014BF4DECE5 IPv4 S:69.59.240.102 D:10.0.0.160 UDP S:(10000) D:(10000)
S:0040332E103C D:000D935D6D86 ARP A:request ETH:IPv4 10.0.0.3 10.0.0.13
S:000D935D6D86 D:0040332E103C ARP A:reply ETH:IPv4 10.0.0.13 10.0.0.3
S:000D935D6D86 D:0040332E103C IPv4 S:10.0.0.13 D:10.0.0.3 TCP AP S:(52643) D:SSH 58
S:0040332E103C D:000D935D6D86 IPv4 S:10.0.0.3 D:10.0.0.13 TCP A S:SSH D:(52643) 10
S:000D935D6D86 D:0040332E103C IPv4 S:10.0.0.13 D:10.0.0.3 TCP AP S:(52643) D:SSH 58
```

That's the output from my home network for a few seconds of activity. I find it interesting to see the traffic that floats across the network, and I've already found some interesting stuff at work—like the Cisco router one of our customers is running (he forgot to turn off the Cisco Discovery Protocol, and it's leaking out onto our network), or the ICMP (Internet Control Message Protocol) router discovery packets (again, from said customer), IGMP (Internet Gateway Message Protocol) packets (from yet a different customer with a talkative router), the Spanning Tree Protocol the various switches use to communicate, and then there's the weird stuff.

```
S:00E0B0641863 D:00E0B0641863 (9000) 60
```

And then there's:

```
S:00E0B0641862 D:AB0000020000 DNARC 63
```

I have this as the “DEC (Digital Electronics Corporation) DNA Remote console,” but as far as I know, we have no DEC equipment anywhere on our network. And from the looks of it, both alien packets derive from the same (or similar) equipment, but the really odd thing about this (as if things weren't weird enough) is that I can't reconcile the locations where I saw these two packets—different segments of our network (i.e. the network segment where I saw the first weird packet is physically disjointed from the network segment where I saw the second weird packet).
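The "same (or similar) equipment" observation can be checked mechanically. The following is an added example, not monnet's own code: it parses summary lines in the layout inferred from the output above, flags frames outside an assumed baseline of ARP and IPv4, and groups the flagged senders by the first three octets of their MAC address (the OUI). The names `parse`, `triage` and `EXPECTED` are hypothetical.

```python
import re
from collections import defaultdict

# Five lines copied from the monnet output shown on this page.
SAMPLE = """\
S:02608CD87517 D:0014BF4DECE5 ARP A:request ETH:IPv4 10.0.0.1 10.0.0.160
S:0040332E103C D:02608CD87517 IPv4 S:10.0.0.3 D:10.0.0.1 UDP S:NTP D:NTP 62
S:000D935D6D86 D:0040332E103C IPv4 S:10.0.0.13 D:10.0.0.3 TCP AP S:(52643) D:SSH 58
S:00E0B0641863 D:00E0B0641863 (9000) 60
S:00E0B0641862 D:AB0000020000 DNARC 63
"""

# Assumed layout, inferred from the sample: source MAC, destination MAC,
# a protocol token (a name, or an EtherType in parentheses), then details.
LINE = re.compile(r"^S:([0-9A-F]{12}) D:([0-9A-F]{12}) (\S+)(?: (.*))?$")
EXPECTED = frozenset({"ARP", "IPv4"})  # assumption: the baseline for this LAN

def parse(line):
    """Split one summary line into fields, or return None if it does not fit."""
    m = LINE.match(line.strip())
    if m is None:
        return None
    src, dst, proto, detail = m.groups()
    return {"src": src, "dst": dst, "proto": proto, "detail": detail or ""}

def is_group_address(mac):
    """True when the I/G bit (low bit of the first octet) is set."""
    return bool(int(mac[:2], 16) & 1)

def triage(text, expected=EXPECTED):
    """Return (flagged, by_oui): odd frames, and their senders grouped by OUI."""
    flagged, by_oui = [], defaultdict(set)
    for line in text.splitlines():
        frame = parse(line)
        if frame is None:  # blank or unrecognised line: skipped
            continue
        reasons = []
        if frame["proto"] not in expected:
            reasons.append("unexpected protocol " + frame["proto"])
        if frame["src"] == frame["dst"]:
            reasons.append("source equals destination")
        elif is_group_address(frame["dst"]) and frame["proto"] not in expected:
            reasons.append("group destination " + frame["dst"])
        if reasons:
            flagged.append((frame["src"], reasons))
            by_oui[frame["src"][:6]].add(frame["src"])
    return flagged, dict(by_oui)

if __name__ == "__main__":
    flagged, by_oui = triage(SAMPLE)
    for src, reasons in flagged:
        print(src, "; ".join(reasons))
    for oui, macs in by_oui.items():
        print("OUI", oui, "senders:", ", ".join(sorted(macs)))
```

Run over the sample, only the two alien frames are flagged, and both senders fall under the same OUI with addresses that differ by one.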

I wonder …

Did I perhaps discover the mysterious Halloween Packets?

What was that noise?

It came from the wiring closet—

Excuse me while I go check it out.
