[ale] Weird TCP dump
On Mon, 29 Sep 2003, Michael D. Hirsch wrote:
> Anyone recognize this? I'm getting really weird tcpdump logs from a box.
> I've put a representative sample below. Why are things being sent on
> loopback with unusual addresses? What is ip-proto-0? Have I been hacked?
IP Protocol 0 was reserved, but is now used for IPv6.
> 15:58:43.165620 127.0.0.197 > 108.122.0.0: ip-proto-0 0 (DF) [tos 0x7,ECT,CE]
FYI, 108/8 is reserved space.
Couple of questions:
0. Can you get a complete capture of the payload of one of these?
1. When you say they're being sent on loopback, where did you actually
capture these (meaning, were you tcpdumping lo, or eth0, or what?)
2. Do you have Solaris boxes around?
later,
chris