Strange tcpdump file
From: Lindsay (lmf1t@cstone.net)
Date: 10/20/01
- Previous message: Mike Peterson: "Trojan Program Thread"
- Next in thread: vern@ee.lbl.gov: "Re: Strange tcpdump file"
- Reply: vern@ee.lbl.gov: "Re: Strange tcpdump file"
Message-ID: <3BD1D923.160CF444@cstone.net>
Date: Sat, 20 Oct 2001 16:05:56 -0400
From: Lindsay <lmf1t@cstone.net>
To: incidents@securityfocus.com
Subject: Strange tcpdump file
In the several years I've been using tcpdump to capture interesting
packets, the filter
"not ( ip proto icmp or ip proto tcp or ip proto udp )"
had never logged anything. Until I found the following "packet" capture:
http://www.cstone.net/~lmf1t/anom_logs/bogusIP.log
Ethereal version 0.8.20 shows that the packet has IP header length of 0.
Interestingly, the capture is 1460 bytes in length (less than the
1500-byte snap length), and it just so happens that stepping into the
zero-length header (!) shows the packet-length field to be 0x05b4 or
1460. It seems that tcpdump (version 3.4) / libpcap (version 0.4)
interprets (some) IP header fields even though the header length is
zero.
I've tried to replicate the packet by revisiting the web sites I had
visited just before the anomalous packet, but no luck. Snort was silent,
as was ipchains. Has anybody an idea of what this is? I don't see how it
could possibly be routed, so I tend to think ... just a hiccough, noise
on the line, whatever....
Lindsay
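The post's observation is that a parser reading IPv4 fields at fixed offsets will happily report a protocol and a total length even when the IHL nibble is 0, and that the BPF filter `not (ip proto icmp or ip proto tcp or ip proto udp)` judges the packet on the protocol byte at IP offset 9 alone. The script below is an added example, not code from the original post or from tcpdump/libpcap: it builds a constructed frame that mimics the description (IHL field 0, total-length field 0x05b4 = 1460, capture length 1460 bytes), shows what a fixed-offset parser reports, emulates the filter, and adds the header sanity checks a dissector should apply before trusting those fields. The frame contents (addresses, version nibble 4, protocol byte 0) are assumptions; the real bogusIP.log is not reproduced here.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
IP_PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
ETH_HDR_LEN = 14


def build_constructed_frame(ihl=0, total_len=0x05B4, proto=0, frame_len=1460):
    """Constructed Ethernet+IPv4 frame (an assumption, not the real capture).
    Only the IHL, total-length and protocol fields matter for the demonstration;
    MACs, IPs and the version nibble (4) are made up."""
    eth = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
           + struct.pack("!H", ETHERTYPE_IPV4))
    ip_fixed = struct.pack("!BBHHHBBH4s4s",
                           (4 << 4) | (ihl & 0x0F),   # version 4, IHL as given
                           0, total_len, 0, 0, 64, proto, 0,
                           bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    frame = eth + ip_fixed
    return frame + b"\x00" * (frame_len - len(frame))   # pad to the capture length


def parse_ipv4_fields(ip):
    """Fixed-offset read of the IPv4 fields, without consulting IHL.  This is the
    behaviour the post noticed: the offsets of total length and protocol never
    depend on the header-length nibble, so a zero-IHL header still 'decodes'."""
    vihl, tos, total_len, ident, frag, ttl, proto, csum = struct.unpack("!BBHHHBBH", ip[:12])
    return {"version": vihl >> 4, "ihl": vihl & 0x0F,
            "header_len": (vihl & 0x0F) * 4, "total_len": total_len,
            "proto": proto, "proto_name": IP_PROTO_NAMES.get(proto, str(proto))}


def bpf_not_icmp_tcp_udp(ip):
    """Emulates the post's filter: not (ip proto icmp or ip proto tcp or ip proto udp).
    'ip proto X' compiles to a compare of the byte at IP offset 9; BPF does not
    validate IHL, so the packet is accepted or rejected on that byte alone."""
    return ip[9] not in IP_PROTO_NAMES


def sanity_check_ipv4(ip):
    """Return the list of reasons the header is implausible (empty = looks sane)."""
    problems = []
    if len(ip) < 20:
        return ["fewer than 20 bytes available for the IPv4 header"]
    h = parse_ipv4_fields(ip)
    if h["version"] != 4:
        problems.append(f"version {h['version']} != 4")
    if h["ihl"] < 5:
        problems.append(f"IHL {h['ihl']} gives a {h['header_len']}-byte header; minimum is 20")
    if h["total_len"] < max(20, h["header_len"]):
        problems.append(f"total length {h['total_len']} is shorter than the header")
    if h["total_len"] > len(ip):
        problems.append(f"total length {h['total_len']} exceeds {len(ip)} captured IP bytes")
    return problems


def analyse_frame(frame):
    """Dissect one captured Ethernet frame and report what a naive decoder sees,
    whether the post's filter passes it, and which sanity checks it fails."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        return {"ipv4": False}
    ip = frame[ETH_HDR_LEN:]
    return {"ipv4": True, "caplen": len(frame), "fields": parse_ipv4_fields(ip),
            "passes_filter": bpf_not_icmp_tcp_udp(ip),
            "problems": sanity_check_ipv4(ip)}


if __name__ == "__main__":
    result = analyse_frame(build_constructed_frame())
    f = result["fields"]
    print(f"caplen={result['caplen']} ihl={f['ihl']} "
          f"total_len=0x{f['total_len']:04x} ({f['total_len']}) proto={f['proto_name']}")
    print("passes 'not (icmp or tcp or udp)' filter:", result["passes_filter"])
    for p in result["problems"]:
        print(" -", p)
```

Running it against the constructed frame reports IHL 0 alongside a total length of 1460, the filter passes the packet because byte 9 is none of 1, 6 or 17, and the sanity check flags both the impossible header length and a total length larger than the bytes actually captured. The same checks applied before protocol dispatch are what keep a dissector from reading a port or ICMP type out of garbage when a frame like this arrives.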
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com