Strange tcpdump file

From: Lindsay (lmf1t@cstone.net)
Date: 10/20/01


Message-ID: <3BD1D923.160CF444@cstone.net>
Date: Sat, 20 Oct 2001 16:05:56 -0400
From: Lindsay <lmf1t@cstone.net>
To: incidents@securityfocus.com
Subject: Strange tcpdump file

In the several years I've been using tcpdump to capture interesting
packets, the filter
"not ( ip proto icmp or ip proto tcp or ip proto udp )"
had never logged anything. Until I found the following "packet" capture:

http://www.cstone.net/~lmf1t/anom_logs/bogusIP.log

Ethereal version 0.8.20 shows that the packet has IP header length of 0.
Interestingly, the capture is 1460 bytes in length (less than the
1500-byte snap length), and it just so happens that stepping into the
zero-length header (!) shows the packet-length field to be 0x05b4 or
1460. It seems that tcpdump (version 3.4) / libpcap (version 0.4)
interprets (some) IP header fields even though the header length is
zero.

I've tried to replicate the packet by revisiting the web sites I had
visited just before the anomalous packet, but no luck. Snort was silent,
as was ipchains. Has anybody an idea of what this is? I don't see how it
could possibly be routed, so I tend to think ... just a hiccough, noise
on the line, whatever....

Lindsay
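The post describes a capture whose IP header length (IHL) is zero while the total-length field at a fixed offset still reads 0x05b4 (1460), and a decoder that reports fields anyway. The following added example (not from the post or from tcpdump/libpcap) builds such a frame, shows a naive fixed-offset decoder reporting 1460, and a checked decoder that rejects the header as malformed before trusting any field. The frame contents are constructed for illustration.

```python
import struct

ETH_IPV4 = 0x0800  # EtherType for IPv4


def build_sample(ihl: int, total_length: int) -> bytes:
    """Constructed Ethernet II + IPv4 frame with a chosen IHL and total length."""
    eth = bytes(6) + bytes(6) + struct.pack("!H", ETH_IPV4)
    ver_ihl = (4 << 4) | (ihl & 0x0F)
    ip = struct.pack("!BBHHHBBH4s4s",
                     ver_ihl, 0, total_length, 0, 0, 64, 6, 0,
                     bytes(4), bytes(4))
    return eth + ip + bytes(max(0, total_length - 20))


def naive_ip_fields(frame: bytes) -> dict:
    """Read IP fields at fixed offsets without checking the IHL, the way the
    post suggests the old tcpdump/libpcap did for this packet."""
    ip = frame[14:]
    return {"ihl": ip[0] & 0x0F,
            "total_length": struct.unpack("!H", ip[2:4])[0],
            "proto": ip[9]}


def checked_ip_header(frame: bytes):
    """Validate the header before trusting any field; return (ok, reason, fields)."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return False, "not IPv4", None
    ip = frame[14:]
    if len(ip) < 20:
        return False, "truncated header", None
    version, ihl = ip[0] >> 4, ip[0] & 0x0F
    if version != 4:
        return False, f"bad version {version}", None
    if ihl < 5:  # minimum IPv4 header is 5 32-bit words; 0 is never valid
        return False, f"IHL {ihl} (< 5 words) is invalid", None
    total_length = struct.unpack("!H", ip[2:4])[0]
    if total_length < ihl * 4 or total_length > len(ip):
        return False, f"total length {total_length} inconsistent with frame", None
    return True, "ok", {"ihl": ihl, "total_length": total_length, "proto": ip[9]}


if __name__ == "__main__":
    bogus = build_sample(0, 0x05B4)
    print(naive_ip_fields(bogus))      # reports total_length 1460 despite IHL 0
    print(checked_ip_header(bogus))    # rejected: IHL 0 is invalid
```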

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
