Strange tcpdump file

From: Lindsay (
Date: 10/20/01

Message-ID: <>
Date: Sat, 20 Oct 2001 16:05:56 -0400
From: Lindsay <>
Subject: Strange tcpdump file

In the several years I've been using tcpdump to capture interesting
packets, the filter
"not ( ip proto icmp or ip proto tcp or ip proto udp )"
had never logged anything. Until I found the following "packet" capture:

Ethereal version 0.8.20 shows that the packet has IP header length of 0.
Interestingly, the capture is 1460 bytes in length (less than the
1500-byte snap length), and it just so happens that stepping into the
zero-length header (!) shows the packet-length field to be 0x05b4 or
1460. It seems that tcpdump (version 3.4) / libpcap (version 0.4)
interprets (some) IP header fields even though the header length is

I've tried to replicate the packet by revisiting the web sites I had
visited just before the anomalous packet, but no luck. Snort was silent,
as was ipchains. Has anybody an idea of what this is? I don't see how it
could possibly be routed, so I tend to think ... just a hiccough, noise
on the line, whatever....


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see:
