Unknown/Weird Traffic?

From: gs-list (gs-list@glsrms.com)
Date: 07/14/02


Date: Sun, 14 Jul 2002 14:56:04 -0500
To: incidents@securityfocus.com
From: gs-list <gs-list@glsrms.com>

Folks:

I have a question that I cannot seem to answer. I just set up a firewall
box for a wireless network on SuSE 7.1. I just built a new kernel (2.2.20)
and am still having a strange issue.

Apparently, this box, (let's call it "28.100") is not properly interpreting
ARP traffic. When using TETHEREAL to capture traffic, I see this:

28.97.0.0 -> 0.0.0.0 IP Fragmented IP protocol (proto=rdp 0x1b, off=18584)
28.97.0.0 -> 0.0.0.0 IP Fragmented IP protocol (proto=rdp 0x1b, off=18584)
28.97.0.0 -> 0.0.0.0 IP Fragmented IP protocol (proto=rdp 0x1b, off=18584)
28.97.0.0 -> 0.0.0.0 IP Fragmented IP protocol (proto=rdp 0x1b, off=18584)
28.97.0.0 -> 0.0.0.0 IP Fragmented IP protocol (proto=rdp 0x1b, off=18584)
28.97.0.0 -> 0.0.0.0 IP Fragmented IP protocol (proto=rdp 0x1b, off=18584)

However, at the same time, I monitor the same line from another (identical)
machine, running SuSE 7.1 and Kernel 2.2.20, I get:

00:c0:49:13:b8:1b -> ff:ff:ff:ff:ff:ff ARP Who has 216.12.28.98? Tell 216.12.28.97
00:c0:49:13:b8:1b -> ff:ff:ff:ff:ff:ff ARP Who has 216.12.28.106? Tell 216.12.28.97
00:c0:49:13:b8:1b -> ff:ff:ff:ff:ff:ff ARP Who has 216.12.28.106? Tell 216.12.28.97
00:c0:49:13:b8:1b -> ff:ff:ff:ff:ff:ff ARP Who has 216.12.28.106? Tell 216.12.28.97
00:c0:49:13:b8:1b -> ff:ff:ff:ff:ff:ff ARP Who has 216.12.28.106? Tell 216.12.28.97

It appears that in the first example, the machine is not properly
interpreting ARP traffic.

Any ideas on how to remedy this situation?

Thanks,
Gregg Sperling
glsrms.com administrator

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
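The odd "Fragmented IP" lines in the first capture can be checked against the ARP request seen in the second capture. The script below is an added example, not part of the post: it builds the ARP who-has frame (sender 00:c0:49:13:b8:1b / 216.12.28.97, target 216.12.28.106 as in the second capture; the target MAC of all zeros is the normal value for a request) and then decodes it as IPv4 starting at every possible link-header length. Only an 18-byte link header reproduces proto 0x1b (rdp), off=18584, 28.97.0.0 -> 0.0.0.0 exactly, so the fields are the ARP sender MAC/IP bytes read through the wrong offset, not real IP fragments. The example does not say why the first box used that offset; it only shows the capture is a decoder misalignment rather than traffic on the wire.

```python
import struct

# Constructed from the second capture: the ARP request the other box decoded correctly.
SENDER_MAC = bytes.fromhex("00c04913b81b")
BROADCAST = b"\xff" * 6

def build_arp_request(sender_mac, sender_ip, target_ip):
    """Ethernet II frame carrying an ARP who-has request (target MAC is zero in a request)."""
    ip_bytes = lambda ip: bytes(int(o) for o in ip.split("."))
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)        # htype, ptype, hlen, plen, op=request
    arp += sender_mac + ip_bytes(sender_ip)
    arp += b"\x00" * 6 + ip_bytes(target_ip)
    return BROADCAST + sender_mac + b"\x08\x06" + arp     # dst MAC, src MAC, EtherType=ARP

def decode_as_ipv4(frame, link_hdr_len):
    """Parse the frame as an IPv4 header, the way a sniffer does when it believes
    the link-layer header is link_hdr_len bytes long. Returns the fields tethereal prints."""
    hdr = frame[link_hdr_len:link_hdr_len + 20]
    (_ver_ihl, _tos, _total_len, _ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", hdr)
    return {
        "proto": proto,
        "frag_offset_bytes": (flags_frag & 0x1FFF) * 8,   # 13-bit offset field, units of 8 bytes
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
    }

def find_offsets_matching(frame, observed):
    """Which link-header lengths make this frame decode to the observed 'IP' fields?"""
    return [n for n in range(len(frame) - 19) if decode_as_ipv4(frame, n) == observed]

# What the first box printed: proto=rdp 0x1b, off=18584, 28.97.0.0 -> 0.0.0.0
OBSERVED = {"proto": 0x1B, "frag_offset_bytes": 18584, "src": "28.97.0.0", "dst": "0.0.0.0"}

if __name__ == "__main__":
    frame = build_arp_request(SENDER_MAC, "216.12.28.97", "216.12.28.106")
    print("link-header lengths reproducing the capture:", find_offsets_matching(frame, OBSERVED))
    # With an 18-byte header the 'src' is the tail of the sender IP (1c 61) plus two zero bytes
    # of the target MAC, and 'dst' is four more zero bytes of the target MAC.
    print(decode_as_ipv4(frame, 18))
```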
