Re: Anybody seen this before?
From:Date: 11/12/02
- Next message: : "Re: linux newbie: how to stop port scan abuse?"
- Previous message: Adam: "Re: disk cleaning tool?"
- In reply to: James Wyatt: "Anybody seen this before?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 12 Nov 2002 19:48:05 +0000 (UTC)
On Tue, 12 Nov 2002 00:58:18 GMT, James Wyatt <nobody@nowhere.com> wrote:
>I noticed some irregular traffic on my server. I did a tcp dump and this
>is what I got:
>> 17:48:16.149837 10.0.1.1.1901 > 239.255.255.250.1900: udp 266
>First of all: Who is 239.255.255.250? It looks a broadcast, but not
>quite. I tried to do a reverse dns lookup, no luck. I tried to nmap
>them, but the address does not appear up.
>Second: Why am I sending udp packets on port 1901? Any legitimate reason
>for me to send them?
The source is 10.0.1.1 and it is going to MULTICAST address
239.255.255.250. Someone is running some multicast software
(ntp uses multicast, some cisco routers do also, mbone traffic)
on your lan. Multicast can be used as a point to group broadcast
when you want (for example) video to go to a group of computers
but to be ignored by the rest.
If you use regular broadcast for this, every machine would see the
packets and have to process them. With multicast, some hardware can
drop unwanted packets (tulip driver for one) without bothering the
computer at all.
- Next message: : "Re: linux newbie: how to stop port scan abuse?"
- Previous message: Adam: "Re: disk cleaning tool?"
- In reply to: James Wyatt: "Anybody seen this before?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
