Re: Help Interpreting data from Wireshark
On Sun, 04 Feb 2007, in the Usenet newsgroup comp.os.linux.security, in article
<07sxh.15530$Xq6.10441@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>, DaveM wrote:

Today while on the Internet I got the following data from
p54A05FE2.dip.t-dialin.net on my Wireshark display.

That seems to be set in the "Baffle 'em with technobabble" mode.

A quick search on Google indicates a spammer.

One wonders what you set for search keywords.

Can someone help me interpret this data and recommend a security
posture to mitigate?

Disable Wireshark.

What concerns me is that the packet seemed to have a source address of
192.168.1.1 but later in the packet you see the dest as 84.160.95.226

Most likely reason is the host that generated the packet is behind a
router/cablemodem/port-forwarder device like you. I'm a lot more
concerned with the received TTL below.

How do I know if they actually logged onto my machine? I searched
/var/log but found nothing.

Because they didn't. This packet is an ICMP error message (go away,
there's no one listening at the port YOU tried to connect to) in
response to a UDP packet that claims to have come from you, but was
almost certainly spoofed. Bottom line: typical Internet noise.

I only listed one packet for the example but got a boat load on my
screen. Data follows:

Let's see if we can cut through the mountains of bullsh!t this contains.

Protocol Info
4913 2007-02-04 15:48:00.462669 p54A05FE2.dip.t-dialin.net DENVER.local
ICMP Destination unreachable (Port unreachable)

See RFC0792 "Internet Control Message Protocol (ICMP)". That German host
is refusing to accept a packet that it was told came from you, and is
telling you to stop bothering it.

Frame 4913 (134 bytes on wire, 134 bytes captured)

Technobabble - aren't you impressed?

Internet Protocol, Src: p54A05FE2.dip.t-dialin.net (84.160.95.226), Dst:
DENVER.local (192.168.2.101)

More technobabble - only thing interesting here is

Time to live: 255

TTL was set to maximum, and not decremented en route. Suspicious, as this
violates RFC1812 and is thus unlikely. I'd be looking at the next hop
box - the one with the "TECOM Co., Ltd." network card - for more details.

Ethernet II, Src: 192.168.1.1 (00:03:c9:5b:40:0f), Dst: DENVER.local
(00:0e:2e:99:72:ee)

"00:03:c9" is the "TECOM" box, and the packet is being sent to a box with
an "Edimax Technology" ("00:0e:2e") NIC, which is probably "this" box.

Internet Control Message Protocol

What's in this packet

Internet Protocol, Src: DENVER.local (192.168.2.101), Dst:
p54A05FE2.dip.t-dialin.net (84.160.95.226)

And this is the packet that caused the ICMP message - note that it CLAIMS
to have come from you

Time to live: 64
Protocol: UDP (0x11)

with a _RECEIVED_ TTL of 64 and containing a UDP packet

User Datagram Protocol, Src Port: rfe (5002), Dst Port: 5010 (5010)

Hard to say - something on "your" end (sometimes "Radio Free Ethernet")
sent something to "TelepathStart", but 'Yahoo! Messenger' also uses that
port.

Real-Time Transport Protocol

That _suggests_ it might be RFE (streaming audio of some kind).

Minor problem - the "received TTL" of 64 suggests a spoofed packet, as it
either began life with a TTL of 64 (and wasn't decremented en route) or
128 (and went through 64 hops to get "there" - I don't think so).

Old guy

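As an added example that is not part of the thread: a small Python script that builds a constructed ICMP port-unreachable packet shaped like the one DaveM posted (outer TTL 255, quoted datagram with TTL 64, UDP 5002 to 5010), parses the outer IP, ICMP and quoted headers the way the reply walks through them, and turns Old guy's TTL reasoning into triage checks. The sample bytes, the set of common initial TTLs and the finding wording are this example's assumptions, not anything from the capture.

```python
import struct
from ipaddress import IPv4Address

ICMP, UDP = 1, 17
COMMON_INITIAL_TTLS = {64, 128, 255}   # assumed: Linux/BSD, Windows, Cisco/Solaris defaults

def ipv4_header(src, dst, ttl, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left zero (constructed sample only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)

def build_sample():
    """Constructed ICMP type 3 / code 3 shaped like the post: outer TTL 255, quoted TTL 64."""
    udp = struct.pack("!HHHH", 5002, 5010, 8, 0)             # rfe (5002) -> 5010, no payload
    quoted = ipv4_header("192.168.2.101", "84.160.95.226", 64, UDP, len(udp)) + udp
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + quoted           # type 3, code 3, csum, unused
    return ipv4_header("84.160.95.226", "192.168.2.101", 255, ICMP, len(icmp)) + icmp

def parse_icmp_unreachable(pkt):
    """Extract the fields the post reasons about from outer IP, ICMP and the quoted datagram."""
    if pkt[9] != ICMP:
        raise ValueError("not an ICMP packet")
    icmp = pkt[(pkt[0] & 0x0F) * 4:]
    if icmp[0] != 3:
        raise ValueError("not ICMP destination unreachable")
    inner = icmp[8:]                        # RFC 792: original IP header + first 8 bytes
    iihl = (inner[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", inner[iihl:iihl + 4])
    return {
        "outer_src": str(IPv4Address(pkt[12:16])), "outer_dst": str(IPv4Address(pkt[16:20])),
        "outer_ttl": pkt[8], "code": icmp[1],
        "inner_src": str(IPv4Address(inner[12:16])), "inner_dst": str(IPv4Address(inner[16:20])),
        "inner_ttl": inner[8], "inner_proto": inner[9], "sport": sport, "dport": dport,
    }

def triage(f):
    """Apply the post's TTL reasoning; returns a list of findings (empty means nothing odd)."""
    findings = []
    if f["code"] == 3 and f["inner_src"] == f["outer_dst"]:
        findings.append(f"{f['outer_src']} reports no listener on UDP/{f['dport']} for a "
                        f"datagram claiming to come from {f['inner_src']}")
    if f["outer_ttl"] == 255:
        findings.append("outer TTL 255: never decremented, so it did not cross RFC 1812 "
                        "routers; examine the adjacent hop rather than the stated source")
    if f["inner_ttl"] in COMMON_INITIAL_TTLS:
        findings.append(f"quoted TTL {f['inner_ttl']} is an untouched initial value: the "
                        "datagram most likely never left this host, i.e. it was spoofed")
    return findings

print(*triage(parse_icmp_unreachable(build_sample())), sep="\n")
```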