Security Incidents mailing list archives
Strange tcpdump file
From: Lindsay <lmf1t () cstone net>
Date: Sat, 20 Oct 2001 16:05:56 -0400
In the several years I've been using tcpdump to capture interesting packets, the filter "not ( ip proto icmp or ip proto tcp or ip proto udp )" had never logged anything. Until I found the following "packet" capture:

http://www.cstone.net/~lmf1t/anom_logs/bogusIP.log

Ethereal version 0.8.20 shows that the packet has an IP header length of 0. Interestingly, the capture is 1460 bytes in length (less than the 1500-byte snap length), and it just so happens that stepping into the zero-length header (!) shows the packet-length field to be 0x05b4, or 1460. It seems that tcpdump (version 3.4) / libpcap (version 0.4) interprets (some) IP header fields even though the header length is zero.

I've tried to replicate the packet by revisiting the web sites I had visited just before the anomalous packet, but no luck. Snort was silent, as was ipchains.

Has anybody an idea of what this is? I don't see how it could possibly be routed, so I tend to think ... just a hiccough, noise on the line, whatever....

Lindsay

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
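An added example, not the poster's capture nor tcpdump's or libpcap's code: a minimal IPv4 header decoder that reads fields at fixed offsets (and so still pulls 0x05b4 out of a header whose IHL is 0) beside one that validates the version and IHL before trusting any field. The packet bytes are constructed here for illustration.

```python
import struct

def build_ipv4_header(ihl, total_length, proto=6):
    """Construct a 20-byte IPv4 header with a chosen IHL nibble and total length."""
    ver_ihl = (4 << 4) | (ihl & 0x0F)
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto, checksum, src, dst
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_length, 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

# Constructed samples: a sane header, and one with IHL=0 but length field 0x05b4 (1460)
GOOD_HEADER = build_ipv4_header(ihl=5, total_length=1460)
ZERO_IHL_HEADER = build_ipv4_header(ihl=0, total_length=0x05B4)

def naive_parse(pkt):
    """Read fields at fixed offsets without checking IHL, as the post suggests
    the old decoder did; happily reports a length from a zero-length header."""
    return {"total_length": struct.unpack("!H", pkt[2:4])[0], "protocol": pkt[9]}

def strict_parse(pkt, caplen=None):
    """Validate version, IHL and length consistency before trusting any field."""
    if len(pkt) < 20:
        raise ValueError("truncated: fewer than 20 bytes")
    version, ihl = pkt[0] >> 4, pkt[0] & 0x0F
    if version != 4:
        raise ValueError(f"not IPv4 (version={version})")
    if ihl < 5:
        raise ValueError(f"bogus IHL={ihl} (header shorter than 20 bytes)")
    header_len = ihl * 4
    if len(pkt) < header_len:
        raise ValueError("truncated: IHL exceeds captured bytes")
    total_length = struct.unpack("!H", pkt[2:4])[0]
    if total_length < header_len:
        raise ValueError("total length smaller than header length")
    caplen = len(pkt) if caplen is None else caplen
    return {"ihl": ihl, "header_len": header_len, "total_length": total_length,
            "protocol": pkt[9], "truncated": total_length > caplen}

def classify(pkt):
    """Return None for a sane header, otherwise the reason it was rejected."""
    try:
        strict_parse(pkt)
        return None
    except ValueError as err:
        return str(err)
```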