Security Incidents mailing list archives

Re: Strange tcpdump file


From: vern () ee lbl gov
Date: Mon, 22 Oct 2001 20:47:19 -0700

http://www.cstone.net/~lmf1t/anom_logs/bogusIP.log

Ethereal version 0.8.20 shows that the packet has IP header length of 0.

If you trace a busy link, it turns out you see busted stuff like this
every day.  For example, the Bro intrusion detection system, which I run
operationally at lbl.gov, observes truncated packets, illegal TCP
acknowledgements and retransmissions, benign splitting of TCP headers
across different IP fragments, etc.  See the discussion of "The Problem
of Crud" in the Bro paper:

        ftp://ftp.ee.lbl.gov/papers/bro-CN99.ps.gz

- Vern
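Added example, not part of the original message or of Bro/tcpdump: a small Python check for the kind of malformed IPv4 header the thread describes (IHL of 0, truncated captures), run over constructed sample headers. Field layout follows RFC 791; the helper and sample names are made up for this demonstration.

```python
"""Sanity-check an IPv4 header before trusting it, as a capture tool or IDS must."""
import struct
from typing import Optional, Tuple

# Reasons a packet is classified as "crud" rather than a parseable IPv4 datagram.
TOO_SHORT = "captured bytes shorter than minimum IPv4 header"
BAD_VERSION = "version field is not 4"
BAD_IHL = "IP header length field (IHL) below minimum of 5 words"
BAD_TOTAL_LEN = "total length shorter than header length"
TRUNCATED = "captured bytes shorter than IP total length"


def check_ipv4_header(frame: bytes, caplen: Optional[int] = None) -> Tuple[bool, str]:
    """Return (ok, reason). `frame` starts at the IP header; `caplen` is the
    number of bytes the capture actually retained (defaults to len(frame))."""
    caplen = len(frame) if caplen is None else min(caplen, len(frame))
    if caplen < 20:
        return False, TOO_SHORT
    ver_ihl, _tos, total_len = struct.unpack("!BBH", frame[:4])
    version = ver_ihl >> 4
    ihl_bytes = (ver_ihl & 0x0F) * 4          # IHL is in 32-bit words
    if version != 4:
        return False, BAD_VERSION
    if ihl_bytes < 20:                        # IHL 0 lands here, like the packet in the thread
        return False, BAD_IHL
    if total_len < ihl_bytes:
        return False, BAD_TOTAL_LEN
    if caplen < total_len:                    # snaplen or wire truncation
        return False, TRUNCATED
    return True, "ok"


def _hdr(ver_ihl: int, total_len: int, proto: int = 6) -> bytes:
    """Constructed 20-byte IPv4 header (checksum 0, TEST-NET-1 addresses)."""
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))


# Constructed samples: a well-formed packet, one with IHL 0, and a truncated capture.
GOOD = _hdr(0x45, 40) + b"\x00" * 20        # 20-byte IP header + 20-byte TCP header
ZERO_IHL = _hdr(0x40, 40) + b"\x00" * 20    # version 4, IHL 0
TRUNC = _hdr(0x45, 1500)                    # claims 1500 bytes, only 20 captured

if __name__ == "__main__":
    for name, pkt in (("GOOD", GOOD), ("ZERO_IHL", ZERO_IHL), ("TRUNC", TRUNC)):
        print(name, check_ipv4_header(pkt))
```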
