Security Incidents mailing list archives
Re: Strange tcpdump file
From: vern () ee lbl gov
Date: Mon, 22 Oct 2001 20:47:19 -0700
http://www.cstone.net/~lmf1t/anom_logs/bogusIP.log
Ethereal version 0.8.20 shows that the packet has IP header length of 0.
If you trace a busy link, it turns out you see busted stuff like this every day. For example, the Bro intrusion detection system, which I run operationally at lbl.gov, observes truncated packets, illegal TCP acknowledgements and retransmissions, benign splitting of TCP headers across different IP fragments, etc. See the discussion of "The Problem of Crud" in the Bro paper:

ftp://ftp.ee.lbl.gov/papers/bro-CN99.ps.gz

- Vern

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
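
An added example, not part of the original message and not Bro's code: a minimal IPv4 header sanity check of the kind a monitor needs before it can decode packets like the zero-header-length one reported above or the truncated ones mentioned in the reply. The function names, verdict strings and sample packets are constructed for illustration.

```python
import struct

def classify_ipv4(buf: bytes) -> str:
    """Return 'ok' or the first reason the captured bytes are not a sane IPv4 header."""
    if len(buf) < 20:
        return "truncated header"
    ver_ihl, _tos, total_len = struct.unpack("!BBH", buf[:4])
    version, hdr_len = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        return "bad version"
    if hdr_len < 20:                 # IHL below 5 words, including an IHL of 0
        return "bad header length"
    if len(buf) < hdr_len:
        return "truncated options"
    if total_len < hdr_len:
        return "total length below header length"
    if total_len > len(buf):         # a short capture snaplen looks the same
        return "truncated payload"
    return "ok"

def build(ihl=5, total_len=None, payload=b""):
    """Constructed test packet: 20-byte header, checksum left 0 (not verified here)."""
    if total_len is None:
        total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0, 0, 64, 6, 0,
                      bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + payload

# Constructed samples, not taken from the capture discussed in the thread.
SAMPLES = {
    "normal": build(payload=b"A" * 8),
    "ihl_zero": build(ihl=0),
    "cut_mid_header": build()[:12],
    "options_missing": build(ihl=6, total_len=24),
    "total_len_too_small": build(total_len=10),
    "payload_cut": build(total_len=100, payload=b"A" * 8),
}

def survey(samples=SAMPLES):
    """Map each sample name to its verdict."""
    return {name: classify_ipv4(pkt) for name, pkt in samples.items()}

if __name__ == "__main__":
    for name, verdict in survey().items():
        print(f"{name:22s} {verdict}")
```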