Snort mailing list archives

RE: a lot of Loopback traffic being logged.

From: Milan Kocián <milon () wq cz>
Date: Sun, 25 Apr 2004 20:24:14 +0200

On Fri, 2004-04-23 at 19:23, Chuck Holley wrote:

Did you sniff for 127.0.0.1 packets?  Im using tcpdump and I sniffed for a
while with this command:  tcpdump src 127.0.0.1 -s 1518 -i eth0 -w dump

Im assuming im doing this right.  Im trying to log only packets form
127.0.0.1 and log the whole Ethernet packet 1518 on interface eth0 and write
to a file called dump.

Now, I did this and got two loggings in tcpdump:

13:04:11.172652 IP hal2.http > 192.168.42.50.1361: R 0:0(0) ack 799408129
win 0
13:04:54.391786 IP hal2.http > 192.168.42.52.1196: R 0:0(0) ack 1316880385
win 0

hal2 is the server that has tcpdump on it. Is this machine one of the boxes
that is sending out the 127.0.0.1, or did I simply pickup two packets sent
out form hal2 to these other machines. 

I looked at snort and the exact same ip's, with the exact same ports were
logged coming from 127.0.0.1

To say the least im confused even more!!


Hi,
 I see it on my external interface too. I used tcpdump with -e parameter
to display MAC address of the sender.

tcpdump -e -i eth1 src host 127.0.0.1

I find that MAC address of loopback packets is my ISP's Cisco switch.

So all packets come from external network (I think). I am connected over
wi-fi AP and when I sniffed, I have seen that these packets coming to
most connected people in this AP.

I don't know what it can be.

Regards,

Milan Kocian



-------------------------------------------------------
This SF.net email is sponsored by: The Robotic Monkeys at ThinkGeek
For a limited time only, get FREE Ground shipping on all orders of $35
or more. Hurry up and shop folks, this offer expires April 30th!
http://www.thinkgeek.com/freeshipping/?cpg=12297
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

RE: a lot of Loopback traffic being logged., (continued)
- - - RE: a lot of Loopback traffic being logged. Harry Bloomberg (Apr 22)
    - RE: a lot of Loopback traffic being logged. Fred Portnoy (Apr 22)
  - Need configuration help Tinni (Apr 22)
    - How to start snort for multiple servers' traffic Tinni (Apr 23)
    - Re: How to start snort for multiple servers' traffic Edin Dizdarevic (Apr 23)
- Re: a lot of Loopback traffic being logged. Mark . Schutzmann (Apr 22)
  - RE: a lot of Loopback traffic being logged. Chuck Holley (Apr 23)
    - RE: a lot of Loopback traffic being logged. Fred Portnoy (Apr 23)
    - RE: a lot of Loopback traffic being logged. Chuck Holley (Apr 23)
    - RE: a lot of Loopback traffic being logged. Fred Portnoy (Apr 23)
    - RE: a lot of Loopback traffic being logged. Milan Kocián (Apr 25)
- RE: a lot of Loopback traffic being logged. Mark . Schutzmann (Apr 23)
- RE: a lot of Loopback traffic being logged. rod (May 27)
  - RE: a lot of Loopback traffic being logged. Alejandro Flores (May 27)
    - RE: a lot of Loopback traffic being logged. rod (May 28)
  - how to clean up database? Cesar (May 27)