Security Incidents mailing list archives

Strange tcpdump file


From: Lindsay <lmf1t () cstone net>
Date: Sat, 20 Oct 2001 16:05:56 -0400

In the several years I've been using tcpdump to capture interesting
packets, the filter
"not ( ip proto icmp or ip proto tcp or ip proto udp )"
had never logged anything. Until I found the following "packet" capture:

http://www.cstone.net/~lmf1t/anom_logs/bogusIP.log

Ethereal version 0.8.20 shows that the packet has IP header length of 0.
Interestingly, the capture is 1460 bytes in length (less than the
1500-byte snap length), and it just so happens that stepping into the
zero-length header (!) shows the packet-length field to be 0x05b4 or
1460. It seems that tcpdump (version 3.4) / libpcap (version 0.4)
interprets (some) IP header fields even though the header length is
zero.

I've tried to replicate the packet by revisiting the web sites I had
visited just before the anomalous packet, but no luck. Snort was silent,
as was ipchains. Has anybody an idea of what this is? I don't see how it
could possibly be routed, so I tend to think ...  just a hiccough, noise
on the line, whatever....

Lindsay
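As an added illustration (not from the original post, and not libpcap's or tcpdump's code), the Python below shows why a decoder should validate the IP header length (IHL) before reading any other field. The sample packets are constructed here: one has IHL 0 and a total-length field of 0x05b4 (1460), mirroring the values the poster reports, padded to 1460 bytes; the other is a well-formed 20-byte header for comparison. Source and destination addresses, TTL and protocol values are arbitrary test data.

```python
import struct


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum over 16-bit words (RFC 1071); returns 0 for a
    header whose embedded checksum field is correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(ihl: int, total_length: int, protocol: int,
                      src: bytes, dst: bytes) -> bytes:
    """Constructed test data: a 20-byte IPv4 header with a valid checksum,
    so that the IHL value is the only thing that differs between samples."""
    first = (4 << 4) | (ihl & 0x0F)          # version nibble 4, IHL nibble under test
    hdr = struct.pack("!BBHHHBBH4s4s", first, 0, total_length, 0x1234, 0,
                      64, protocol, 0, src, dst)
    csum = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


SRC = bytes([10, 0, 0, 1])   # arbitrary constructed addresses
DST = bytes([10, 0, 0, 2])

# IHL = 0 with total length 0x05b4 (1460) and protocol 6, padded to 1460 bytes.
SAMPLE_IHL0 = build_ipv4_header(0, 0x05B4, 6, SRC, DST) + b"\x00" * (1460 - 20)
# Well-formed counterpart: IHL = 5 (20-byte header), same length and protocol.
SAMPLE_OK = build_ipv4_header(5, 0x05B4, 6, SRC, DST) + b"\x00" * (1460 - 20)


def naive_parse(pkt: bytes) -> dict:
    """Reads fields at fixed offsets without checking IHL, which is the
    behaviour the poster observed: total length and protocol are reported
    even though the header claims to have no length at all."""
    return {
        "version": pkt[0] >> 4,
        "ihl": pkt[0] & 0x0F,
        "total_length": struct.unpack("!H", pkt[2:4])[0],
        "protocol": pkt[9],
    }


def strict_parse(pkt: bytes) -> dict:
    """Trust no field until the header geometry has been checked.
    Returns the parsed fields, or a dict with an 'error' key giving the reason."""
    if len(pkt) < 20:
        return {"error": "truncated: fewer than 20 bytes"}
    version, ihl = pkt[0] >> 4, pkt[0] & 0x0F
    if version != 4:
        return {"error": f"not IPv4 (version {version})"}
    if ihl < 5:
        # The minimum legal IHL is 5 (20 bytes); 0 means the header has no defined extent.
        return {"error": f"bad IHL {ihl} (minimum is 5)"}
    header_length = ihl * 4
    if len(pkt) < header_length:
        return {"error": "header truncated by IHL"}
    total_length = struct.unpack("!H", pkt[2:4])[0]
    if total_length < header_length or total_length > len(pkt):
        return {"error": f"total length {total_length} inconsistent with header/capture"}
    if ipv4_checksum(pkt[:header_length]) != 0:
        return {"error": "header checksum mismatch"}
    return {
        "version": version,
        "ihl": ihl,
        "header_length": header_length,
        "total_length": total_length,
        "protocol": pkt[9],
        "src": ".".join(map(str, pkt[12:16])),
        "dst": ".".join(map(str, pkt[16:20])),
    }


if __name__ == "__main__":
    print("naive :", naive_parse(SAMPLE_IHL0))
    print("strict:", strict_parse(SAMPLE_IHL0))
    print("strict:", strict_parse(SAMPLE_OK))
```

The naive decoder happily reports a total length of 1460 and a protocol for the IHL-0 sample, which is exactly the kind of output that makes such a frame look like a real packet in a capture; the strict decoder rejects it on the IHL check before any other field is interpreted, and only accepts the well-formed sample after the length and checksum checks pass.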


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
