Security Incidents mailing list archives

Re: {MERIT-INP} 7.0.1.0 -> 14.0.2.13


From: Valdis.Kletnieks () vt edu
Date: Fri, 22 Mar 2002 15:46:13 -0500

On Fri, 22 Mar 2002 10:29:56 PST, seren geti <serengeti () firstlinux net>  said:

> snort[1955]: [1:1321:4] BAD TRAFFIC 0 ttl [Classification: Misc activity] [Priority: 3]: {MERIT-INP} 7.0.1.0 -> 14.0.2.13
>
> I'll attach the packet that was captured.
>
> Because it froze the ServerIron and Snort is running off of a mirrored port, I only got the first packet.  I'm not
> sure if there were more or not.  I didn't find any evidence of this packet on other devices.
>
> I have many questions:  What is the MERIT-INP protocol used for?  All I've been able to find is that it's number 32.
>
> How would one of these get into my network, or what creates these?

My first guess would be a broken/jabbering transceiver or other error.  Also,
look at the possibility that you missed start of a header, so the fields are all
offset by a bit (this will require some hand-decoding of packets).  Look for
something that's a valid IP header either forward or back of where it's "supposed"
to be.  Another possibility is a string of datagrams with undetected collisions.
Look to see if all those segments that start off with 08 00 30 30... FF FF FF
make sense as broadcast packets - 48 bits of the offending station's MAC, followed
by 48 bits of MAC broadcast...
-- 
                                Valdis Kletnieks
                                Computer Systems Senior Engineer
                                Virginia Tech
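A small scanner for the hand-decoding Valdis suggests, added here as an example and not part of the thread: it walks a raw byte capture and reports every offset at which an IPv4 header with a verifying checksum begins, so a missed frame start shows up as the header being found earlier or later than expected. The sample bytes are constructed, placing the alert's addresses and protocol 32 behind a few stray bytes.

```python
import socket
import struct


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement sum; yields 0 over a header whose checksum field is valid."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, ttl: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with a valid checksum (used only for the constructed sample)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def find_ipv4_headers(buf: bytes) -> list:
    """Offsets where version 4, IHL >= 5, a verifying checksum and a sane Total Length line up."""
    hits = []
    for off in range(len(buf) - 19):
        if buf[off] >> 4 != 4:
            continue
        ihl = (buf[off] & 0x0F) * 4
        if ihl < 20 or off + ihl > len(buf):
            continue
        hdr = buf[off:off + ihl]
        if ipv4_checksum(hdr) != 0:          # checksum over the whole header must fold to 0
            continue
        if struct.unpack("!H", hdr[2:4])[0] < ihl:  # Total Length must at least cover the header
            continue
        hits.append({"offset": off, "ttl": hdr[8], "proto": hdr[9],
                     "src": socket.inet_ntoa(hdr[12:16]), "dst": socket.inet_ntoa(hdr[16:20])})
    return hits


# Constructed sample (not the poster's capture): three stray bytes standing in for a missed
# frame start, then a broadcast Ethernet frame carrying protocol 32 (MERIT-INP), TTL 0,
# 7.0.1.0 -> 14.0.2.13 as in the Snort alert. The header should be found at offset 3 + 14 = 17.
STRAY = b"\x30\x30\x30"
ETH = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00"
SAMPLE = STRAY + ETH + build_ipv4_header("7.0.1.0", "14.0.2.13", 32, 0, 28) + b"\x00" * 8
```

Run it over the raw bytes of a suspect capture; a hit whose offset is not 14 (or 0 for a capture without link-layer framing) is exactly the misaligned header the reply describes.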
