Security Incidents mailing list archives

RE: wired traffic


From: "David Gillett" <gillettdavid () fhda edu>
Date: Mon, 30 Jan 2006 15:42:55 -0800

  When I've seen bad checksums reported, it has been in one
of two cases:

1.  Captured packets were truncated to save disk space.  (I
  don't think this applies.)

2.  Source or destination address was spoofed, by code that
  changed those bytes AFTER the sender's checksum was calculated.

  So perhaps these packets are not really coming from your router?

David Gillett


-----Original Message-----
From: fowl8510 () unco edu [mailto:fowl8510 () unco edu] 
Sent: Monday, January 30, 2006 9:09 AM
To: incidents () securityfocus com
Subject: Re: wired traffic

Sorry, I should've given a little more information.  
192.168.1.1 is a linksys router.  Here's the command and the 
output.  I don't understand this traffic, but what confuses 
me even more is that the router is sending packets with bad 
checksums...

sanctus:~ adam$ sudo tcpdump -i en2 -e -n -vvv -xx not host 192.168.1.100
tcpdump: listening on en2, link-type EN10MB (Ethernet), capture size 96 bytes
09:17:05.367722 00:0f:66:a7:b8:4b > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 55: IP (tos 0x0, ttl 150, id 4711, offset 0, flags [none], length: 41) 192.168.1.1.5700 > 0.0.0.0.0: . [bad tcp cksum 61da (->89e6)!] 0:1(1) ack 0 win 0
        0x0000:  ffff ffff ffff 000f 66a7 b84b 0800 4500  ........f..K..E.
        0x0010:  0029 1267 0000 9606 50bf c0a8 0101 0000  .).g....P.......
        0x0020:  0000 1644 0000 0000 0000 0000 0000 5010  ...D..........P.
        0x0030:  0000 61da 0000 4e                        ..a...N
09:17:05.368290 00:0f:66:a7:b8:4b > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 55: IP (tos 0x0, ttl 150, id 4712, offset 0, flags [none], length: 41) 192.168.1.1.1119 > 0.0.0.0.0: . [bad tcp cksum 61da (->9bcb)!] 0:1(1) ack 0 win 0
        0x0000:  ffff ffff ffff 000f 66a7 b84b 0800 4500  ........f..K..E.
        0x0010:  0029 1268 0000 9606 50be c0a8 0101 0000  .).h....P.......
        0x0020:  0000 045f 0000 0000 0000 0000 0000 5010  ..._..........P.
        0x0030:  0000 61da 0000 4e                        ..a...N
09:17:05.368926 00:0f:66:a7:b8:4b > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 55: IP (tos 0x0, ttl 150, id 4714, offset 0, flags [none], length: 41) 192.168.1.1.1122 > 0.0.0.0.0: . [bad tcp cksum 61da (->9bc8)!] 0:1(1) ack 0 win 0
        0x0000:  ffff ffff ffff 000f 66a7 b84b 0800 4500  ........f..K..E.
        0x0010:  0029 126a 0000 9606 50bc c0a8 0101 0000  .).j....P.......
        0x0020:  0000 0462 0000 0000 0000 0000 0000 5010  ...b..........P.
        0x0030:  0000 61da 0000 4e                        ..a...N
09:17:05.369587 00:0f:66:a7:b8:4b > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 55: IP (tos 0x0, ttl 150, id 4716, offset 0, flags [none], length: 41) 192.168.1.1.1126 > 0.0.0.0.0: . [bad tcp cksum 61da (->9bc4)!] 0:1(1) ack 0 win 0
        0x0000:  ffff ffff ffff 000f 66a7 b84b 0800 4500  ........f..K..E.
        0x0010:  0029 126c 0000 9606 50ba c0a8 0101 0000  .).l....P.......
        0x0020:  0000 0466 0000 0000 0000 0000 0000 5010  ...f..........P.
        0x0030:  0000 61da 0000 4e                        ..a...N
09:17:05.370277 00:0f:66:a7:b8:4b > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 55: IP (tos 0x0, ttl 150, id 4718, offset 0, flags [none], length: 41) 192.168.1.1.1129 > 0.0.0.0.0: . [bad tcp cksum 61da (->9bc1)!] 0:1(1) ack 0 win 0
        0x0000:  ffff ffff ffff 000f 66a7 b84b 0800 4500  ........f..K..E.
        0x0010:  0029 126e 0000 9606 50b8 c0a8 0101 0000  .).n....P.......
        0x0020:  0000 0469 0000 0000 0000 0000 0000 5010  ...i..........P.
        0x0030:  0000 61da 0000 4e                        ..a...N
09:17:05.371108 00:0f:66:a7:b8:4b > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 55: IP (tos 0x0, ttl 150, id 4720, offset 0, flags [none], length: 41) 192.168.1.1.1132 > 0.0.0.0.0: . [bad tcp cksum 61da (->9bbe)!] 0:1(1) ack 0 win 0
        0x0000:  ffff ffff ffff 000f 66a7 b84b 0800 4500  ........f..K..E.
        0x0010:  0029 1270 0000 9606 50b6 c0a8 0101 0000  .).p....P.......
        0x0020:  0000 046c 0000 0000 0000 0000 0000 5010  ...l..........P.
        0x0030:  0000 61da 0000 4e                        ..a...N
09:17:05.371707 00:0f:66:a7:b8:4b > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 55: IP (tos 0x0, ttl 150, id 4723, offset 0, flags [none], length: 41) 192.168.1.1.1137 > 0.0.0.0.0: . [bad tcp cksum 61da (->9bb9)!] 0:1(1) ack 0 win 0
        0x0000:  ffff ffff ffff 000f 66a7 b84b 0800 4500  ........f..K..E.
        0x0010:  0029 1273 0000 9606 50b3 c0a8 0101 0000  .).s....P.......
        0x0020:  0000 0471 0000 0000 0000 0000 0000 5010  ...q..........P.
        0x0030:  0000 61da 0000 4e                        ..a...N
09:17:06.413277 00:0f:66:a7:b8:4b > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 55: IP (tos 0x0, ttl 150, id 4724, offset 0, flags [none], length: 41) 192.168.1.1.5700 > 0.0.0.0.0: . [bad tcp cksum 61da (->89e6)!] 0:1(1) ack 1 win 0
        0x0000:  ffff ffff ffff 000f 66a7 b84b 0800 4500  ........f..K..E.
        0x0010:  0029 1274 0000 9606 50b2 c0a8 0101 0000  .).t....P.......
        0x0020:  0000 1644 0000 0000 0000 0000 0000 5010  ...D..........P.
        0x0030:  0000 61da 0000 4e                        ..a...N
09:17:06.414029 00:0f:66:a7:b8:4b > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 55: IP (tos 0x0, ttl 150, id 4725, offset 0, flags [none], length: 41) 192.168.1.1.1119 > 0.0.0.0.0: . [bad tcp cksum 61da (->9bcb)!] 0:1(1) ack 1 win 0
        0x0000:  ffff ffff ffff 000f 66a7 b84b 0800 4500  ........f..K..E.
        0x0010:  0029 1275 0000 9606 50b1 c0a8 0101 0000  .).u....P.......
        0x0020:  0000 045f 0000 0000 0000 0000 0000 5010  ..._..........P.
        0x0030:  0000 61da 0000 4e                        ..a...N
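To check David's two explanations against the bytes actually captured, here is an added example (editor's code, not part of either message in this thread). It takes the first frame from the quoted tcpdump -xx dump, recomputes the TCP checksum over the IPv4 pseudo-header, and reproduces tcpdump's "61da (->89e6)" verdict; it then simulates case 1 (a frame cut short by the snaplen, which should be reported as truncated rather than as a bad checksum) and case 2 (the source address rewritten after the sender computed the checksum). The address 10.0.0.9 used for the rewrite is a constructed value.

```python
"""Verify the TCP checksum of a captured Ethernet/IPv4/TCP frame and show
why it can fail.  Added example for this thread, not code from the posts.
FRAME is the first packet of the quoted tcpdump hex dump; 10.0.0.9 below is
a constructed address."""
import struct

# First packet from the quoted `tcpdump -xx` output, Ethernet header included.
FRAME_HEX = (
    "ffff ffff ffff 000f 66a7 b84b 0800 4500"
    "0029 1267 0000 9606 50bf c0a8 0101 0000"
    "0000 1644 0000 0000 0000 0000 0000 5010"
    "0000 61da 0000 4e"
)
FRAME = bytes.fromhex(FRAME_HEX.replace(" ", ""))


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071: 16-bit one's-complement sum, odd trailing byte padded with 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum: pseudo-header (src, dst, zero, proto 6, TCP length)
    followed by the segment with its own checksum field zeroed."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF


def check_frame(frame: bytes) -> dict:
    """Parse Ethernet/IPv4/TCP and compare stored vs. expected TCP checksum.
    A frame shorter than the IP total length (case 1, snaplen truncation) is
    reported as truncated: the checksum cannot be judged from partial bytes."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if len(ip) < total_len:
        return {"truncated": True, "have": len(ip), "need": total_len}
    src, dst = ip[12:16], ip[16:20]
    segment = ip[ihl:total_len]
    stored = struct.unpack("!H", segment[16:18])[0]
    expected = tcp_checksum(src, dst, segment)
    return {"truncated": False, "stored": stored, "expected": expected,
            "ok": stored == expected, "src": ".".join(map(str, src))}


def rewrite_source(frame: bytes, new_src: str, recompute: bool) -> bytes:
    """Replace the IPv4 source address.  recompute=False is case 2: the
    address bytes change after the checksum was computed, so the stored
    TCP checksum no longer matches.  (The IP header checksum is left alone;
    only the TCP checksum is at issue in the thread.)"""
    ip = bytearray(frame[14:])
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    ip[12:16] = bytes(int(o) for o in new_src.split("."))
    if recompute:
        seg = bytes(ip[ihl:total_len])
        csum = tcp_checksum(bytes(ip[12:16]), bytes(ip[16:20]), seg)
        ip[ihl + 16:ihl + 18] = struct.pack("!H", csum)
    return frame[:14] + bytes(ip)


if __name__ == "__main__":
    print(check_frame(FRAME))            # stored 0x61da, expected 0x89e6, ok False
    print(check_frame(FRAME[:40]))       # case 1: truncated
    valid = rewrite_source(FRAME, "192.168.1.1", True)   # a correctly summed copy
    print(check_frame(rewrite_source(valid, "10.0.0.9", False)))  # case 2: ok False
    print(check_frame(rewrite_source(valid, "10.0.0.9", True)))   # recomputed: ok True
```

Run against the quoted dump, check_frame confirms 0x89e6 as the value a sender using 192.168.1.1 and 0.0.0.0 would have put in the header, so the capture itself (55 bytes, under the 96-byte snaplen) is complete and case 1 does not apply to these packets. Whether the constant 0x61da is a leftover from a different address pair or simply a fixed field is not something the checksum alone can tell you; the point of the example is only that a post-checksum address rewrite produces exactly this kind of mismatch.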



Current thread: