RE: Unrecognised packets

["Daniska Tomas" <tomas () tronet com>]

cw,

i think the frame 5 was just misinterpreted by ethereal (probably it
found some initial byte sequence that made it consider the frame this
way). if you go through the decode you'll find out that the data
contained in the (claimed) 'q.931' part is something really far from
q.931 - most of the elements are unknown, with some weird data.

just a wrong decoding teplate applied, possibly one that'd be used for
decoding h.225 frames (but h.225 runs on different tcp port than 1199)


hope this helps


deejay


--
 
Tomas Daniska
systems engineer
Tronet Computer Networks
Plynarenska 5, 829 75 Bratislava, Slovakia
tel: +421 2 58224111, fax: +421 2 58224199
 
A transistor protected by a fast-acting fuse will protect the fuse by
blowing first.



> -----Original Message-----
> From: cw [mailto:security () fidei co uk] 
> Sent: 20. augusta 2002 12:48
> To: nanog () merit edu
> Subject: Unrecognised packets
>
>
> Hi there folks, sorry if you're on the securityfocus 
> incidents list and have received another version of this but 
> as this has protocol info I thought I might ask here.
> Background: Friday 9th I noticed my laptop running slowly and 
> unstable. I assumed that applying SP3 had broken it so I reinstalled.
> Tue 13th I noticed logs in the firewall of my desktop which 
> showed a prolonged scan of ports 50000-50099 on my desktop 
> machine. The scan had originated from the ip of my laptop.
> After a bit of thinking, I remember my desktop firewall 
> complaining about some other packets at the time. IIRC there 
> were packets from my laptop set at ip protocol 60 hitting my 
> desktop. I also remember some packets set at ip protocol 0 
> coming from external ip addresses (not of our network). I was 
> busy with work at the time so I blocked the packets and 
> subsequently forgot about them.
>
> Due to my wiping the laptop before noticing the firewall logs 
> I was unable to figure out what had happened. The thing is, 
> now I'm starting to see some activity I'm not expecting again.
> Prior to last week I was running Win2K on it with SP2 
> (upgraded to SP3 around the same time).
> When I reinstalled I put WinXP on.
> The laptop has been running Kerio as a firewall with as many 
> services as possible turned off.
>
> Today my firewall has picked up another packet from my laptop 
> that was ip protocol 60 (not port 60 but protocol 60). After 
> spotting this I loaded up ethereal and started capturing.
>
> aa.bb.cc.dd = laptop ip
> dd.cc.bb.aa = desktop ip
>
> I'm not familiar with all the protocols involved, so if my 
> searches are correct Q.931 is an ISDN control protocol. This 
> is odd because this is coming over a lan and neither machines 
> have any ISDN hardware or software.
>
> Secondly there is the IP packets with a header length of 0. 
> I'm not sure if these are related but the reason I include 
> them is because the source MAC addresses are only a slight 
> variation on that of my laptop. That is my laptop starts 
> 00:50 whilst these packets start 45:00. The rest is the same.
>
> All these packets were captured using the host aa.bb.cc.dd 
> (where aa.bb.cc.dd eq laptop ip) filter (details in attachment).
>
> If anyone can advise me on the purpose of these packets I 
> would appreciate it as to the best of my knowledge they have 
> no valid purpose.
>
> Cheers.