RE: bad traffic loopback traffic

["Everist, Benjamin S. (NASWI)" <EveristB () naswi navy mil>]

Not being an expert on tcpdump - or tcp/ip - when you say mac address, do
you mean 0:60:1d:0:6:a0?  It looked like a mac to me, but I wasn't sure.

OK, problem solved, machine found and silenced.

Thanks!

--- twig les [mailto:twigles () yahoo com]
wrote:

> What machine owns that MAC address?


--- "Everist, Benjamin S. (NASWI)" <EveristB () naswi navy mil>
wrote:
> hello all,
>
> I'm getting a lot of bad traffic loopback traffic alerts
> (sid=528) from
> 127.0.0.1:1024 to 255.255.255.255:67.  
> tcpdump -e -i lo0 -n records no packets, even when new alerts
> are being
> generated.  
> tcpdump -e -i xl0 -n host 127.0.0.1 gets this:
>
> 11:59:32.949764 0:60:1d:0:6:a0 ff:ff:ff:ff:ff:ff 0800 586:
> 127.0.0.1.1024 >
> 255.255.255.255.67:  (request) xid:0x641b767c secs:32768
> [|bootp]
>
> and a whole lot more like it (like 2500+ alerts on snort
> today, and this has
> been going on for the life of this machine, about a week). 
> I'm confused.
> What's going on here?  I'm not running a dhcp client or
> server, and for that
> matter, lo0 is silent unless i deliberately use it (I left
> tcpdump on for a
> half hour, the only thing it logged was when I pinged
> localhost).  Where is
> this traffic coming from and is it valid (and if so, why is it
> so
> persistant?).
>
> your thoughts are appreciated.
>
>
> Benjamin
>
> Other/ More Info:
> Snort is started with -i xl0
> I am currently on a switch waiting to move to a hub


=====
-----------------------------------------------------------
Know yourself and know your enemy and you will never fear defeat.         
-----------------------------------------------------------

__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com