Snort mailing list archives

Re: Strange packet


From: todb () planb-security net
Date: Wed, 12 May 2004 07:23:20 -0500 (CDT)

Anyone have an idea of what this is?

2004-05-12 11:01:08.707097 IP (tos 0x0, ttl 255, id 9278, offset 0, flags
[none], length: 576, bad cksum 3560 (->aa84)!) 186.186.186.186.47802 >
186.186.186.186.47802: UDP, length: 47794

186.186.186.186 equals 0xBABABABA, and the 47802 port also equals 0xBABA
-- so it's certainly a mangled packet. The TTL of 255 means that it must
have been generated locally, not to mention the reserved address space of
186/8.

Use the -e switch (for snort or tcpdump) to get the MAC address of the
sender (assuming that's not getting garbled, too), and track it down that
way. HTH.

-- 
Tod
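
The repeated-byte reasoning in the reply above, written out as a check over tcpdump text lines. This is an added example, not part of the original message or of Snort or tcpdump. The names `fill_byte` and `analyse` are hypothetical, the second sample line is constructed, and the code assumes tcpdump prints the UDP payload size (the header's length field minus the 8-byte UDP header).

```python
import ipaddress
import re

# Constructed input: the first entry is the packet quoted in the post, joined
# onto one line; the second is a made-up ordinary packet for comparison.
SAMPLE = [
    "2004-05-12 11:01:08.707097 IP (tos 0x0, ttl 255, id 9278, offset 0, flags [none], "
    "length: 576, bad cksum 3560 (->aa84)!) 186.186.186.186.47802 > 186.186.186.186.47802: UDP, length: 47794",
    "2004-05-12 11:01:09.100000 IP (tos 0x0, ttl 64, id 4121, offset 0, flags [DF], "
    "length: 76) 192.0.2.10.123 > 192.0.2.20.123: UDP, length: 48",
]

LINE_RE = re.compile(
    r"ttl (?P<ttl>\d+).*?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP, length: (?P<plen>\d+)"
)

def fill_byte(value, width):
    """Return the byte if value is a single byte repeated width times, else None."""
    if not 0 <= value < 1 << (8 * width):
        return None
    raw = value.to_bytes(width, "big")
    return raw[0] if len(set(raw)) == 1 else None

def analyse(line):
    """Report whether addresses, ports and UDP length share one fill byte."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    fields = {
        "src": (int(ipaddress.IPv4Address(m["src"])), 4),
        "dst": (int(ipaddress.IPv4Address(m["dst"])), 4),
        "sport": (int(m["sport"]), 2),
        "dport": (int(m["dport"]), 2),
        # Assumption: printed length is the payload size, so add the header back.
        "udp_len": ((int(m["plen"]) + 8) & 0xFFFF, 2),
    }
    fills = {name: fill_byte(v, w) for name, (v, w) in fields.items()}
    distinct = set(fills.values())
    suspect = len(distinct) == 1 and None not in distinct
    return {"ttl": int(m["ttl"]), "fills": fills,
            "fill": distinct.pop() if suspect else None, "suspect": suspect}

if __name__ == "__main__":
    for line in SAMPLE:
        r = analyse(line)
        tag = "fill 0x%02X" % r["fill"] if r["suspect"] else "no common fill byte"
        print("ttl=%d  %s" % (r["ttl"], tag))
```

Under the stated assumption, the UDP length field of the quoted packet is also 0xBABA (47794 + 8 = 47802), so the same byte fills both addresses and the entire UDP header apart from the checksum, which the tcpdump line does not show.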


