[ale] Weird TCP dump
Michael D. Hirsch
mhirsch at nubridges.com
Tue Sep 30 11:45:27 EDT 2003
On Tuesday 30 September 2003 10:52 am, Chris Ricker wrote:
> On Mon, 29 Sep 2003, Michael D. Hirsch wrote:
> > Anyone recognize this? I'm getting really weird tcpdump logs from a box.
> > I've put a representative sample below. Why are things being sent on
> > loopback with unusual addresses? What is ip-proto-0? Have I been
> > hacked?
>
> IP Protocol 0 was reserved, but is now used for IPv6
>
> > 15:58:43.165620 127.0.0.197 > 108.122.0.0: ip-proto-0 0 (DF) [tos 0x7,ECT,CE]
>
> FYI, 108/8 is reserved space
>
> Couple of questions:
>
> 0. Can you get a complete capture of the payload of one of these?

Probably. What should I look for?
> 1. When you say they're being sent on loopback, where did you actually
> capture these (meaning, were you tcpdumping lo, or eth0, or what?)

This was a tcpdump of eth0.
> 2. Do you have Solaris boxes around?

I suspect there are Solaris systems on the network, though this dump was on an x86 linux box without ipv6.

Thanks,
Michael
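A small triage script for the kind of `tcpdump -n` output discussed in this thread, added here as an example and not code from either poster. It flags the three oddities raised above (a 127/8 source seen on a wire interface, a destination in a prefix the thread calls reserved, and an IP protocol number a normal LAN host does not emit); the sample lines are constructed and modelled on the quoted one, and the prefix and protocol lists are assumptions meant to be tuned per site.

```python
"""Flag anomalous header lines from `tcpdump -n` one-line output."""
import ipaddress
import re
from typing import Dict, List

# Constructed sample lines (not a real capture), modelled on the line quoted in the thread.
SAMPLE_LINES = [
    "15:58:43.165620 127.0.0.197 > 108.122.0.0: ip-proto-0 0 (DF) [tos 0x7,ECT,CE]",
    "15:58:44.001002 192.168.1.10.34567 > 192.168.1.1.53: udp 40",
    "15:58:44.500000 10.0.0.5 > 10.0.0.9: ip-proto-41 1280",  # constructed: 6in4 tunnel
]

# Header shape with -n: "<time> <src> > <dst>: <protocol description> ..."
HDR = re.compile(r"^(\S+)\s+(\S+)\s+>\s+(\S+):\s+(.*)$")

# Protocols an ordinary LAN host is expected to emit (assumption): ICMP, IGMP, TCP, UDP.
EXPECTED_PROTOS = {1, 2, 6, 17}

# Destination prefixes to flag (assumption, site-tunable): 127/8 is loopback; the thread
# notes 108/8 as reserved space at the time it was written.
SUSPECT_PREFIXES = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("108.0.0.0/8")]


def _strip_port(addr: str) -> str:
    """tcpdump prints host.port for TCP/UDP; drop the trailing port when present."""
    parts = addr.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 else addr


def triage_line(line: str, iface: str = "eth0") -> List[str]:
    """Return a list of findings for one tcpdump header line (empty if nothing is odd)."""
    m = HDR.match(line)
    if not m:
        return ["unparsed"]
    _, src, dst, rest = m.groups()
    src_ip = ipaddress.ip_address(_strip_port(src))
    dst_ip = ipaddress.ip_address(_strip_port(dst))
    findings = []
    if src_ip.is_loopback and iface != "lo":
        findings.append("loopback source on %s" % iface)
    for net in SUSPECT_PREFIXES:
        if dst_ip in net:
            findings.append("destination in %s" % net)
    pm = re.match(r"ip-proto-(\d+)", rest)  # tcpdump's form for protocols it does not decode
    if pm and int(pm.group(1)) not in EXPECTED_PROTOS:
        findings.append("unusual IP protocol %s" % pm.group(1))
    return findings


def triage(lines: List[str], iface: str = "eth0") -> Dict[str, List[str]]:
    """Map each flagged line to its findings; clean lines are omitted."""
    return {l: triage_line(l, iface) for l in lines if triage_line(l, iface)}
```

Feed it the output of `tcpdump -n -i eth0` line by line; a hit on the loopback-source check is the quickest way to confirm whether the packets are really arriving on the wire or are being misattributed by the capture.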