[ale] Weird TCP dump

Chris Ricker kaboom at gatech.edu
Tue Sep 30 12:00:00 EDT 2003


On Tue, 30 Sep 2003, Michael D. Hirsch wrote:

> Probably.  What should I look for?

I'm not sure ;-). The actual payload would be good, just to see what the 
traffic is. Mapping the source MAC address to a machine on the network would 
be good too (though it might be spoofed).

> > 1. When you say they're being sent on loopback, where did you actually
> > capture these (meaning, were you tcpdumping lo, or eth0, or what?)
> 
> This was a tcpdump of eth0.

Okay. It could be spoofed, but it might be legitimate (like, for example,
Solaris doing its thing). That's why the packet capture might help.

> > 2. Do you have Solaris boxes around?
> 
> I suspect there are Solaris systems on the network, though this dump was on an 
> x86 Linux box without IPv6.

Sun boxes have a default route to loopback for 127.0.0.1/32 only, rather 
than 127/8 like, say, Linux does, so sometimes when you see weird 127/8 
addresses in packets on your network, it's just a sign that you need to 
adjust the routes on the Sun boxes. Here the 127/8 address was the source 
and not the destination if I remember right, though....

later,
chris
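As an added defender-side example (not code from the post or from the list): a small Python script that scans `tcpdump -e -n` style lines captured on eth0, flags every packet carrying a 127/8 source or destination (an address that should never appear on the wire), and groups the hits by sending MAC so each can be mapped to a host, or found to be spoofed. The capture lines, addresses and MACs below are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of `tcpdump -e -n` output from eth0 (not from the
# original post; all addresses and MACs are made up for illustration).
SAMPLE_CAPTURE = """\
12:00:01.000001 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype IPv4 (0x0800), length 74: 127.0.0.1.40000 > 10.0.0.5.22: Flags [S], seq 1, win 65535, length 0
12:00:01.000002 66:77:88:99:aa:bb > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 74: 10.0.0.5.22 > 127.0.0.1.40000: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:01.000003 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype IPv4 (0x0800), length 74: 10.0.0.7.5000 > 10.0.0.5.80: Flags [S], seq 3, win 65535, length 0
12:00:01.000004 de:ad:be:ef:00:01 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 74: 127.0.0.2.1234 > 10.0.0.255.137: UDP, length 50
"""

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Match the Ethernet header plus the IPv4 src.port > dst.port that tcpdump -e -n prints.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}),.*?: "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dst>\d+\.\d+\.\d+\.\d+)\.\d+"
)

def find_martians(capture_text):
    """Return (src_mac, src_ip, dst_ip, role) for each packet with a 127/8 address;
    role records whether the loopback address was the source, destination, or both."""
    hits = []
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an IPv4 line in the expected layout
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        src_lo, dst_lo = src in LOOPBACK, dst in LOOPBACK
        if not (src_lo or dst_lo):
            continue
        role = "both" if src_lo and dst_lo else ("source" if src_lo else "destination")
        hits.append((m["smac"], str(src), str(dst), role))
    return hits

def by_source_mac(hits):
    """Group hits by sending MAC so each MAC can be mapped to a host (or shown to be spoofed)."""
    groups = defaultdict(list)
    for smac, src, dst, role in hits:
        groups[smac].append((src, dst, role))
    return dict(groups)

if __name__ == "__main__":
    for mac, pkts in by_source_mac(find_martians(SAMPLE_CAPTURE)).items():
        print(mac, pkts)
```

A MAC that maps to a Sun host whose 127/8 route covers only 127.0.0.1/32 points at the routing issue described above; a MAC that maps to nothing on the segment points at spoofing.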
