
List:       focus-ids
Subject:    AW: Odd tcp packets with zeroed flags
From:       "Faust, Andreas" <Andreas.Faust () STAR-21 ! DE>
Date:       2001-01-18 15:07:15

> Could anyone explain to me the meaning of these packets?
> I'm receiving them every day and always to the same from different
> hosts...
>
> Here's the dump of some of them:
>
> 01/12-12:23:39.033146 0:E0:1E:9C:D2:81 -> 8:0:20:B0:C7:F1
> type:0x800 len:0x5FC
> x.x.x.x:0 -> server:0 TCP TTL:125 TOS:0x10 ID:39706 IpLen:20
> DgmLen:1480
> ******** Seq: 0x0  Ack: 0x0  Win: 0x0  TcpLen: 0
[snip]
> ....................2>&nbsp;&nbs
Hmm, looks like some HTML code ...

> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> =+=+=+=+=+=+

> 01/12-12:36:22.667276 0:E0:1E:9C:D2:81 -> 8:0:20:B0:C7:F1
> type:0x800 len:0x5FC
> x.x.x.x:0 -> server:0 TCP TTL:125 TOS:0x0 ID:5891 IpLen:20
> DgmLen:1480
> ******** Seq: 0x0  Ack: 0x0  Win: 0x0  TcpLen: 0
> ................ ...............................................
[snip]
> ................................................................
> ..................../DIV>..<DIV>
Here again ...

I don't think it's a scan or an attack. It looks more like a broken TCP stack
or something similar.
I would try to find out where this traffic originates from, and why it all
goes to one single box.

Try to capture more of these packets. They might give you a clue where to
look for the problem.
Maybe one of the sysadmins on the other network can help you record
traffic on his side.
You also didn't mention if there is any outbound traffic from this box to
those networks.

best regards
Andreas
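
One way to work through a larger capture of such packets, as an added example that is not part of the original message: this Python script parses Snort dump records in the layout quoted above, flags headers with no TCP flags, port 0 or a zero TCP header length, and tallies them by source, target and last-hop MAC. The sample input is constructed (documentation addresses, unwrapped lines) and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the layout of the quoted dump (not data from the post).
SAMPLE = """\
01/12-12:23:39.033146 0:E0:1E:9C:D2:81 -> 8:0:20:B0:C7:F1 type:0x800 len:0x5FC
192.0.2.10:0 -> 198.51.100.5:0 TCP TTL:125 TOS:0x10 ID:39706 IpLen:20 DgmLen:1480
******** Seq: 0x0  Ack: 0x0  Win: 0x0  TcpLen: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/12-12:36:22.667276 0:E0:1E:9C:D2:81 -> 8:0:20:B0:C7:F1 type:0x800 len:0x5FC
192.0.2.77:0 -> 198.51.100.5:0 TCP TTL:125 TOS:0x0 ID:5891 IpLen:20 DgmLen:1480
******** Seq: 0x0  Ack: 0x0  Win: 0x0  TcpLen: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/12-12:40:01.120000 0:E0:1E:9C:D2:81 -> 8:0:20:B0:C7:F1 type:0x800 len:0x4A
192.0.2.10:34512 -> 198.51.100.5:80 TCP TTL:125 TOS:0x0 ID:5900 IpLen:20 DgmLen:60
******S* Seq: 0x1A2B3C4D  Ack: 0x0  Win: 0x4000  TcpLen: 40
"""

# One record = link-layer line, IP line, TCP line; payload and separator lines are skipped.
PKT = re.compile(
    r"^(?P<ts>\d\d/\d\d-[\d:.]+) (?P<smac>\S+) -> (?P<dmac>\S+) .*\n"
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+) TCP "
    r"TTL:(?P<ttl>\d+) .*DgmLen:(?P<dgmlen>\d+)\s*\n"
    r"(?P<flags>[*\w]{8}) Seq: (?P<seq>0x[0-9A-Fa-f]+)\s+Ack: \S+\s+"
    r"Win: (?P<win>0x[0-9A-Fa-f]+)\s+TcpLen: (?P<tcplen>\d+)",
    re.MULTILINE)

def anomalies(p):
    """Return the header oddities seen in the quoted packets, if present."""
    checks = [("no TCP flags", set(p["flags"]) == {"*"}),
              ("port 0", p["sport"] == "0" or p["dport"] == "0"),
              ("TCP header length 0", p["tcplen"] == "0")]
    return [name for name, hit in checks if hit]

def summarize(dump):
    """Tally odd packets by sender, target and the MAC that delivered them."""
    report = {"sources": Counter(), "targets": Counter(),
              "last_hop_macs": set(), "reasons": Counter(), "normal": 0}
    for m in PKT.finditer(dump):
        p = m.groupdict()
        why = anomalies(p)
        if not why:
            report["normal"] += 1
            continue
        report["sources"][p["src"]] += 1
        report["targets"][p["dst"]] += 1
        report["last_hop_macs"].add(p["smac"])  # device that put it on the local wire
        report["reasons"].update(why)
    return report

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A single last-hop MAC with many distinct source addresses points the search at one upstream device or path rather than at the individual senders.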

