[ale] Weird TCP dump

Michael D. Hirsch mhirsch at nubridges.com
Tue Sep 30 11:45:27 EDT 2003


On Tuesday 30 September 2003 10:52 am, Chris Ricker wrote:
> On Mon, 29 Sep 2003, Michael D. Hirsch wrote:
> > anyone recognize this?  I'm getting really weird tcpdump logs from a box.
> > I've put a representative sample below.  Why are things being sent on
> > loopback with unusual addresses?  What is ip-proto-0?  Have I been
> > hacked?
>
> IP Protocol 0 was reserved, but is now used for IPv6
>
> > 15:58:43.165620 127.0.0.197 > 108.122.0.0:  ip-proto-0 0 (DF) [tos
> > 0x7,ECT,CE]
>
> FYI, 108/8 is reserved space
>
> Couple of questions:
>
> 0. Can you get a complete capture of the payload of one of these?

Probably.  What should I look for?

> 1. When you say they're being sent on loopback, where did you actually
> capture these (meaning, were you tcpdumping lo, or eth0, or what?)

This was a tcpdump of eth0.

> 2. Do you have Solaris boxes around?

I suspect there are Solaris systems on the network, though this dump was on an x86 Linux box without IPv6.

Thanks,

Michael
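A small detector for the kind of tcpdump output quoted in this thread, added here as an example and not part of the original post or the ALE list. It assumes the older tcpdump line format shown above (timestamp, src > dst, ip-proto-N length, flags, [tos ...]) and a constructed sample set; the address ranges it checks (127/8 as a source that should never appear on eth0, 108/8 as the destination the reply calls reserved) are assumptions to adapt, not an authoritative bogon list.

```python
import ipaddress
import re

# Constructed sample lines in the tcpdump format quoted in the thread; the first
# is the line from the post, the other two are made-up normal traffic for contrast.
SAMPLE_LINES = [
    "15:58:43.165620 127.0.0.197 > 108.122.0.0:  ip-proto-0 0 (DF) [tos 0x7,ECT,CE]",
    "15:58:44.001200 192.168.1.10 > 192.168.1.1:  ip-proto-6 40 (DF)",
    "15:58:45.777000 10.0.0.5 > 224.0.0.1:  ip-proto-2 28",
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):\s+ip-proto-(?P<proto>\d+)\s+(?P<length>\d+)(?P<rest>.*)$"
)

# Assumed ranges: 127/8 must never be a source on a real interface; 108/8 is
# listed only because the thread says it was reserved at the time. Adapt both.
MARTIAN_SOURCES = [ipaddress.ip_network("127.0.0.0/8")]
SUSPECT_DESTS = [ipaddress.ip_network("108.0.0.0/8")]

def parse_line(line):
    """Split one tcpdump line into fields; None for lines in a different format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["proto"], rec["length"] = int(rec["proto"]), int(rec["length"])
    rec["flags"] = re.findall(r"\((\w+)\)", rec["rest"])       # e.g. ["DF"]
    tos = re.search(r"\[tos ([^\]]*)\]", rec["rest"])
    rec["tos"] = tos.group(1).split(",") if tos else []       # e.g. ["0x7", "ECT", "CE"]
    return rec

def classify(rec, interface="eth0"):
    """Reasons a parsed packet looks anomalous on `interface` (empty list if none)."""
    src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
    reasons = []
    if interface != "lo" and any(src in n for n in MARTIAN_SOURCES):
        reasons.append("loopback source address seen on " + interface)
    if any(dst in n for n in SUSPECT_DESTS):
        reasons.append("destination in a reserved range")
    if rec["proto"] == 0:
        reasons.append("IP protocol 0 carrying %d bytes" % rec["length"])
    if "CE" in rec["tos"]:
        reasons.append("ECN CE bit set in the TOS byte")
    return reasons

def scan(lines, interface="eth0"):
    parsed = [r for r in map(parse_line, lines) if r]
    return [(r["ts"], r["src"], r["dst"], classify(r, interface))
            for r in parsed if classify(r, interface)]
```

Feeding a real `tcpdump -n -i eth0` log through `scan` gives one tuple per packet that trips a check, which is a quicker way to answer "have I been hacked?" than reading the dump by eye; the loopback-source check is skipped when the capture interface is `lo`.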