[ale] Weird TCP dump
Chris Ricker
kaboom at gatech.edu
Tue Sep 30 10:53:17 EDT 2003
On Mon, 29 Sep 2003, Michael D. Hirsch wrote:
> anyone recognize this? I'm getting really weird tcpdump logs from a box.
> I've put a representative sample below. Why are things being sent on
> loopback with unusual addresses? What is ip-proto-0? Have I been hacked?
IP Protocol 0 was reserved, but is now used for IPv6
> 15:58:43.165620 127.0.0.197 > 108.122.0.0: ip-proto-0 0 (DF) [tos 0x7,ECT,CE]
FYI, 108/8 is reserved space
Couple of questions:
0. Can you get a complete capture of the payload of one of these?
1. When you say they're being sent on loopback, where did you actually
capture these (meaning, were you tcpdumping lo, or eth0, or what?)
2. Do you have Solaris boxes around?
later,
chris
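As an added triage helper that is not part of this thread, the following Python parses tcpdump lines like the one Michael posted and flags the three oddities he asks about: loopback addresses seen on a non-loopback interface, addresses in reserved space, and IP protocol numbers outside the common set. The bogon list is an assumption chosen for illustration; 108.0.0.0/8 appears in it only because the thread notes that range was reserved at the time.

```python
"""Flag suspicious tcpdump lines (added example, not from the thread)."""
import ipaddress
import re

# tcpdump -n style: "<time> <src>[.<port>] > <dst>[.<port>]: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<sport>\d+))?\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<dport>\d+))?:\s+"
    r"(?P<rest>.*)$"
)
PROTO_RE = re.compile(r"\bip-proto-(\d+)\b")

# Assumption: illustrative list of space that should not appear on the wire.
# 108.0.0.0/8 is included only because the 2003 thread says it was reserved then.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "240.0.0.0/4", "108.0.0.0/8",
)]
COMMON_PROTOS = {1, 6, 17}  # ICMP, TCP, UDP


def triage(line, iface="eth0"):
    """Return the reasons a tcpdump line looks odd (empty list = looks normal)."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparsed line"]
    reasons = []
    src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    for label, addr in (("src", src), ("dst", dst)):
        # 127.0.0.1 on lo is normal; any other 127/8 use, or 127/8 on eth0, is not
        if addr.is_loopback and (iface != "lo" or str(addr) != "127.0.0.1"):
            reasons.append(f"{label} {addr}: loopback address on {iface}")
        if any(addr in net for net in BOGON_NETS):
            reasons.append(f"{label} {addr}: reserved/unroutable space")
    pm = PROTO_RE.search(m["rest"])
    if pm and int(pm.group(1)) not in COMMON_PROTOS:
        reasons.append(f"ip-proto-{pm.group(1)}: uncommon IP protocol number")
    return reasons


# Constructed sample: the line from the thread plus an ordinary TCP SYN.
SAMPLE = [
    "15:58:43.165620 127.0.0.197 > 108.122.0.0: ip-proto-0 0 (DF) [tos 0x7,ECT,CE]",
    "15:58:44.000001 192.0.2.10.43210 > 198.51.100.7.22: S 1:1(0) win 5840",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(entry, "->", triage(entry) or "ok")
```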