[ale] Weird TCP dump
Chris Ricker
kaboom at gatech.edu
Tue Sep 30 12:00:00 EDT 2003
On Tue, 30 Sep 2003, Michael D. Hirsch wrote:
> Probably. What should I look for?
I'm not sure ;-). The actual payload would be good, just to see what the
traffic is. Mapping the source MAC address to a machine on the network would
be good too (though it might be spoofed).
> > 1. When you say they're being sent on loopback, where did you actually
> > capture these (meaning, were you tcpdumping lo, or eth0, or what?)
>
> This was a tcpdump of eth0.
Okay. It could be spoofed, but it might be legitimate (like, for example,
Solaris doing its thing). That's why the packet capture might help.
> > 2. Do you have Solaris boxes around?
>
> I suspect there are Solaris systems on the network, though this dump was on an
> x86 linux box without ipv6.
Sun boxes have a default route to loopback for 127.0.0.1/32 only, rather
than 127/8 like, say, Linux does, so sometimes when you see weird 127/8
addresses in packets on your network, it's just a sign that you need to
adjust the routes on the Sun boxes. Here the 127/8 address was the source
and not the destination if I remember right, though....
later,
chris
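The two checks Chris suggests, flagging 127/8 addresses seen on a wire interface and grouping them by source MAC so the sending box can be tracked down, as an added example that is not part of the original thread. It assumes `tcpdump -e -n` line formatting; the sample lines and MAC/IP values are constructed, not a real capture.

```python
"""Flag loopback (127/8) addresses seen on a non-loopback interface in
tcpdump -e -n output and group them by source MAC address.
Added example, not code from the original mailing-list thread."""
import ipaddress
import re
from collections import defaultdict

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")

# Line shape assumed: "<ts> <src MAC> > <dst MAC>, ...: <src IP>.<port> > <dst IP>.<port>: ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}),.*?: "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dip>\d+\.\d+\.\d+\.\d+)\.\d+:",
    re.IGNORECASE,
)

def parse_line(line):
    """Return the fields of one tcpdump line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def find_loopback_leaks(lines):
    """Return {src_mac: [(src_ip, dst_ip), ...]} for every packet that carries a
    127/8 source or destination; such packets should never cross a real wire."""
    hits = defaultdict(list)
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue  # non-IPv4 or unparsable line, e.g. ARP
        sip, dip = ipaddress.ip_address(f["sip"]), ipaddress.ip_address(f["dip"])
        if sip in LOOPBACK_NET or dip in LOOPBACK_NET:
            hits[f["smac"].lower()].append((str(sip), str(dip)))
    return dict(hits)

# Constructed sample of what "tcpdump -e -n -i eth0" might print (not a real capture)
SAMPLE = [
    "12:00:01.100000 00:a0:c9:12:34:56 > 00:c0:4f:65:43:21, ethertype IPv4 (0x0800), length 60: 127.0.0.1.1024 > 10.0.0.5.53: UDP, length 40",
    "12:00:01.200000 00:c0:4f:65:43:21 > 00:a0:c9:12:34:56, ethertype IPv4 (0x0800), length 74: 10.0.0.5.53 > 10.0.0.9.1025: UDP, length 40",
    "12:00:01.300000 08:00:20:aa:bb:cc > 00:c0:4f:65:43:21, ethertype IPv4 (0x0800), length 60: 10.0.0.7.2000 > 127.0.0.2.80: Flags [S], seq 1, win 8760, length 0",
]

if __name__ == "__main__":
    # Each reported MAC is a host whose routing (or a spoofer) needs a closer look
    for mac, pairs in find_loopback_leaks(SAMPLE).items():
        print(mac, pairs)
```

Feed it the output of `tcpdump -e -n -i eth0 -l` to see which MACs are emitting 127/8 traffic, then compare those MACs against the switch's forwarding table to locate the hosts.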