No subject


Tue Oct 3 14:45:00 EDT 2000


----- Forwarded message from bob leever <bel1 at ...358...> -----

> Hi
> 
> I've been getting a lot of:
> 
> [**] Traceroute [**]
> 10/02-16:56:28.562279 172.18.20.157 -> 172.18.20.255
> ICMP TTL:1 TOS:0x0 ID:17819 
> ID:61667   Seq:0  ECHO
> 6C 92 14 00 00 00 00 00 00 00 00 00 00 00 00 00  l...............
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00                                      ....
> 
> the 'from address' is a dhcp assigned internal IP address.
> and it sorta looks like a broadcast.  I think this is happening when
> someone plugs in their P/C that they transport to & from home.
> 
> Do wintel systems [9x, NT, ME] normally do a traceroute to .255 on boot?
> If so, why?  ie What's it looking for?
> 

the .255 address is, as you state, considered the broadcast address..

there are a couple of applications that might be doing something like this..
one of them is DHCP, the other is the SMB protocol.

I don't see any indication, from your above data, of the port number, but
it's early in the morning, and I'm probably reading it wrong ;).. anyway,
knowing what port number the machine is sending to would go a long way
towards figuring out *what*'s going on.

regards,
J
-- 
|| resnet 2000 -- <http://www.resnet.emich.edu/>
|| psa member -- <http://www.python.org/psa/> 



----- End forwarded message -----
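
Added example (not part of the original messages): a small Python parser for the alert text quoted above that extracts the protocol, TTL and any ports, then checks whether the destination is the broadcast address of the sender's subnet. The /24 prefix length is an assumption, since the thread does not give the netmask, and the function names are illustrative.

```python
import ipaddress
import re

# Alert header lines copied from the quoted message (hex dump omitted).
ALERT = """\
> [**] Traceroute [**]
> 10/02-16:56:28.562279 172.18.20.157 -> 172.18.20.255
> ICMP TTL:1 TOS:0x0 ID:17819
> ID:61667   Seq:0  ECHO
"""

TITLE = re.compile(r"^\[\*\*\]\s*(.*?)\s*\[\*\*\]$")
# Snort prints "ip:port" for TCP/UDP and a bare "ip" for ICMP.
ADDRS = re.compile(r"^\S+\s+([\d.]+)(?::(\d+))?\s+->\s+([\d.]+)(?::(\d+))?$")
IPHDR = re.compile(r"^(ICMP|TCP|UDP)\s+TTL:(\d+)\b")
ICMP = re.compile(r"^ID:\d+\s+Seq:\d+\s+(\w+)$")


def parse_alert(text):
    """Return the fields of one full-format alert as a dict."""
    f = {"msg": None, "src": None, "dst": None, "sport": None,
         "dport": None, "proto": None, "ttl": None, "icmp_type": None}
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()  # drop e-mail quoting
        if m := TITLE.match(line):
            f["msg"] = m.group(1)
        elif m := IPHDR.match(line):
            f["proto"], f["ttl"] = m.group(1), int(m.group(2))
        elif m := ICMP.match(line):
            f["icmp_type"] = m.group(1)
        elif m := ADDRS.match(line):
            f["src"], f["sport"], f["dst"], f["dport"] = m.groups()
    return f


def triage(f, prefixlen=24):
    """Classify the packet; prefixlen is an assumed netmask (not in the thread)."""
    net = ipaddress.ip_network(f"{f['src']}/{prefixlen}", strict=False)
    return {
        "has_ports": f["sport"] is not None or f["dport"] is not None,
        "expires_at_first_hop": f["ttl"] == 1,
        "dst_is_subnet_broadcast": ipaddress.ip_address(f["dst"]) == net.broadcast_address,
    }


if __name__ == "__main__":
    print(triage(parse_alert(ALERT)))
```

For this alert the result shows an ICMP echo with no port fields, a TTL of 1, and a destination equal to the /24 broadcast address of the sender.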



