[Snort-users] what are these?

Max Vision vision at ...4...
Tue Oct 3 21:19:16 EDT 2000


I'm not sure why you are seeing these traceroute packets (TTL=1), but I
should clarify that ICMP does not support the concept of "ports" except in
the payload of "port unreachable" packets.

If you find out which application is sending the packets (try tcpview from
winternals, or some api tracer) please let us know - this is pretty odd
traffic.  AFAIK, neither DHCP nor SMB send this type of packet.

?
Max

> ----- Begin Included Message -----
> 
> >From jam at ...561... Tue Oct  3 11:45 PDT 2000
> Date: Tue, 3 Oct 2000 14:45:00 -0400
> 
> ----- Forwarded message from bob leever <bel1 at ...358...> -----
> 
> > Hi
> > 
> > I've been getting a lot of:
> > 
> > [**] Traceroute [**]
> > 10/02-16:56:28.562279 172.18.20.157 -> 172.18.20.255
> > ICMP TTL:1 TOS:0x0 ID:17819 
> > ID:61667   Seq:0  ECHO
> > 6C 92 14 00 00 00 00 00 00 00 00 00 00 00 00 00  l...............
> > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > 00 00 00 00                                      ....
> > 
> > the 'from address' is a dhcp assigned internal IP address.
> > and it sorta looks like a broadcast.  I think this is happening when
> > someone plugs in their P/C that they transport to & from home.
> > 
> > Do wintel systems [9x, NT, ME] normally do a traceroute to .255 on boot?
> > If so, why?  ie What's it looking for?
> > 
> 
> the .255 address is, as you state, considered the broadcast address..
> 
> there are a couple of applications that might be doing something like this..
> one of them is DHCP, the other is the SMB protocol.
> 
> I don't see any indication, from your above data, of the port number, but
> it's early in the morning, and I'm probably reading it wrong ;).. anyway,
> knowing what port number the machine is sending to would go a long way
> towards figuring out *what*'s going on.
> 
> regards,
> J
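
Added example, not part of the original thread and not Snort's own code: a small parser for the alert layout quoted above, showing that an ICMP alert carries an identifier and sequence number rather than ports, and checking whether the destination is the subnet's directed broadcast. The /24 prefix length and the function name `triage` are assumptions; the thread does not state the netmask.

```python
import ipaddress
import re

# Constructed sample: the alert quoted in the thread (hex payload omitted).
ALERT = """\
[**] Traceroute [**]
10/02-16:56:28.562279 172.18.20.157 -> 172.18.20.255
ICMP TTL:1 TOS:0x0 ID:17819
ID:61667   Seq:0  ECHO
"""

# Alert title, then "timestamp src[:port] -> dst[:port]", then the IP header line.
HEADER = re.compile(
    r"\[\*\*\]\s*(?P<msg>.+?)\s*\[\*\*\]\s*\n"
    r"\S+\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*\n"
    r"(?P<proto>\w+)\s+TTL:(?P<ttl>\d+)\s+TOS:\S+\s+ID:(?P<ip_id>\d+)"
)
# ICMP echo detail line: identifier, sequence number and message type.
ICMP_LINE = re.compile(r"^ID:(?P<id>\d+)\s+Seq:(?P<seq>\d+)\s+(?P<type>\w+)", re.M)


def triage(alert, prefix_len=24):
    """Parse one alert; prefix_len is an assumed subnet mask (not given in the thread)."""
    m = HEADER.search(alert)
    if m is None:
        raise ValueError("unrecognised alert layout")
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
    ports = tuple(int(p) if p else None for p in (m["sport"], m["dport"]))
    icmp = None
    if m["proto"] == "ICMP":
        d = ICMP_LINE.search(alert, m.end())
        if d:
            icmp = {"id": int(d["id"]), "seq": int(d["seq"]), "type": d["type"]}
    return {
        "msg": m["msg"], "proto": m["proto"], "ttl": int(m["ttl"]),
        "src": str(src), "dst": str(dst),
        "ports": ports,        # (None, None) for ICMP: no port fields exist
        "icmp": icmp,          # echo is matched by identifier/sequence instead
        "directed_broadcast": dst == net.broadcast_address,
    }


if __name__ == "__main__":
    for key, value in triage(ALERT).items():
        print(f"{key:>18}: {value}")
```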




