[Snort-users] Win98 on reboot

Max Vision vision at ...4...
Mon Mar 12 01:06:08 EST 2001


224.0.0.0 is multicast.  There are some special address groups that are
addressable this way.  224.0.0.1 is all-hosts.mcast.net, 224.0.0.2 is
all-routers.mcast.net.

If you had any multicast-enabled equipment on your subnet they would
respond to ping requests (ping 224.0.0.1 for hosts, 2 for routers).

http://www.isi.edu/in-notes/iana/assignments/multicast-addresses

I couldn't find a specific reference to Win98, but here is a Microsoft
explanation for NT:
http://www.microsoft.com/TechNet/network/uniclpr.asp#h

Max

On Sun, 11 Mar 2001, Lance Spitzner wrote:

> Rebooted Win98 desktop on my network, snort captured and
> alerted to the following.  What is my Win98 desktop trying
> to do? No packet payload in the ICMP packets :-0
>
> [**] ICMP Router Selection [**]
> 03/11-22:51:40.761942 192.168.1.100 -> 224.0.0.2
> ICMP TTL:128 TOS:0x0 ID:0 IpLen:20 DgmLen:28
> Type:10  Code:0  UNKNOWN
>
> [**] ICMP Router Selection [**]
> 03/11-22:51:43.769400 192.168.1.100 -> 224.0.0.2
> ICMP TTL:128 TOS:0x0 ID:1792 IpLen:20 DgmLen:28
> Type:10  Code:0  UNKNOWN
>
> [**] ICMP Router Selection [**]
> 03/11-22:51:46.788874 192.168.1.100 -> 224.0.0.2
> ICMP TTL:128 TOS:0x0 ID:3584 IpLen:20 DgmLen:28
> Type:10  Code:0  UNKNOWN
>
> --
> Lance Spitzner
> http://project.honeynet.org
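
Added example, not part of either post: ICMP type 10 (shown as UNKNOWN in the alerts) is the Router Solicitation message of RFC 1256, which a host sends to 224.0.0.2 at startup, at most three times and three seconds apart. The sketch below checks Snort alerts against that pattern; `classify`, the `slack` tolerance, the assumed year and the alert from 192.168.1.77 are constructed for illustration.

```python
import re
from datetime import datetime

# RFC 1256 router discovery: ICMP type 10 is a router solicitation, sent to
# all-routers multicast or limited broadcast, at most 3 times, 3 s apart.
SOLICITATION, DSTS = 10, {"224.0.0.2", "255.255.255.255"}
MAX_SOLICITATIONS, INTERVAL = 3, 3.0
ALERT = re.compile(r"(\S+) (\S+) -> (\S+)\nICMP .*DgmLen:(\d+)\n"
                   r"Type:(\d+)\s+Code:(\d+)")

# The three alerts quoted in the post, then one constructed alert
# (192.168.1.77, not from the post) that does not fit the pattern.
SAMPLE = """\
[**] ICMP Router Selection [**]
03/11-22:51:40.761942 192.168.1.100 -> 224.0.0.2
ICMP TTL:128 TOS:0x0 ID:0 IpLen:20 DgmLen:28
Type:10  Code:0  UNKNOWN
[**] ICMP Router Selection [**]
03/11-22:51:43.769400 192.168.1.100 -> 224.0.0.2
ICMP TTL:128 TOS:0x0 ID:1792 IpLen:20 DgmLen:28
Type:10  Code:0  UNKNOWN
[**] ICMP Router Selection [**]
03/11-22:51:46.788874 192.168.1.100 -> 224.0.0.2
ICMP TTL:128 TOS:0x0 ID:3584 IpLen:20 DgmLen:28
Type:10  Code:0  UNKNOWN
[**] ICMP Router Selection [**]
03/11-22:52:10.000000 192.168.1.77 -> 192.168.1.1
ICMP TTL:64 TOS:0x0 ID:4242 IpLen:20 DgmLen:84
Type:10  Code:0  UNKNOWN
"""

def classify(text, year=2001, slack=0.5):
    """Return {source: verdict}. Alerts carry no year, so one is assumed."""
    by_src = {}
    for ts, src, dst, dlen, typ, code in ALERT.findall(text):
        when = datetime.strptime(f"{year}/{ts}", "%Y/%m/%d-%H:%M:%S.%f")
        by_src.setdefault(src, []).append(
            (when, dst, int(dlen), int(typ), int(code)))
    verdicts = {}
    for src, recs in by_src.items():
        times = sorted(r[0] for r in recs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # 28 bytes = 20-byte IP header + 8-byte solicitation, no payload.
        shape = all(r[1] in DSTS and r[2:] == (28, SOLICITATION, 0)
                    for r in recs)
        paced = (len(recs) <= MAX_SOLICITATIONS
                 and all(abs(g - INTERVAL) <= slack for g in gaps))
        verdicts[src] = "router-discovery" if shape and paced else "review"
    return verdicts
```

`classify(SAMPLE)` marks 192.168.1.100 as `router-discovery` and the constructed source as `review`.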




