[Snort-users] Strange packet

todb at ...11422... todb at ...11422...
Wed May 12 05:24:04 EDT 2004


> Anyone have an idea of what is this?

> 2004-05-12 11:01:08.707097 IP (tos 0x0, ttl 255, id 9278, offset 0, flags
> [none], length: 576, bad cksum 3560 (->aa84)!) 186.186.186.186.47802 >
> 186.186.186.186.47802: UDP, length: 47794

186.186.186.186 equals 0xBABABABA, and the 47802 port also equals 0xBABA
-- so it's certainly a mangled packet. The TTL of 255 means that it must
have been generated locally, not to mention the reserved address space of
186/8.

Use the -e switch (for snort or tcpdump) to get the MAC address of the
sender (assuming that's not getting garbled, too), and track it down that
way. HTH.

-- 
Tod
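
The observations in the reply above can be turned into an automated check. This is an added example, not part of the original post: `ip_checksum`, `check_packet` and `SAMPLE` are hypothetical names, and the sample packet is constructed from the header fields in the quoted tcpdump line.

```python
import struct

def ip_checksum(header: bytes) -> int:
    """RFC 1071 checksum over an IPv4 header whose checksum field is zeroed."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def check_packet(pkt: bytes) -> list[str]:
    """Return reasons an IPv4/UDP packet looks mangled rather than real traffic."""
    ver_ihl, tos, tot_len, ident, frag, ttl, proto, cksum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    findings = []
    expected = ip_checksum(pkt[:10] + b"\x00\x00" + pkt[12:ihl])
    if cksum != expected:
        findings.append(f"bad IP checksum {cksum:04x} (expected {expected:04x})")
    if proto == 17 and len(pkt) >= ihl + 8:
        sport, dport, ulen, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
        # Same byte repeated through both addresses and both ports: a memory
        # fill pattern overwrote the header, as with 0xBA in the post.
        fill = set(src + dst + pkt[ihl:ihl + 4])
        if len(fill) == 1:
            findings.append(f"fill pattern 0x{fill.pop():02X} in addresses and ports")
        if ulen > tot_len - ihl:
            findings.append(f"UDP length {ulen} exceeds IP payload {tot_len - ihl}")
    return findings

# Constructed sample: header fields taken from the tcpdump line in the post.
# Assumption: the UDP length and checksum fields are 0xBABA as well
# (tcpdump's 47794 plus the 8-byte UDP header is 47802).
SAMPLE = struct.pack("!BBHHHBBH", 0x45, 0, 576, 9278, 0, 255, 17, 0x3560) \
    + b"\xba" * 16

if __name__ == "__main__":
    for reason in check_packet(SAMPLE):
        print(reason)
```

The recomputed checksum for the sample matches the `->aa84` value tcpdump printed, which confirms the constructed header agrees with the captured one.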
