[Snort-users] Strange packet

todb at ...11422... todb at ...11422...
Wed May 12 05:24:04 EDT 2004

> Anyone have an idea of what is this?

> 2004-05-12 11:01:08.707097 IP (tos 0x0, ttl 255, id 9278, offset 0, flags
> [none], length: 576, bad cksum 3560 (->aa84)!) >
> UDP, length: 47794 equals 0xBABABABA, and the 47802 port also equals 0xBABA
-- so it's certainly a mangled packet. The TTL of 255 means that it must
have been generated locally, not to mention the reserved address space of

Use the -e switch (for snort or tcpdump) to get the MAC address of the
sender (assuming that's not getting garbled, too), and track it down that
way. HTH.
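An added example, not part of the original post: a small triage routine that runs the checks the reply describes (header checksum, TTL of 255, a 0xBABA-style repeated byte in the UDP fields) and reports the source MAC that `-e` would show. The frame is constructed; the MAC addresses and the RFC 5737 IP addresses are assumptions, while id 9278, length 576 and the stored checksum 0x3560 are taken from the quoted output.

```python
import struct

def ip_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement checksum over an IPv4 header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def triage(frame: bytes) -> dict:
    """Parse Ethernet II / IPv4 / UDP and flag the anomalies the reply points at."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an Ethernet II frame carrying IPv4")
    ihl = (frame[14] & 0x0F) * 4
    ip = frame[14:14 + ihl]
    if ihl < 20 or len(ip) < ihl:
        raise ValueError("invalid or truncated IPv4 header")
    # Source MAC: what tcpdump -e / snort -e would print for this frame.
    out = {"src_mac": frame[6:12].hex(":"), "ttl": ip[8], "flags": []}
    stored = struct.unpack("!H", ip[10:12])[0]
    expected = ip_checksum(ip[:10] + b"\x00\x00" + ip[12:])
    if stored != expected:
        out["flags"].append(f"bad cksum {stored:x} (->{expected:x})")
    if ip[8] == 255:
        out["flags"].append("ttl 255: no router has decremented it")
    udp = frame[14 + ihl:22 + ihl]
    if ip[9] == 17 and len(udp) == 8:
        fields = zip(("sport", "dport", "udp_len"), struct.unpack("!3H", udp[:6]))
        for name, value in fields:
            if value and (value >> 8) == (value & 0xFF):
                out["flags"].append(f"{name} 0x{value:04X} is one byte repeated")
    return out

def build_frame(ttl: int, cksum: int, sport: int, dport: int, ulen: int) -> bytes:
    """Constructed test frame: made-up MACs, RFC 5737 documentation addresses."""
    eth = bytes.fromhex("020000000002" "020000000001" "0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 576, 9278, 0, ttl, 17, cksum,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return eth + ip + struct.pack("!4H", sport, dport, ulen, 0)

MANGLED = build_frame(255, 0x3560, 0xBABA, 0xBABA, 0xBABA)

if __name__ == "__main__":
    report = triage(MANGLED)
    print("sender MAC:", report["src_mac"])
    for flag in report["flags"]:
        print(" -", flag)
```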

