[Snort-users] a lot of Loopback traffic being logged.

rod rod at ...11862...
Thu May 27 08:03:10 EDT 2004

We had this for a short while, finally tracked it down to a wormed box
on the other side of the router.  The router was letting src traffic
from through to our public addresses, this has now been
corrected and the traffic has been stopped.

best regards


On Fri, 2004-04-23 at 19:23, Chuck Holley wrote: 
> Did you sniff for packets? I'm using tcpdump and I sniffed for a
> while with this command: tcpdump src -s 1518 -i eth0 -w dump
> I'm assuming I'm doing this right. I'm trying to log only packets from
> and log the whole Ethernet packet 1518 on interface eth0 and
> to a file called dump.
> Now, I did this and got two loggings in tcpdump:
> 13:04:11.172652 IP hal2.http > R 0:0(0) ack win 0
> 13:04:54.391786 IP hal2.http > R 0:0(0) ack win 0
> hal2 is the server that has tcpdump on it. Is this machine one of the
> that is sending out the, or did I simply pick up two packets
> out from hal2 to these other machines.
> I looked at snort and the exact same IPs, with the exact same ports
> logged coming from
> To say the least I'm confused even more!!

I see it on my external interface too. I used tcpdump with the -e parameter
to display the MAC address of the sender.

tcpdump -e -i eth1 src host 

I find that the MAC address of the loopback packets is my ISP's Cisco switch.

So all the packets come from the external network (I think). I am connected over
a wi-fi AP, and when I sniffed, I saw that these packets are coming to
most of the people connected to this AP.

I don't know what it can be. 
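
Added example, not part of the original thread: the `tcpdump -e` check described above, automated as a tally of which sender MAC delivers frames whose IP source is in 127.0.0.0/8. The sample lines, MAC addresses, IP addresses and function names are constructed for illustration, and the regex assumes the line format of current `tcpdump -e -n` output.

```python
import ipaddress
import re
from collections import Counter

# Constructed `tcpdump -e -n` lines (documentation MACs/IPs, not from the thread).
SAMPLE = """\
13:04:11.172652 00:00:5e:00:53:01 > 00:00:5e:00:53:02, ethertype IPv4 (0x0800), length 60: 127.0.0.1.80 > 192.0.2.10.1045: Flags [R.], seq 0, ack 1, win 0, length 0
13:04:54.391786 00:00:5e:00:53:01 > 00:00:5e:00:53:02, ethertype IPv4 (0x0800), length 60: 127.0.0.1.80 > 192.0.2.10.1046: Flags [R.], seq 0, ack 1, win 0, length 0
13:05:02.000113 00:00:5e:00:53:01 > 00:00:5e:00:53:02, ethertype IPv4 (0x0800), length 74: 198.51.100.7.443 > 192.0.2.10.50000: Flags [S.], seq 1, ack 1, win 65535, length 0
13:05:03.480021 00:00:5e:00:53:02 > 00:00:5e:00:53:01, ethertype IPv4 (0x0800), length 60: 192.0.2.10.50000 > 198.51.100.7.443: Flags [.], ack 1, win 64240, length 0
13:05:04.000000 00:00:5e:00:53:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.0.2.10 tell 192.0.2.1, length 46
"""

# Assumption: MAC of the sniffing host's own interface.
LOCAL_MACS = {"00:00:5e:00:53:02"}

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Timestamp, source MAC, destination MAC, then the IPv4 source (port optional).
LINE_RE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > [0-9a-f:]{17}, "
    r"ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > "
)


def loopback_source_macs(text):
    """Count frames with a 127.0.0.0/8 IP source, keyed by sender MAC."""
    counts = Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # non-IPv4 frame or unparsable line
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # digits matched but not a valid address
        if src in LOOPBACK:
            counts[m["smac"]] += 1
    return counts


def frames_from_wire(text, local_macs):
    """Loopback-sourced frames whose sender MAC is not one of this host's NICs."""
    counts = loopback_source_macs(text)
    return sorted((mac, n) for mac, n in counts.items() if mac not in local_macs)


if __name__ == "__main__":
    for mac, n in frames_from_wire(SAMPLE, LOCAL_MACS):
        print(f"{n} loopback-sourced frame(s) delivered by {mac}")
```

A sender MAC that belongs to the upstream router or switch, as in the report above, means the packets arrived from the wire and the upstream device is not filtering loopback sources.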

