[Snort-users] a lot of Loopback traffic being logged.

rod rod at ...11862...
Thu May 27 08:03:10 EDT 2004


We had this for a short while, and finally tracked it down to a wormed box
on the other side of the router.  The router was letting src traffic
from 127.0.0.1 through to our public addresses; this has now been
corrected and the traffic has been stopped.

best regards

Rod
________________________________________________________________________

On Fri, 2004-04-23 at 19:23, Chuck Holley wrote:
> Did you sniff for 127.0.0.1 packets? I'm using tcpdump and I sniffed for a
> while with this command: tcpdump src 127.0.0.1 -s 1518 -i eth0 -w dump
>
> I'm assuming I'm doing this right. I'm trying to log only packets from
> 127.0.0.1 and log the whole Ethernet packet 1518 on interface eth0 and
> write to a file called dump.
>
> Now, I did this and got two loggings in tcpdump:
>
> 13:04:11.172652 IP hal2.http > 192.168.42.50.1361: R 0:0(0) ack 799408129 win 0
> 13:04:54.391786 IP hal2.http > 192.168.42.52.1196: R 0:0(0) ack 1316880385 win 0
>
> hal2 is the server that has tcpdump on it. Is this machine one of the
> boxes that is sending out the 127.0.0.1, or did I simply pick up two
> packets sent out from hal2 to these other machines?
>
> I looked at snort and the exact same IPs, with the exact same ports, were
> logged coming from 127.0.0.1.
>
> To say the least, I'm confused even more!!
>


Hi,
I see it on my external interface too. I used tcpdump with the -e parameter
to display the MAC address of the sender.

tcpdump -e -i eth1 src host 127.0.0.1

I find that the MAC address of the loopback packets is my ISP's Cisco switch.

So all packets come from the external network (I think). I am connected over
a wi-fi AP, and when I sniffed, I saw that these packets are coming to
most connected people in this AP.

I don't know what it can be.

Regards,
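
The check used in this thread (capture with tcpdump -e and see which MAC address is really sending the frames that claim a 127.0.0.1 source), as an added example that is not part of the original posts. The capture lines are constructed in the style of `tcpdump -e -n` output, the MAC addresses are invented, and `loopback_senders` is a hypothetical helper name.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample modelled on `tcpdump -e -n` output. MAC addresses and
# the third (legitimate) line are invented for illustration.
SAMPLE = """\
13:04:11.172652 00:0c:ce:aa:bb:01 > 00:50:56:00:00:10, ethertype IPv4 (0x0800), length 60: 127.0.0.1.80 > 192.168.42.50.1361: Flags [R.], seq 0, ack 799408129, win 0, length 0
13:04:54.391786 00:0c:ce:aa:bb:01 > 00:50:56:00:00:12, ethertype IPv4 (0x0800), length 60: 127.0.0.1.80 > 192.168.42.52.1196: Flags [R.], seq 0, ack 1316880385, win 0, length 0
13:05:02.000100 00:50:56:00:00:22 > 00:50:56:00:00:10, ethertype IPv4 (0x0800), length 74: 192.168.42.7.51514 > 192.168.42.50.22: Flags [S], seq 1, win 64240, length 0
"""

# Link-level header printed by -e, then "src[.port] > dst[.port]:".
# Ports are optional so that ICMP and other portless lines still match.
LINE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), "
    r"ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:",
    re.IGNORECASE,
)

# Any 127.0.0.0/8 source seen on a wire is forged or misrouted, not only .1.
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def loopback_senders(capture_text):
    """Map each source MAC to the destinations it sent loopback-sourced
    packets to. The MAC is the last L2 hop, i.e. where to look next."""
    senders = defaultdict(set)
    for line in capture_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # non-IPv4 frame or a format this pattern does not cover
        if ipaddress.ip_address(m["src"]) in LOOPBACK:
            dst = f'{m["dst"]}:{m["dport"] or "-"}'
            senders[m["smac"].lower()].add(dst)
    return {mac: sorted(dsts) for mac, dsts in senders.items()}


if __name__ == "__main__":
    for mac, dsts in loopback_senders(SAMPLE).items():
        print(f"{mac} sent loopback-sourced packets to: {', '.join(dsts)}")
```

If the MAC that comes back belongs to a router or switch, the packets were forwarded from another segment, and the source filtering belongs on that device's ingress.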





