Security Incidents mailing list archives
Re: BAD TRAFFIC 0 ttl
From: Will Tell <nosphie () rootshell be>
Date: 23 Aug 2002 19:45:15 -0000
In-Reply-To: <20020823131552.871DE3951 () sitemail everyone net>

Hey Seren, looks like you have the tcpdump file of the happening. In this case you should look not for the IPs but for the MAC. I had a case like this and all the IPs had the same MAC. So take for example "ettercap" in offline file mode and sniff only in MAC mode. That might clear something up.

Will Tell

<20020823131552.871DE3951 () sitemail everyone net>
Hello all,

I've had this same pattern of traffic appear inside my network on four different occasions and I've found no answer as to what it is, I'm hoping someone here has seen something similar.

This always happens over the midnight hour. The only things that vary are the length of time and number of different destination IPs. The destinations are always #.0.1.15. The source is usually 218 or 65.0.1.0, but always #.0.1.0. The packet data is always the same.

Samples follow. Any thoughts are greatly appreciated. Thanks!
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
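The MAC-instead-of-IP check suggested in the reply can also be run directly over a capture file. The following is an added example, not part of the original posts and not ettercap's code: it groups IPv4 source addresses by source MAC and reports any MAC that sent from more than one address. It assumes a classic libpcap file (not pcapng) with Ethernet link type; the function names, the `only_ttl` filter, and the sample capture with its MAC addresses are constructed for illustration.

```python
import struct
from collections import defaultdict

def src_ips_by_mac(pcap, only_ttl=None):
    """Map each source MAC to the IPv4 source addresses it sent in a classic pcap."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"                      # little-endian capture
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"                      # big-endian capture
    else:
        raise ValueError("not a classic libpcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet, no MACs to compare")
    seen, off = defaultdict(set), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # 14-byte Ethernet header + 20-byte IPv4 header; EtherType 0x0800 is IPv4
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue
        if only_ttl is not None and frame[22] != only_ttl:
            continue
        mac = ":".join(f"{b:02x}" for b in frame[6:12])
        seen[mac].add(".".join(str(b) for b in frame[26:30]))
    return {mac: sorted(ips) for mac, ips in seen.items()}

def shared_macs(pcap, only_ttl=None):
    """MACs that sent from more than one source IP (one sender, many addresses)."""
    return {m: ips for m, ips in src_ips_by_mac(pcap, only_ttl).items() if len(ips) > 1}

def make_frame(src_mac, src_ip, dst_ip, ttl):
    """Build one constructed Ethernet/IPv4 frame (header only, checksum left 0)."""
    eth = b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    addr = lambda s: bytes(int(p) for p in s.split("."))
    return eth + struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, 1, 0,
                             addr(src_ip), addr(dst_ip))

# Constructed sample capture: addresses follow the #.0.1.0 -> #.0.1.15 pattern
# from the post; MACs are made up for the example.
SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
for f in (make_frame("00:00:5e:00:53:01", "218.0.1.0", "218.0.1.15", 0),
          make_frame("00:00:5e:00:53:01", "65.0.1.0", "65.0.1.15", 0),
          make_frame("00:00:5e:00:53:02", "192.0.2.10", "192.0.2.1", 64)):
    SAMPLE += struct.pack("<IIII", 0, 0, len(f), len(f)) + f

if __name__ == "__main__":
    print(shared_macs(SAMPLE, only_ttl=0))
```

On a real capture, read the file with `open(path, "rb").read()` and pass the bytes to `shared_macs`; a single MAC behind all the odd source addresses points at one local sender or the upstream router interface rather than many remote hosts.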