In the several years I've been using tcpdump to capture interesting packets, the filter "not ( ip proto icmp or ip proto tcp or ip proto udp )" had never logged anything. Until I found the following "packet" capture:

http://www.cstone.net/~lmf1t/anom_logs/bogusIP.log

Ethereal version 0.8.20 shows that the packet has IP header length of 0. Interestingly, the capture is 1460 bytes in length (less than the 1500-byte snap length), and it just so happens that stepping into the zero-length header (!) shows the packet-length field to be 0x05b4 or 1460. It seems that tcpdump (version 3.4) / libpcap (version 0.4) interprets (some) IP header fields even though the header length is zero.

I've tried to replicate the packet by revisiting the web sites I had visited just before the anomalous packet, but no luck. Snort was silent, as was ipchains.

Has anybody an idea of what this is? I don't see how it could possibly be routed, so I tend to think ... just a hiccough, noise on the line, whatever....

Lindsay

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
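An added example, not from Lindsay's post and not code from tcpdump or libpcap: the Python script below shows why a frame with an IP header length of 0 can still satisfy the filter quoted above, and how a lax IPv4 decoder differs from a strict one. Classic BPF compiles "ip proto X" to a check of the EtherType at frame offset 12 followed by a load of the single protocol byte at fixed frame offset 23 (14-byte Ethernet header plus 9); the IHL nibble is never consulted. The sample frame, its MAC and IP addresses, and the protocol number 255 are constructed for the demonstration and are not the bytes of the original capture.

```python
import struct
from typing import Dict, List

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17


def bpf_not_icmp_tcp_udp(frame: bytes) -> bool:
    """Emulate "not (ip proto icmp or ip proto tcp or ip proto udp)" as classic BPF evaluates it.

    BPF tests the EtherType at frame offset 12, then the protocol byte at the fixed
    frame offset 23.  It never reads the IHL nibble, so a frame whose IP header
    length is 0 is classified by that one byte exactly like a well-formed one.
    """
    if len(frame) < ETH_HDR_LEN + 20:
        return False  # too short for "ip proto" to load offset 23; treated as no match here
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return True   # "ip proto ..." is false for non-IP frames (e.g. ARP), so the negation holds
    return frame[23] not in (IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP)


def lax_ip_fields(frame: bytes) -> Dict[str, object]:
    """Read IPv4 fields at their fixed offsets, the way a decoder that ignores IHL does."""
    ip = frame[ETH_HDR_LEN:ETH_HDR_LEN + 20]
    version_ihl, _tos, total_length, _ident, _frag, ttl, proto, _csum = struct.unpack("!BBHHHBBH", ip[:12])
    return {
        "version": version_ihl >> 4,
        "ihl_bytes": (version_ihl & 0x0F) * 4,
        "total_length": total_length,
        "ttl": ttl,
        "protocol": proto,
        "src": ".".join(str(b) for b in ip[12:16]),
        "dst": ".".join(str(b) for b in ip[16:20]),
    }


def strict_ip_check(frame: bytes) -> List[str]:
    """Return the reasons an IPv4 header must be rejected before any of its fields is trusted."""
    problems: List[str] = []
    if len(frame) < ETH_HDR_LEN + 20:
        return ["frame shorter than Ethernet header plus minimum IPv4 header"]
    f = lax_ip_fields(frame)
    if f["version"] != 4:
        problems.append("version %d is not 4" % f["version"])
    if f["ihl_bytes"] < 20:
        problems.append("IHL of %d bytes is below the 20-byte minimum" % f["ihl_bytes"])
    if f["total_length"] < max(f["ihl_bytes"], 20):
        problems.append("total length smaller than the header length")
    if f["total_length"] > len(frame) - ETH_HDR_LEN:
        problems.append("total length exceeds the bytes actually present")
    return problems


def build_frame(version_ihl: int, total_length: int, proto: int, payload_len: int) -> bytes:
    """Constructed sample frame (assumed values, not the original capture): Ethernet + 20 IPv4 bytes + zero padding."""
    eth = bytes.fromhex("000000000001") + bytes.fromhex("000000000002") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", version_ihl, 0, total_length, 0, 0, 64, proto, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return eth + ip + bytes(payload_len)


if __name__ == "__main__":
    # Version 4, IHL 0, total length 0x05b4 (1460), protocol 255 (assumed): mirrors the
    # header-length-0 / length-1460 combination described above, with constructed contents.
    bogus = build_frame(0x40, 0x05B4, 0xFF, 1440)
    normal = build_frame(0x45, 40, IPPROTO_TCP, 20)
    for name, frame in (("bogus", bogus), ("normal", normal)):
        print(name, "matches filter:", bpf_not_icmp_tcp_udp(frame))
        print(name, "lax decode:", lax_ip_fields(frame))
        print(name, "strict check:", strict_ip_check(frame) or "ok")
```

The lax decoder happily reports a total length of 1460 for the zero-IHL frame, which is the behaviour the post observed in tcpdump 3.4 / libpcap 0.4; the strict check rejects the header before any of those fields are believed, which is what a decoder (or an IDS preprocessor) should do with such a frame.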
This archive was generated by hypermail 2b30 : Mon Oct 22 2001 - 08:27:21 PDT