Strange tcpdump file

From: Lindsay (lmf1tat_private)
Date: Sat Oct 20 2001 - 13:05:56 PDT

    In the several years I've been using tcpdump to capture interesting
    packets, the filter
    "not ( ip proto icmp or ip proto tcp or ip proto udp )"
    had never logged anything. Until I found the following "packet" capture:
    
    http://www.cstone.net/~lmf1t/anom_logs/bogusIP.log
    
    Ethereal version 0.8.20 shows that the packet has IP header length of 0.
    Interestingly, the capture is 1460 bytes in length (less than the
    1500-byte snap length), and it just so happens that stepping into the
    zero-length header (!) shows the packet-length field to be 0x05b4 or
    1460. It seems that tcpdump (version 3.4) / libpcap (version 0.4)
    interprets (some) IP header fields even though the header length is
    zero.
    
    I've tried to replicate the packet by revisiting the web sites I had
    visited just before the anomalous packet, but no luck. Snort was silent,
    as was ipchains. Has anybody an idea of what this is? I don't see how it
    could possibly be routed, so I tend to think ...  just a hiccough, noise
    on the line, whatever....
    
    Lindsay
    
    
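The anomaly in the post (an IP header whose IHL field is 0 while the total-length field at byte offset 2 still reads 0x05b4 = 1460) is a good illustration of why a decoder must validate the header before trusting any field in it. The following is an added example, not code from the post or from tcpdump/libpcap: a minimal IPv4 header sanity checker in Python, run over two constructed frames, one well-formed (built with a correct RFC 791 header checksum) and one mimicking the bogus capture (version 4, IHL 0, total length 1460, everything else zero). The sample bytes, function names and the `classify` helper are this example's own assumptions.

```python
"""Added example: strict vs. naive IPv4 header decoding.

Shows how a decoder that reads fields at fixed offsets "sees" a total
length of 1460 in a header whose IHL is 0, while a decoder that checks
version, IHL, lengths and checksum first rejects the frame outright.
All packet bytes below are constructed for this example.
"""
import struct

MIN_IHL_WORDS = 5  # an IPv4 header is at least 5 x 32-bit words = 20 bytes


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum of 16-bit words; returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(payload: bytes, proto: int = 17,
               src: bytes = b"\x0a\x00\x00\x01", dst: bytes = b"\x0a\x00\x00\x02") -> bytes:
    """Build a well-formed 20-byte IPv4 header (no options) plus payload. Constructed data."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def naive_fields(pkt: bytes) -> dict:
    """Read fields at their nominal offsets without checking IHL, as an unchecked decoder would."""
    ver_ihl, _tos, total_len = struct.unpack("!BBH", pkt[:4])
    return {"version": ver_ihl >> 4, "ihl": ver_ihl & 0x0F,
            "total_length": total_len, "protocol": pkt[9]}


def strict_parse(pkt: bytes) -> dict:
    """Validate version, IHL, lengths and checksum before exposing any field.

    Raises ValueError with a reason suitable for a log line.
    """
    if len(pkt) < 20:
        raise ValueError("truncated: fewer than 20 bytes")
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError(f"bad version {version}")
    if ihl < MIN_IHL_WORDS:
        # This is the case from the post: IHL 0 means no field past byte 0 can be trusted.
        raise ValueError(f"bad IHL {ihl}: header shorter than 20 bytes, fields are meaningless")
    hdr_len = ihl * 4
    if hdr_len > len(pkt) or total_len < hdr_len or total_len > len(pkt):
        raise ValueError(f"bad lengths: header={hdr_len} total={total_len} captured={len(pkt)}")
    if ipv4_checksum(pkt[:hdr_len]) != 0:
        raise ValueError("header checksum mismatch")
    return {"version": version, "ihl": ihl, "total_length": total_len, "ttl": ttl,
            "protocol": proto, "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}


def classify(pkt: bytes) -> str:
    """One-line verdict for a frame, the kind of thing a sensor would log."""
    try:
        fields = strict_parse(pkt)
        return "ok: proto=%d %s->%s" % (fields["protocol"], fields["src"], fields["dst"])
    except ValueError as err:
        return f"reject: {err}"


# Constructed frames: a valid UDP-over-IPv4 frame, and a 1460-byte frame that
# mimics the bogus capture (version 4, IHL 0, total length 0x05b4, rest zero).
GOOD = build_ipv4(b"hello")
BOGUS = bytes([0x40, 0x00, 0x05, 0xB4]) + b"\x00" * (1460 - 4)

if __name__ == "__main__":
    for name, frame in (("GOOD", GOOD), ("BOGUS", BOGUS)):
        print(name, "naive:", naive_fields(frame))
        print(name, "strict:", classify(frame))
```

The naive decoder reports `ihl=0, total_length=1460, protocol=0` for the bogus frame, exactly the kind of reading the post describes; the strict decoder stops at the IHL check and never reaches the length or protocol bytes. The same caveat applies to capture filters: a BPF expression such as `ip proto udp` loads the protocol byte at a fixed offset in the IP header and does not validate IHL, so a malformed header can still match (or, as here, fail to match) a protocol filter. Treating any frame with IHL below 5 as a distinct "malformed IP" event in a sensor is a cheap way to surface such captures rather than letting them slip into a catch-all bucket.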
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Mon Oct 22 2001 - 08:27:21 PDT