> http://www.cstone.net/~lmf1t/anom_logs/bogusIP.log
>
> Ethereal version 0.8.20 shows that the packet has IP header length of 0.

If you trace a busy link, it turns out you see busted stuff like this every day. For example, the Bro intrusion detection system, which I run operationally at lbl.gov, observes truncated packets, illegal TCP acknowledgements and retransmissions, benign splitting of TCP headers across different IP fragments, etc. See the discussion of "The Problem of Crud" in the Bro paper:

    ftp://ftp.ee.lbl.gov/papers/bro-CN99.ps.gz

- Vern

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Oct 22 2001 - 21:12:00 PDT
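
An added example, not part of the original message and not code from Bro or Ethereal: a sanity check that flags the kind of malformed IPv4 headers discussed above (a header length of 0, truncated captures) so a monitor can log them as crud instead of mis-parsing them. The function names and sample packets are constructed for illustration, and the input is assumed to be a raw IPv4 packet with the link-layer header already removed.

```python
import struct

MIN_HDR = 20  # smallest legal IPv4 header, in bytes (IHL = 5)


def make_header(ver_ihl: int, total_len: int) -> bytes:
    """Build a constructed 20-byte IPv4 header (documentation addresses, checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, 0, 0, 64, 6, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))


def ipv4_anomalies(pkt: bytes) -> list:
    """Return a list of header sanity problems; an empty list means none found."""
    if len(pkt) < MIN_HDR:
        return ["truncated: fewer than 20 bytes captured"]
    ver_ihl, _tos, total_len = struct.unpack("!BBH", pkt[:4])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    hdr_len = ihl * 4  # IHL counts 32-bit words
    problems = []
    if version != 4:
        problems.append(f"version field is {version}, not 4")
    if ihl < 5:
        # Covers the IHL = 0 case: never index the payload using this value.
        problems.append(f"header length {hdr_len} bytes is below the 20-byte minimum")
    elif hdr_len > len(pkt):
        problems.append("truncated: IP options run past the captured data")
    if total_len < max(hdr_len, MIN_HDR):
        problems.append(f"total length {total_len} is smaller than the header")
    elif total_len > len(pkt):
        problems.append(f"truncated: total length {total_len} exceeds "
                        f"{len(pkt)} captured bytes")
    return problems


if __name__ == "__main__":
    samples = {
        "well-formed": make_header(0x45, 20),
        "header length 0": make_header(0x40, 20),
        "truncated capture": make_header(0x45, 1500),
    }
    for name, pkt in samples.items():
        print(f"{name}: {ipv4_anomalies(pkt) or 'ok'}")
```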