Re: Strange tcpdump file

From: vernat_private
Date: Mon Oct 22 2001 - 20:47:19 PDT


    > http://www.cstone.net/~lmf1t/anom_logs/bogusIP.log
    > 
    > Ethereal version 0.8.20 shows that the packet has IP header length of 0.
    
    If you trace a busy link, it turns out you see busted stuff like this
    every day.  For example, the Bro intrusion detection system, which I run
    operationally at lbl.gov, observes truncated packets, illegal TCP
    acknowledgements and retransmissions, benign splitting of TCP headers
    across different IP fragments, etc.  See the discussion of "The Problem
    of Crud" in the Bro paper:
    
    	ftp://ftp.ee.lbl.gov/papers/bro-CN99.ps.gz
    
    - Vern
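
A sanity check of the kind a monitor needs before trusting IPv4 header fields, covering the zero header length and truncated packets mentioned above. This is an added example, not part of the original message and not Bro's code; the function names, anomaly tags and sample packets are constructed for illustration.

```python
import struct

MIN_HDR = 20  # smallest legal IPv4 header: IHL of 5 32-bit words


def check_ipv4(pkt: bytes) -> list[str]:
    """Return anomaly tags for captured bytes that start at the IP header."""
    if len(pkt) < MIN_HDR:
        # Not enough captured data to read the fixed header at all.
        return ["short-capture"]
    ver_ihl, _tos, total_len = struct.unpack("!BBH", pkt[:4])
    version, hdr_len = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    tags = []
    if version != 4:
        tags.append("bad-version")
    if hdr_len < MIN_HDR:
        # Includes the IHL == 0 case; options/payload offsets are meaningless.
        tags.append("ihl-too-small")
    elif hdr_len > len(pkt):
        tags.append("header-past-capture")
    if total_len < max(hdr_len, MIN_HDR):
        tags.append("total-len-lt-header")
    elif total_len > len(pkt):
        # Also fires on captures cut short by a small snaplen, which is benign.
        tags.append("truncated")
    return tags


def build_header(ihl_words=5, total_len=20, version=4) -> bytes:
    """Constructed 20-byte IPv4 header using documentation addresses."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        (version << 4) | ihl_words, 0, total_len,
        0, 0, 64, 6, 0,
        bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]),
    )


if __name__ == "__main__":
    samples = {
        "well-formed": build_header(),
        "IHL of 0": build_header(ihl_words=0),
        "claims 40 bytes, 20 captured": build_header(total_len=40),
        "12 captured bytes": build_header()[:12],
    }
    for name, pkt in samples.items():
        print(f"{name}: {check_ipv4(pkt) or 'ok'}")
```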
    
    



    This archive was generated by hypermail 2b30 : Mon Oct 22 2001 - 21:12:00 PDT