Unknown/Weird Traffic?

From: gs-list (gs-listat_private)
Date: Sun Jul 14 2002 - 12:56:04 PDT


    Folks:
    
    I have a question that I cannot seem to answer.  I just set up a firewall 
    box for a wireless network on SuSE 7.1.  I just built a new kernel (2.2.20) 
    and am still having a strange issue.
    
    Apparently, this box (let's call it "28.100") is not properly interpreting 
    ARP traffic.   When using TETHEREAL to capture traffic, I see this:
    
    28.97.0.0 -> 0.0.0.0 IP Fragmented IP protocol (proto=rdp 0x1b, off=18584)
    28.97.0.0 -> 0.0.0.0 IP Fragmented IP protocol (proto=rdp 0x1b, off=18584)
    28.97.0.0 -> 0.0.0.0 IP Fragmented IP protocol (proto=rdp 0x1b, off=18584)
    28.97.0.0 -> 0.0.0.0 IP Fragmented IP protocol (proto=rdp 0x1b, off=18584)
    28.97.0.0 -> 0.0.0.0 IP Fragmented IP protocol (proto=rdp 0x1b, off=18584)
    28.97.0.0 -> 0.0.0.0 IP Fragmented IP protocol (proto=rdp 0x1b, off=18584)
    
    However, when, at the same time, I monitor the same line from another 
    (identical) machine, running SuSE 7.1 and Kernel 2.2.20, I get:
    
    00:c0:49:13:b8:1b -> ff:ff:ff:ff:ff:ff ARP Who has 216.12.28.98?  Tell 216.12.28.97
    00:c0:49:13:b8:1b -> ff:ff:ff:ff:ff:ff ARP Who has 216.12.28.106?  Tell 216.12.28.97
    00:c0:49:13:b8:1b -> ff:ff:ff:ff:ff:ff ARP Who has 216.12.28.106?  Tell 216.12.28.97
    00:c0:49:13:b8:1b -> ff:ff:ff:ff:ff:ff ARP Who has 216.12.28.106?  Tell 216.12.28.97
    00:c0:49:13:b8:1b -> ff:ff:ff:ff:ff:ff ARP Who has 216.12.28.106?  Tell 216.12.28.97
    
    It appears that in the first example, the machine is not properly 
    interpreting ARP traffic.
    
    Any ideas on how to remedy this situation?
    
    Thanks,
    Gregg Sperling
    glsrms.com administrator
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
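
The two captures in the message above can be tied together byte for byte: the sketch below rebuilds the ARP requests from the second capture and searches for the offset at which reading them as an IPv4 header yields the fields shown in the first capture. This is an added example, not part of the original post; the function names are hypothetical, and the result shows only that the decode is misaligned, not what caused it.

```python
import ipaddress
import struct

def build_arp_request(sender_mac, sender_ip, target_ip):
    """28-byte ARP request payload for Ethernet/IPv4 (Ethernet header not included)."""
    return (
        struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)     # htype, ptype, hlen, plen, oper=request
        + bytes.fromhex(sender_mac.replace(":", ""))   # sender hardware address
        + ipaddress.IPv4Address(sender_ip).packed      # sender protocol address
        + bytes(6)                                     # target hardware address (unknown)
        + ipaddress.IPv4Address(target_ip).packed      # target protocol address
    )

def read_as_ipv4(payload, skew):
    """Read IPv4 header fields from payload[skew:], as a misaligned dissector would."""
    hdr = payload[skew:skew + 20]
    if len(hdr) < 20:
        raise ValueError("not enough bytes for an IPv4 header at this offset")
    (flags_frag,) = struct.unpack("!H", hdr[6:8])
    return {
        "proto": hdr[9],
        "frag_offset": (flags_frag & 0x1FFF) * 8,      # field counts 8-byte units
        "src": str(ipaddress.IPv4Address(hdr[12:16])),
        "dst": str(ipaddress.IPv4Address(hdr[16:20])),
    }

def matching_skews(payload, observed):
    """Every byte offset at which the payload decodes to the observed IPv4 fields."""
    return [s for s in range(len(payload) - 19) if read_as_ipv4(payload, s) == observed]

# Values taken from the two captures in the post.
OBSERVED = {"proto": 0x1B, "frag_offset": 18584, "src": "28.97.0.0", "dst": "0.0.0.0"}
ARP_98 = build_arp_request("00:c0:49:13:b8:1b", "216.12.28.97", "216.12.28.98")
ARP_106 = build_arp_request("00:c0:49:13:b8:1b", "216.12.28.97", "216.12.28.106")

if __name__ == "__main__":
    for name, payload in (("who-has .98", ARP_98), ("who-has .106", ARP_106)):
        print(name, "-> matching offsets:", matching_skews(payload, OBSERVED))
```

Both requests match only at offset 4, where the protocol byte is the last octet of the sender MAC (0x1b) and the source address is the tail of 216.12.28.97 followed by the zeroed target MAC. The target IP lies beyond the 20 bytes read, so requests for different hosts decode to the same line.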
    



    This archive was generated by hypermail 2b30 : Mon Jul 15 2002 - 08:44:49 PDT