From: Will Tell (nosphieat_private)
Date: Fri Aug 23 2002 - 12:45:15 PDT

    In-Reply-To: <20020823131552.871DE3951at_private>
    Hey Seren,
    Looks like you have the tcpdump file of the happening.
    In this case you should look not for the IPs but for the MAC.
    I had a case like this and all the IPs had the same MAC.
    So take for example "ettercap" in file offline mode and
    sniff only in MAC mode.
    That might clear something up.
    Will Tell
    >Hello all,
    >I've had this same pattern of traffic appear inside my
    >network on four different occasions and I've found no
    >answer as to what it is, I'm hoping someone here has
    >seen something similar.
    >This always happens over the midnight hour.  The only
    >things that vary are the length of time and number of
    >different destination IPs.  The destinations are always
    >#.0.1.15.  The source is usually 218 or, but
    >always #.0.1.0.   The packet data is always the same.
    >Samples follow.  Any thoughts are greatly appreciated.
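
The MAC-versus-IP check suggested in the reply above, as an added example that is not part of the original message: it reads a classic pcap capture offline and reports every source MAC that appears with more than one source IPv4 address. The function names, the capture bytes and all addresses are constructed for illustration.

```python
import struct
from collections import defaultdict

def macs_to_ips(pcap_bytes):
    """Map each source MAC to the set of source IPv4 addresses sent from it."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap_bytes[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    seen = defaultdict(set)
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "I", pcap_bytes[off + 8:off + 12])[0]
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Need Ethernet (14 bytes) + IPv4 header (20 bytes), EtherType 0x0800.
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue
        mac = ":".join(f"{b:02x}" for b in frame[6:12])
        seen[mac].add(".".join(str(b) for b in frame[26:30]))
    return dict(seen)

def shared_macs(mapping, threshold=2):
    """MACs seen with `threshold` or more source IPs. A router's MAC fronts
    many IPs legitimately, so compare hits against known gateway MACs."""
    return {m: sorted(ips) for m, ips in mapping.items() if len(ips) >= threshold}

def _frame(src_mac, src_ip, dst_ip):
    eth = bytes(6) + bytes.fromhex(src_mac) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     bytes(src_ip), bytes(dst_ip))
    return eth + ip

def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

# Constructed capture: three source IPs behind one MAC, plus one ordinary host.
SAMPLE = _pcap([
    _frame("020000000001", (10, 0, 1, 0), (10, 0, 1, 15)),
    _frame("020000000001", (172, 16, 1, 0), (172, 16, 1, 15)),
    _frame("020000000001", (192, 168, 1, 0), (192, 168, 1, 15)),
    _frame("020000000002", (10, 0, 0, 5), (10, 0, 0, 1)),
])
if __name__ == "__main__":
    print(shared_macs(macs_to_ips(SAMPLE)))
```
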

    This archive was generated by hypermail 2b30 : Fri Aug 23 2002 - 12:59:39 PDT