Re: DNS help

From: Valdis.Kletnieksat_private
Date: Thu Dec 12 2002 - 09:17:35 PST

    On Wed, 11 Dec 2002 16:09:49 EST, "larosa, vjay" <larosa_vjayat_private>  said:
    > Hello,
    > 
    > These packets were caught using a shadow IDS sensor. I was hoping that
    > somebody
    > in the list could help me understand what is happening below. I am familiar
    > with snort
    > and tcpdump, as well as the concept of packet fragmentation. I am mostly
    > interested in
    > finding out about the DNS requests being made, and why they are coming back
    > fragmented.
    
    Given that they fragged at 1480, I'd suspect you're going through a VPN
    at some point.  You're going to their nameserver to look something up
    and the replies are getting fragged on the way.
    
    Is your DNS server a secondary for a zone hosted at outside.guy.com?  This
    looks like it might be AXFR traffic.  It's hard to tell without knowing what
    IDS produced the log entries - if I knew what '56162 [1au][|domain]' meant
    I could tell you more.
    
    > 12:15:24.020319 DNS.server.com.33795 > outside.guy.com.domain:  56162
    > [1au][|domain] (DF)
    
    > 12:15:24.170988 outside.guy.com.domain > DNS.server.com.33795:
    > 56162[|domain] (frag 48818:1480@0+)
    
    
    -- 
    				Valdis Kletnieks
    				Computer Systems Senior Engineer
    				Virginia Tech
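
The two tcpdump lines quoted above carry the answer to most of the questions in the thread, and a short parser makes the notation explicit. This is an added example, not code from the original post or from either list member: in tcpdump's DNS decode, `[1au]` is a section count (one additional-section record, which on an otherwise plain query is normally the EDNS0 OPT record that advertises a UDP payload size larger than 512 bytes and so allows a reply large enough to fragment), `[|domain]` means the capture snaplen ended before the DNS message did, and `(frag 48818:1480@0+)` is IP ID 48818, 1480 bytes of IP payload at offset 0 with more fragments to follow. The sample lines are the post's two packets rejoined onto one line each (the mail wrapped them); the hostnames are the post's placeholders, and the MTU estimate assumes a 20-byte IPv4 header without options.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the two tcpdump lines from the post, one packet per line.
SAMPLE = (
    "12:15:24.020319 DNS.server.com.33795 > outside.guy.com.domain:  56162 [1au][|domain] (DF)\n"
    "12:15:24.170988 outside.guy.com.domain > DNS.server.com.33795:  56162[|domain] (frag 48818:1480@0+)\n"
)

IPV4_HEADER = 20  # assumption: no IP options; tcpdump's fragment length excludes the IP header

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\S+)\.(?P<sport>[^\s.]+) > (?P<dst>\S+)\.(?P<dport>[^\s.:]+):\s+"
    r"(?P<dnsid>\d+)\s*(?P<rest>.*)$"
)
COUNT_RE = re.compile(r"\[(\d+)(au|q|a|n)\]")  # tcpdump section counts: [1au] = 1 additional RR
FRAG_RE = re.compile(r"\(frag (?P<ipid>\d+):(?P<len>\d+)@(?P<off>\d+)(?P<more>\+?)\)")


@dataclass
class DnsPacket:
    ts: str
    src: str
    sport: str
    dst: str
    dport: str
    dns_id: int
    is_query: bool         # destination port is "domain" (53)
    additional: int        # "[Nau]" additional-section count; EDNS0 OPT makes this 1 on a query
    truncated: bool        # "[|domain]": snaplen cut the DNS message off, decode is incomplete
    dont_fragment: bool    # "(DF)" flag set on the IP header
    frag: Optional[Tuple[int, int, int, bool]]  # (ip_id, length, offset, more_fragments)


def parse_line(line: str) -> Optional[DnsPacket]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m["rest"]
    counts = {sec: int(n) for n, sec in COUNT_RE.findall(rest)}
    f = FRAG_RE.search(rest)
    frag = (int(f["ipid"]), int(f["len"]), int(f["off"]), f["more"] == "+") if f else None
    return DnsPacket(
        ts=m["ts"], src=m["src"], sport=m["sport"], dst=m["dst"], dport=m["dport"],
        dns_id=int(m["dnsid"]), is_query=(m["dport"] == "domain"),
        additional=counts.get("au", 0), truncated="[|domain]" in rest,
        dont_fragment="(DF)" in rest, frag=frag,
    )


def parse_capture(text: str) -> List[DnsPacket]:
    return [p for p in (parse_line(l) for l in text.splitlines()) if p]


def infer_mtu(pkt: DnsPacket) -> Optional[int]:
    """The first fragment (offset 0, more-fragments set) is filled to the fragmenting
    hop's MTU, so MTU = fragment payload length + IP header (1480 + 20 = 1500 here)."""
    if pkt.frag and pkt.frag[2] == 0 and pkt.frag[3]:
        return pkt.frag[1] + IPV4_HEADER
    return None


def pair_transactions(pkts: List[DnsPacket]) -> Dict[int, Tuple[Optional[DnsPacket], Optional[DnsPacket]]]:
    """Group packets into (query, reply) by DNS transaction ID."""
    txns: Dict[int, Tuple[Optional[DnsPacket], Optional[DnsPacket]]] = {}
    for p in pkts:
        q, r = txns.get(p.dns_id, (None, None))
        txns[p.dns_id] = (p, r) if p.is_query else (q, p)
    return txns


def findings(pkts: List[DnsPacket]) -> List[str]:
    out = []
    for dns_id, (q, r) in pair_transactions(pkts).items():
        if q and r and (q.sport, q.dport) != (r.dport, r.sport):
            out.append(f"id {dns_id}: reply port pair does not mirror the query")
        if q and q.additional:
            out.append(f"id {dns_id}: query carries {q.additional} additional RR; on a plain query "
                       "that is normally the EDNS0 OPT record advertising a UDP payload size above "
                       "512 bytes, which is what lets the reply grow past the path MTU")
        if r and r.frag:
            ipid, flen, off, more = r.frag
            out.append(f"id {dns_id}: reply is IP-fragmented (IP id {ipid}, {flen} bytes at offset {off}"
                       f"{', more fragments follow' if more else ''}); fragmenting hop MTU ~{infer_mtu(r)}")
        if any(p.truncated for p in (q, r) if p):
            out.append(f"id {dns_id}: '[|domain]' means tcpdump's snaplen cut the DNS message short; "
                       "recapture with -s 0 to see the question name and record types")
    if pkts and all(p.frag is None or p.frag[2] == 0 for p in pkts):
        out.append("only first fragments (offset 0) were captured: later fragments carry no UDP header, "
                   "so a BPF filter on port 53 cannot match them and the sensor will not log them")
    return out


if __name__ == "__main__":
    for line in findings(parse_capture(SAMPLE)):
        print(line)
```

The last finding is the caveat a sensor operator wants: because only the first fragment contains the UDP header, a port-based capture filter sees one fragment of each large reply and nothing else, which is exactly how the quoted log looks.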
    This archive was generated by hypermail 2b30 : Thu Dec 12 2002 - 14:11:46 PST