RE: Missrouted - once more - what happens?

From: James C. Slora, Jr. (Jim.Sloraat_private)
Date: Wed Jul 09 2003 - 08:07:29 PDT


    > [14:38:13|6/7]55.52.0.2.1 > gsb04-0-1.gw.ualberta.ca.2 F (ttl 
    > 4,len 49320,id
    > 5632,tos 1,ack:0)win 29702,chks: 26469
    
    > [18:04:25]253.216.8.218.65535 > 161.186.96.18.10065 S (ttl 
    > 16,len 49320,id
    > 3584,tos 94,ack:0)win 8192,chks: 52182
    > [18:04:29]255.113.8.218.65535 > 163.195.80.16.15213 F (ttl 
    > 16,len 49320,id
    > 3584,tos 94,ack:1)win 8353,chks: 6860
    
    I don't know the answer to your question, but the packets are interesting.
    
    Looks like complete BS packets but I don't know the whole context of them. Target addresses at well-known large orgs remind me of the primary spoofed sources on the win 55808 possible covert channel traffic. Have you found any outbound win 55808 traffic from your net?
    
    I'd guess spoofed and crafted, plus source routed or from your own network. Probably the same true source (or at least the same tool) for all packets. 
    
    Sport 65535 and tos 94 in common on two listed packets, goofy win and huge len 49320 common to all. 
    
    Are checksums valid?
    
    Contents may provide a clue about the purpose. Can you post a complete capture of any of these packets? Do MAC sources and dests match your understanding of the packets' direction? Do you have a full session capture to any of the target addresses? Even full headers might be helpful.
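
The field comparison the reply suggests can be automated; as an added illustration that is not part of the original thread, the script below parses the three quoted records (re-joined onto single lines, since the quoting wrapped them) and reports which header fields recur across packets and which per-packet values are implausible on their face. The regex is an assumption about the sensor's log format, and the plausibility checks (IP length above the Ethernet MTU, source address in reserved 240.0.0.0/4) are the author's own, not from the post.

```python
import re
from collections import Counter
# Assumed grammar of the quoted log format (one record per line).
LINE_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\]"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\w.-]+)\.(?P<dport>\d+) (?P<flags>[A-Z]+) "
    r"\(ttl (?P<ttl>\d+),len (?P<len>\d+),id (?P<id>\d+),tos (?P<tos>\d+),"
    r"ack:(?P<ack>\d+)\)win (?P<win>\d+),chks: (?P<chks>\d+)"
)

# The three records quoted in the post, re-joined onto single lines.
SAMPLE = """\
[14:38:13|6/7]55.52.0.2.1 > gsb04-0-1.gw.ualberta.ca.2 F (ttl 4,len 49320,id 5632,tos 1,ack:0)win 29702,chks: 26469
[18:04:25]253.216.8.218.65535 > 161.186.96.18.10065 S (ttl 16,len 49320,id 3584,tos 94,ack:0)win 8192,chks: 52182
[18:04:29]255.113.8.218.65535 > 163.195.80.16.15213 F (ttl 16,len 49320,id 3584,tos 94,ack:1)win 8353,chks: 6860
"""

INT_FIELDS = {"sport", "dport", "ttl", "len", "id", "tos", "ack", "win", "chks"}
COMPARE = ("sport", "flags", "ttl", "len", "id", "tos", "ack", "win")

def parse(text):
    """Parse each matching line into a dict; numeric fields become ints."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip wrapped fragments and unrelated lines
        records.append({k: int(v) if k in INT_FIELDS else v
                        for k, v in m.groupdict().items()})
    return records

def shared_values(records, min_count=2):
    """Most frequent value per header field (with its count) when it recurs
    in at least min_count packets; repeated constants hint at one tool."""
    out = {}
    for f in COMPARE:
        value, n = Counter(r[f] for r in records).most_common(1)[0]
        if n >= min_count:
            out[f] = (value, n)
    return out

def suspicious(rec):
    """Per-packet plausibility checks that need neither payload nor checksum."""
    reasons = []
    if rec["len"] > 1500:  # larger than a standard Ethernet frame can carry
        reasons.append("len exceeds Ethernet MTU")
    if int(rec["src"].split(".")[0]) >= 240:  # 240.0.0.0/4 is reserved
        reasons.append("source in reserved 240.0.0.0/4")
    return reasons
```

Running `shared_values(parse(SAMPLE))` on the sample surfaces the same constants the reply points out (len 49320 in all three, sport 65535 and tos 94 in two), plus the shared ttl 16 and id 3584 that also suggest one crafted source.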
    
    
    
    



    This archive was generated by hypermail 2b30 : Wed Jul 09 2003 - 11:55:28 PDT