At 08:18 PM 8/18/03, Kostas K wrote:
>Hi list,
>
>I captured activity with snort and I can't think of what it is. Does
>anybody know?
>
>08/19-00:42:39.063639 20:53:52:43:0:0 -> 44:45:53:54:0:0 type:0x800
>len:0x2A
>194.30.220.216 -> 224.0.0.1 PROTO002 TTL:1 TOS:0xC0 ID:44416 IpLen:20
>DgmLen:28
>11 64 EE 9B 00 00 00 00 .d......

Looks like a multicast packet. Protocol 2 is IGMP, which is a multicast routing protocol, and 224. is the start of the multicast address space. If this is an inbound packet into your network, I'm not sure how it got there. If it's outbound, someone may be playing with multicasting.

Hope this helps....

-- Joe
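Added example, not part of the original post: a decode of the eight payload bytes from the Snort dump above as an IGMP header, with the checksum verified. The function names and the type table are this example's own; the payload bytes are copied from the post.

```python
import struct

# Payload bytes copied from the Snort dump in the post above.
SNORT_PAYLOAD = bytes.fromhex("1164EE9B00000000")

# IGMP message types (RFC 1112, RFC 2236, RFC 3376).
IGMP_TYPES = {
    0x11: "Membership Query",
    0x12: "IGMPv1 Membership Report",
    0x16: "IGMPv2 Membership Report",
    0x17: "IGMPv2 Leave Group",
    0x22: "IGMPv3 Membership Report",
}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; 0 over a message with a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def decode_igmp(payload: bytes) -> dict:
    """Decode the fixed 8-byte IGMPv1/v2 header: type, max resp, checksum, group."""
    if len(payload) < 8:
        raise ValueError("IGMP message shorter than 8 bytes")
    msg_type, max_resp, checksum, group = struct.unpack("!BBH4s", payload[:8])
    is_query = msg_type == 0x11
    return {
        "type": IGMP_TYPES.get(msg_type, f"unknown (0x{msg_type:02x})"),
        # In an 8-byte (IGMPv2) query this field is in tenths of a second.
        "max_resp_seconds": max_resp / 10 if is_query else None,
        "checksum": f"0x{checksum:04x}",
        "checksum_ok": inet_checksum(payload) == 0,
        "group": ".".join(str(b) for b in group),
        # A query for group 0.0.0.0 asks about all groups (general query).
        "general_query": is_query and group == b"\x00\x00\x00\x00",
    }

if __name__ == "__main__":
    for key, value in decode_igmp(SNORT_PAYLOAD).items():
        print(f"{key:18} {value}")
```

The bytes decode as a general Membership Query with a valid checksum and a 10-second maximum response time, which fits the 224.0.0.1 destination and TTL of 1 in the captured IP header.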
This archive was generated by hypermail 2b30 : Tue Aug 19 2003 - 20:52:50 PDT