Re: [logs] strange udp packets

From: Alexandre Dulaunoy (alexat_private)
Date: Thu May 23 2002 - 23:34:25 PDT


    It seems that a router(?) [10.108.112.1] is making a bootp broadcast
    request to download an image from a server (an OS image or something like
    that).
    
    You can see the name of the image in the tcpdump output:
    
     file "isrrip1bw1.bin"
    
    I suspect you have a VLAN for the internet connectivity? Is it not a
    broadcast that will come from another side of the network? Is there
    physical separation? Maybe from the provider itself? ...
    
    Hope this helps.
    
    adulau
    
    
    On Wed, 22 May 2002, Bernhardi, Brett wrote:
    
    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    >
    > 	I've been getting these packets every couple of minutes or so,
    > 	and was wondering if someone could explain what is going on to me.
    > 	eth0 is my internet-connected interface, with a 66.66.x.y address.
    > 	24.92.226.16 is syrcnydhcp03-hme0.nyroc.rr.com.
    > 	I have no idea what isrrip1bw1.bin is.
    >
    > 	thanks in advance for any help..
    >
    > 	this is what showed up in my log file:
    >
    > May 22 11:07:01 opiate kernel: IN=eth0 OUT=
    > MAC=ff:ff:ff:ff:ff:ff:00:b0:64:b7:93:54:08:00 SRC=10.108.112.1
    > DST=255.255.255.255 LEN=346 TOS=0x00 PREC=0x00 TTL=255 ID=62260
    > PROTO=UDP SPT=67 DPT=68 LEN=326
    >
    > May 22 11:08:05 opiate kernel: IN=eth0 OUT=
    > MAC=ff:ff:ff:ff:ff:ff:00:b0:64:b7:93:54:08:00 SRC=10.108.112.1
    > DST=255.255.255.255 LEN=346 TOS=0x00 PREC=0x00 TTL=255 ID=62324
    > PROTO=UDP SPT=67 DPT=68 LEN=326
    >
    > May 22 11:09:09 opiate kernel: IN=eth0 OUT=
    > MAC=ff:ff:ff:ff:ff:ff:00:b0:64:b7:93:54:08:00 SRC=10.108.112.1
    > DST=255.255.255.255 LEN=346 TOS=0x00 PREC=0x00 TTL=255 ID=62365
    > PROTO=UDP SPT=67 DPT=68 LEN=326
    >
    >
    > 	this is the tcpdump output:
    >
    > 11:07:01.335182 B 10.108.112.1.bootps > 255.255.255.255.bootpc:
    > xid:0x88143c7e Y:10.108.121.141 S:24.92.226.16 G:10.108.112.1 ether
    > 0:80:37:ba:2:8b file "isrrip1bw1.bin" vend-rfc1048 T53:2 T54:283270168
    > T51:3593013504 SM:255.255.240.0 TZ:3234332671 DG:10.108.112.1
    > TS:24.92.226.16 LOG:0.0.0.0
    > T67:29545,29298,28777,25137,12663,25134,28265 (ttl 255, id 62260)
    >
    > 11:08:05.340916 B 10.108.112.1.bootps > 255.255.255.255.bootpc:
    > xid:0xbffaf9e4 Y:10.108.121.141 S:24.92.226.16 G:10.108.112.1 ether
    > 0:80:37:ba:2:8b file "isrrip1bw1.bin" vend-rfc1048 T53:2 T54:283270168
    > T51:2502494464 SM:255.255.240.0 TZ:3234332671 DG:10.108.112.1
    > TS:24.92.226.16 LOG:0.0.0.0
    > T67:29545,29298,28777,25137,12663,25134,28265 (ttl 255, id 62324)
    >
    > 11:09:09.366036 B 10.108.112.1.bootps > 255.255.255.255.bootpc:
    > xid:0x2baeaa3a Y:10.108.121.141 S:24.92.226.16 G:10.108.112.1 ether
    > 0:80:37:ba:2:8b file "isrrip1bw1.bin" vend-rfc1048 T53:2 T54:283270168
    > T51:1428752640 SM:255.255.240.0 TZ:3234332671 DG:10.108.112.1
    > TS:24.92.226.16 LOG:0.0.0.0
    > T67:29545,29298,28777,25137,12663,25134,28265 (ttl 255, id 62365)
    >
    >
    >
    > -----BEGIN PGP SIGNATURE-----
    > Version: PGPfreeware 6.0.2i
    > Comment: You hear maniacal laughter in the distance...
    >
    > iQA/AwUBPOu9+uB3FYbaQXHDEQJq+wCgzs+VGwwKcPmy5ZkqtXGXDsaIaw4AoNvv
    > +OSE1KI6XKo8vv7JuUCXC7R6
    > =DZE2
    > -----END PGP SIGNATURE-----
    >
    > ---------------------------------------------------------------------
    > To unsubscribe, e-mail: loganalysis-unsubscribeat_private
    > For additional commands, e-mail: loganalysis-helpat_private
    >
    >
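
An added example, not part of the original messages: the raw `Tnn` options in the quoted tcpdump line can be decoded to see what kind of packet is being broadcast. The function names are hypothetical, and the code assumes this tcpdump build printed multi-byte option values in little-endian host order, which is consistent with T54 decoding to the same address as `S:` on that line.

```python
import re
import socket
import struct

# Captured line copied from the tcpdump output quoted above (joined onto one line).
SAMPLE = ('11:07:01.335182 B 10.108.112.1.bootps > 255.255.255.255.bootpc: '
          'xid:0x88143c7e Y:10.108.121.141 S:24.92.226.16 G:10.108.112.1 ether '
          '0:80:37:ba:2:8b file "isrrip1bw1.bin" vend-rfc1048 T53:2 T54:283270168 '
          'T51:3593013504 SM:255.255.240.0 TZ:3234332671 DG:10.108.112.1 '
          'TS:24.92.226.16 LOG:0.0.0.0 '
          'T67:29545,29298,28777,25137,12663,25134,28265 (ttl 255, id 62260)')

# DHCP message types carried in option 53 (RFC 2132).
DHCP_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
              5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}

def swap32(n):
    """Reinterpret a 32-bit value printed in little-endian order as network order."""
    return struct.unpack(">I", struct.pack("<I", n))[0]

def decode(line):
    """Return the BOOTP header fields and raw Tnn options in readable form."""
    # Y: = address offered to the client, S: = server, G: = relay agent,
    # ether = hardware address of the client the reply is meant for.
    hdr = re.search(r"Y:(\S+) S:(\S+) G:(\S+) ether (\S+)", line)
    out = dict(zip(("offered_ip", "server_ip", "relay_ip", "client_mac"),
                   hdr.groups()))
    opts = {int(k): v for k, v in re.findall(r"\bT(\d+):([\d,]+)", line)}
    if 53 in opts:                      # DHCP message type
        out["msg_type"] = DHCP_TYPES.get(int(opts[53]), "unknown")
    if 54 in opts:                      # server identifier (an IPv4 address)
        out["server_id"] = socket.inet_ntoa(struct.pack("<I", int(opts[54])))
    if 51 in opts:                      # lease time in seconds
        out["lease_seconds"] = swap32(int(opts[51]))
    if 67 in opts:                      # bootfile name, printed as 16-bit words
        raw = b"".join(struct.pack("<H", int(w)) for w in opts[67].split(","))
        out["bootfile"] = raw.decode("ascii", "replace")
    return out

if __name__ == "__main__":
    for key, value in decode(SAMPLE).items():
        print(f"{key:14} {value}")
```

On the sample line this reports a DHCP OFFER of 10.108.121.141 to client 0:80:37:ba:2:8b, with option 67 spelling out the same `isrrip1bw1.bin` shown in the `file` field.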
    
    
    



    This archive was generated by hypermail 2b30 : Thu May 23 2002 - 23:39:21 PDT