
| Subject: | RE: wired traffic |
|---|---|
| Date: | Mon, 30 Jan 2006 15:42:55 -0800 |
When I've seen bad checksums reported, it has been in one of two cases:

1. Captured packets were truncated to save disk space. (I don't think this applies.)
2. Source or destination address was spoofed, by code that changed those bytes AFTER the sender's checksum was calculated.

So perhaps these packets are not really coming from your router?

David Gillett
-----Original Message-----
From: fowl8510@unco.edu [mailto:fowl8510@unco.edu]
Sent: Monday, January 30, 2006 9:09 AM
To: incidents@securityfocus.com
Subject: Re: wired traffic

Sorry, I should've given a little more information. 192.168.1.1 is a linksys router. Here's the command and the output. I don't understand this traffic, but what confuses me even more is that the router is sending packets with bad checksums...

sanctus:~ adam$ sudo tcpdump -i en2 -e -n -vvv -xx not host 192.168.1.100
tcpdump: listening on en2, link-type EN10MB (Ethernet), capture size 96 bytes

09:17:05.367722 00:0f:66:a7:b8:4b > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 55: IP (tos 0x0, ttl 150, id 4711, offset 0, flags [none], length: 41) 192.168.1.1.5700 > 0.0.0.0.0: . [bad tcp cksum 61da (->89e6)!] 0:1(1) ack 0 win 0
    0x0000: ffff ffff ffff 000f 66a7 b84b 0800 4500 ........f..K..E.
    0x0010: 0029 1267 0000 9606 50bf c0a8 0101 0000 .).g....P.......
    0x0020: 0000 1644 0000 0000 0000 0000 0000 5010 ...D..........P.
    0x0030: 0000 61da 0000 4e ..a...N

09:17:05.368290 00:0f:66:a7:b8:4b > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 55: IP (tos 0x0, ttl 150, id 4712, offset 0, flags [none], length: 41) 192.168.1.1.1119 > 0.0.0.0.0: . [bad tcp cksum 61da (->9bcb)!] 0:1(1) ack 0 win 0
    0x0000: ffff ffff ffff 000f 66a7 b84b 0800 4500 ........f..K..E.
    0x0010: 0029 1268 0000 9606 50be c0a8 0101 0000 .).h....P.......
    0x0020: 0000 045f 0000 0000 0000 0000 0000 5010 ..._..........P.
    0x0030: 0000 61da 0000 4e ..a...N

09:17:05.368926 00:0f:66:a7:b8:4b > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 55: IP (tos 0x0, ttl 150, id 4714, offset 0, flags [none], length: 41) 192.168.1.1.1122 > 0.0.0.0.0: . [bad tcp cksum 61da (->9bc8)!] 0:1(1) ack 0 win 0
    0x0000: ffff ffff ffff 000f 66a7 b84b 0800 4500 ........f..K..E.
    0x0010: 0029 126a 0000 9606 50bc c0a8 0101 0000 .).j....P.......
    0x0020: 0000 0462 0000 0000 0000 0000 0000 5010 ...b..........P.
    0x0030: 0000 61da 0000 4e ..a...N

09:17:05.369587 00:0f:66:a7:b8:4b > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 55: IP (tos 0x0, ttl 150, id 4716, offset 0, flags [none], length: 41) 192.168.1.1.1126 > 0.0.0.0.0: . [bad tcp cksum 61da (->9bc4)!] 0:1(1) ack 0 win 0
    0x0000: ffff ffff ffff 000f 66a7 b84b 0800 4500 ........f..K..E.
    0x0010: 0029 126c 0000 9606 50ba c0a8 0101 0000 .).l....P.......
    0x0020: 0000 0466 0000 0000 0000 0000 0000 5010 ...f..........P.
    0x0030: 0000 61da 0000 4e ..a...N

09:17:05.370277 00:0f:66:a7:b8:4b > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 55: IP (tos 0x0, ttl 150, id 4718, offset 0, flags [none], length: 41) 192.168.1.1.1129 > 0.0.0.0.0: . [bad tcp cksum 61da (->9bc1)!] 0:1(1) ack 0 win 0
    0x0000: ffff ffff ffff 000f 66a7 b84b 0800 4500 ........f..K..E.
    0x0010: 0029 126e 0000 9606 50b8 c0a8 0101 0000 .).n....P.......
    0x0020: 0000 0469 0000 0000 0000 0000 0000 5010 ...i..........P.
    0x0030: 0000 61da 0000 4e ..a...N

09:17:05.371108 00:0f:66:a7:b8:4b > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 55: IP (tos 0x0, ttl 150, id 4720, offset 0, flags [none], length: 41) 192.168.1.1.1132 > 0.0.0.0.0: . [bad tcp cksum 61da (->9bbe)!] 0:1(1) ack 0 win 0
    0x0000: ffff ffff ffff 000f 66a7 b84b 0800 4500 ........f..K..E.
    0x0010: 0029 1270 0000 9606 50b6 c0a8 0101 0000 .).p....P.......
    0x0020: 0000 046c 0000 0000 0000 0000 0000 5010 ...l..........P.
    0x0030: 0000 61da 0000 4e ..a...N

09:17:05.371707 00:0f:66:a7:b8:4b > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 55: IP (tos 0x0, ttl 150, id 4723, offset 0, flags [none], length: 41) 192.168.1.1.1137 > 0.0.0.0.0: . [bad tcp cksum 61da (->9bb9)!] 0:1(1) ack 0 win 0
    0x0000: ffff ffff ffff 000f 66a7 b84b 0800 4500 ........f..K..E.
    0x0010: 0029 1273 0000 9606 50b3 c0a8 0101 0000 .).s....P.......
    0x0020: 0000 0471 0000 0000 0000 0000 0000 5010 ...q..........P.
    0x0030: 0000 61da 0000 4e ..a...N

09:17:06.413277 00:0f:66:a7:b8:4b > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 55: IP (tos 0x0, ttl 150, id 4724, offset 0, flags [none], length: 41) 192.168.1.1.5700 > 0.0.0.0.0: . [bad tcp cksum 61da (->89e6)!] 0:1(1) ack 1 win 0
    0x0000: ffff ffff ffff 000f 66a7 b84b 0800 4500 ........f..K..E.
    0x0010: 0029 1274 0000 9606 50b2 c0a8 0101 0000 .).t....P.......
    0x0020: 0000 1644 0000 0000 0000 0000 0000 5010 ...D..........P.
    0x0030: 0000 61da 0000 4e ..a...N

09:17:06.414029 00:0f:66:a7:b8:4b > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 55: IP (tos 0x0, ttl 150, id 4725, offset 0, flags [none], length: 41) 192.168.1.1.1119 > 0.0.0.0.0: . [bad tcp cksum 61da (->9bcb)!] 0:1(1) ack 1 win 0
    0x0000: ffff ffff ffff 000f 66a7 b84b 0800 4500 ........f..K..E.
    0x0010: 0029 1275 0000 9606 50b1 c0a8 0101 0000 .).u....P.......
    0x0020: 0000 045f 0000 0000 0000 0000 0000 5010 ..._..........P.
    0x0030: 0000 61da 0000 4e ..a...N
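
Added example, not part of either message: a way to recheck both checksums offline from the `-xx` hex of the first two frames in the quoted capture, refusing to judge the TCP checksum when the capture is shorter than the IP total length (the truncation case). The function and variable names are hypothetical.

```python
import struct

# First two frames, copied from the tcpdump -xx output in the quoted message.
TAIL = "000061da00004e"
FRAME_1 = ("ffffffffffff000f66a7b84b08004500" "002912670000960650bfc0a801010000"
           "00001644000000000000000000005010" + TAIL)
FRAME_2 = ("ffffffffffff000f66a7b84b08004500" "002912680000960650bec0a801010000"
           "0000045f000000000000000000005010" + TAIL)

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"                      # pad the odd trailing byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def check_frame(hexdump: str) -> dict:
    """Return stored and recomputed IPv4 header and TCP checksums."""
    frame = bytes.fromhex(hexdump)
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 Ethernet frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        raise ValueError("not TCP")
    if len(ip) < total_len:
        # Snaplen cut the packet short: a mismatch here would mean nothing.
        raise ValueError("capture truncated; TCP checksum cannot be verified")
    hdr, seg = ip[:ihl], ip[ihl:total_len]
    # The TCP checksum also covers a pseudo-header: src, dst, zero, proto, length.
    pseudo = hdr[12:20] + struct.pack("!BBH", 0, 6, len(seg))
    return {
        "ip_stored": struct.unpack("!H", hdr[10:12])[0],
        "ip_computed": inet_checksum(hdr[:10] + b"\x00\x00" + hdr[12:]),
        "tcp_stored": struct.unpack("!H", seg[16:18])[0],
        "tcp_computed": inet_checksum(pseudo + seg[:16] + b"\x00\x00" + seg[18:]),
    }

if __name__ == "__main__":
    for name, frame in (("id 4711", FRAME_1), ("id 4712", FRAME_2)):
        r = check_frame(frame)
        print(name, {k: f"{v:04x}" for k, v in r.items()})
```

For both frames the IPv4 header checksum verifies while the stored TCP checksum stays at `61da`, and the recomputed TCP values match the `->` values tcpdump printed.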