PaulDotCom mailing list archives

TCP protocol decimal type 210
From: dale at puredistortion.com (Dale Stirling)
Date: Tue, 23 Jun 2009 09:01:05 +1000

Sorry, I have not been very clear.

Jim is correct: it is the protocol type that I am talking about and not the
port where the traffic is. Also, the traffic is all inbound to the
server.

I am yet to catch the traffic in a packet capture, as the client noticed the
usage and all I had as a source of data history was our NetFlow data, so I
have pulled this apart as much as I can and found this traffic running with
the IP protocol type defined as 210.

Since my first email I did a comparison using flow-nfilter and flow-stat on
the NetFlow data that we have and found that there was an identical number
of packets between this data and UDP type traffic. Also, all of the traffic
is on one port. The flow-stat summaries are below.

IP protocol type report:

#  --- ---- ---- Report Information --- --- ---
#
# Fields:    Total
# Symbols:   Disabled
# Sorting:   Descending Field 3
# Name:      IP protocol
#
# Args:      flow-stat -f12 -S3
#
#
# protocol  flows                 octets                packets
#
210        1                     3832009226            1864449664
17         1                     828887562             1864449664

UDP traffic by port report:

#  --- ---- ---- Report Information --- --- ---
#
# Fields:    Total
# Symbols:   Disabled
# Sorting:   Descending Field 3
# Name:      UDP/TCP destination port
#
# Args:      flow-stat -f5 -S3
#
#
# port      flows                 octets                packets
#
56602       1                     828887562             1864449664

That is the update. I know it would be best to have a pcap of the data, but at
this time I have been unable to see this occurring again, and I have monitoring
on my NetFlow data to notify me of this traffic occurring again.

Also, I have checked the process tree and the log files looking for events of
interest, but at this time I have not been able to find any events of
interest or processes that do not belong.

Any advice would be great. I may just have to firewall it with our client's
permission and see what happens.

Dale
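The two flow-stat reports above are worth sanity-checking before acting on them: both protocol lines report 1864449664 packets, and dividing octets by packets gives about 2 bytes per packet for protocol 210 and under 1 byte per packet for UDP, which no IPv4 packet can be. The script below is an added example, not code from the thread or from flow-tools; it rebuilds a per-protocol summary like `flow-stat -f12` from a constructed CSV export (column names `prot`, `dpkts`, `doctets` are assumed, and the three rows are made up from the numbers in the reports, not a real capture) and flags the checks an analyst would want: protocol numbers missing from a small embedded table, averages below the 20-byte IPv4 header, and protocols with identical packet counts.

```python
"""Sanity-check NetFlow per-protocol totals before trusting them.

Added example, not part of the original mailing-list post. Assumes flow
records exported as CSV with the column names used below; the sample rows
are constructed from the figures quoted in the thread, not a real export.
"""
import csv
import io
from collections import defaultdict

# Constructed sample: one row per flow (dstaddr, dstport, prot, dpkts, doctets).
SAMPLE_FLOWS = """\
dstaddr,dstport,prot,dpkts,doctets
192.0.2.10,0,210,1864449664,3832009226
192.0.2.10,56602,17,1864449664,828887562
192.0.2.10,80,6,42,31337
"""

# Partial table of well-known IP protocol numbers (assumption: only the
# entries a router normally sees; consult the IANA registry for the rest).
KNOWN_PROTOCOLS = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP", 41: "IPv6",
                   47: "GRE", 50: "ESP", 51: "AH", 58: "ICMPv6", 89: "OSPF",
                   132: "SCTP"}

# An IPv4 packet is never shorter than its 20-byte header, so a per-protocol
# average below that means wrapped counters, truncation or a corrupt record.
MIN_IPV4_BYTES_PER_PACKET = 20


def summarise_by_protocol(csv_text):
    """Return {protocol: {"flows", "packets", "octets"}}, like flow-stat -f12."""
    totals = defaultdict(lambda: {"flows": 0, "packets": 0, "octets": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        entry = totals[int(row["prot"])]
        entry["flows"] += 1
        entry["packets"] += int(row["dpkts"])
        entry["octets"] += int(row["doctets"])
    return dict(totals)


def find_anomalies(totals):
    """List the things to check before acting on a per-protocol report."""
    findings = []
    for proto, entry in sorted(totals.items()):
        if proto not in KNOWN_PROTOCOLS:
            findings.append(f"proto {proto}: not in the embedded table; check IANA")
        if entry["packets"]:
            avg = entry["octets"] / entry["packets"]
            if avg < MIN_IPV4_BYTES_PER_PACKET:
                findings.append(f"proto {proto}: {avg:.2f} bytes/packet is impossible "
                                "for IPv4; suspect counter wrap or a corrupt record")
    # Identical packet counts under two protocols deserve a second look: the
    # same flows may have been exported twice with differing protocol fields.
    by_packets = defaultdict(list)
    for proto, entry in totals.items():
        by_packets[entry["packets"]].append(proto)
    for pkts, protos in by_packets.items():
        if len(protos) > 1:
            findings.append(f"protocols {sorted(protos)} report identical "
                            f"packet counts ({pkts})")
    return findings


if __name__ == "__main__":
    totals = summarise_by_protocol(SAMPLE_FLOWS)
    for proto, entry in sorted(totals.items(), key=lambda kv: kv[1]["octets"],
                               reverse=True):
        print(proto, entry)
    for finding in find_anomalies(totals):
        print("!", finding)
```

On the constructed rows this flags protocol 210 as unknown to the table, both protocol 210 and UDP as having impossible byte-per-packet averages, and the two as sharing a packet count. To get the pcap the thread asks for, the capture filter `ip proto 210` on tcpdump selects packets by IP protocol number rather than port, which is the distinction Jim raised.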


Which I looking on

On Mon, Jun 22, 2009 at 8:26 PM, Jim Halfpenny <jim.halfpenny at gmail.com> wrote:

I looked at this first, but then thought that Dale was referring to the IP
protocol type defined in the IP packet header and not the 210/8 IPv4
network. Perhaps Dale can clarify?

Jim

2009/6/22 Michael McGrew <mmcgrew1 at mail.csuchico.edu>

210. seems allocated to me.
http://www.iana.org/assignments/ipv4-address-space/ lists it as
allocated. Proven by some nmap pings,
nmap -sP -vvvv 210.214.208.0/24

Host segment-210-214-208-249.maa.sify.net (210.214.208.249) is up
(0.27s latency).
Host segment-210-214-208-250.maa.sify.net (210.214.208.250) is up
(0.27s latency).

So there are some boxes out there on 210. If you don't mind, what is
the full IP? Can you do some more research and find out what port it's
using? Or run some tcpdump against it.


On Sun, Jun 21, 2009 at 10:33 PM, Dale Stirling <dale at puredistortion.com> wrote:
Hi All,

I have a box that is routinely using in excess of 4GB a day in traffic in
from the internet.

I have identified that the traffic is coming to the box via an IP protocol
number I have never seen before: 210.

I have done some searching on the Internet and have only been able to find
that this number is in the unassigned block of protocol numbers with IANA. I
am stuck, so I thought I would throw it out to the smartest group of people
I know, the PDC mailing list (I heard flattery works well), to see if anyone
has seen this before.

Cheers,
Dale

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com



