Re: strange packets

[max <max () neuropunks org>]

224.0.0.0-239.255.255.255 are multicast addresses. That machine is
probably somehow misconfigured and is trying to talk to a multicast group,
to be more precise, is trying to join a multicast group. Might be a
software issue, if that machine is running something like cuseeme (or any
other real time conferencing software) software, that could explain it.

On Mon, 25 Jun 2001, Jason R. Seats wrote:

> I also posted on the ids list last week-
>
> I recently came across several packets resembling this while tcpdumping.
>
> 14:35:10.076207 0:50:8b:f0:13:15 1:0:5e:1:2:3 ip 116: 192.168.50.46.402
> > 225.1.2.3.402:  udp 74
>                          4500 0066 07df 0000 2011 bccd c0a8 322e
>                          e101 0203 0192 0192 0052 efee 5265 7175
>                          6573 743d 4765 7453 6572 7665 720a 4d41
>                          432d 4164 6472 6573 733d 3030 3530 3842
>                          4630 3133 3135 0a41 6464 6c2d 4d41 432d
>                          4164 6472 6573 733d 3030 3530 3842 4630
>                          3133 3135 0a00
>
> All the packets were 192.168.50.*:402 -> 225.1.2.3:402 
> and when decoding the contents they are carrying:
>
> > Request=GetServer
> > MAC-Address=00508BF01315
> > Addl-MAC-Address=00508BF01315
>
> If you notice, that is the MAC of the 192. machine that sent the
> packet.  There were no responses from the 225. addy, but several packets
> like this sent.
>
> Look familiar to anyone?
>
> Thanks in advance.
> -- 
> Jason Seats
> Information Security Software Engineer
> TechGuard Security
> jason.seats () techguardsecurity com
> www.techguardsecurity.com
> 636-519-4848


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com