========================================================
UDP Payload Analysis of UDP packets with source port 770
(Initial Findings)

Author: Byrne Ghavalas
Date  : 01 March 2002
========================================================

Believe UDP Payload provides details for the response packet, and
carries the 'command / exploit' in the final packet during an exchange.
Requires further investigation.

Initial findings indicate that this is some form of DDoS or Worm that
attacks UDP 138 (NBDatagram Server).

RAW PACKET:

0000 ff ff ff ff ff ff aa 00 04 00 3e 28 08 00 45 00 ..........>(..E.
0010 00 38 68 68 00 00 80 11 6f 7a ac 16 0a a6 ac 16 .8hh....oz......
0020 ff ff 03 02 cc 03 00 00 00 00 45 00 00 38 68 67 ..........E..8hg
0030 00 00 80 11 0b 00 ac 16 ff ff ac 16 0a a6 03 02 ................
0040 92 73 00 00 00 00 .s....

Notes:
1. Numbered the offsets from 1 - 16
2. Packet is an IP packet sniffed from Ethernet Network
   (Ethernet II Encapsulation)

0020:11 --> Same as IP Header Length (0000:15)
    Value: 0x45 (20 bytes)
    Use  : IP Header length for response packet

0020:12 --> Same as IP Differentiated Services Field (0000:16)
    Value: 0x00
    Use  : Differentiated Services Field for response packet

0020:13-14 --> Same as IP Total Length (0010:1-2)
    Value: 56
    Use  : IP Total Length for response packet

0020:15-16 --> One less than IP Identification (0010:3-4)
    Value: 0x6867
    Use  : IP identification for response packet

0030:1-2 --> Same as IP Fragment Offset (0010:5-6)
    Value: 0
    Use  : Fragment Offset for response packet

0030:3 --> Same as IP TTL (0010:7)
    Value: 128
    Use  : IP TTL for response packet

0030:4 --> Same as IP Protocol (0010:8)
    Value: UDP (0x11)
    Use  : IP Protocol for response packet

0030:5-6 --> Always the same value
    Value: 0x0b00
    Use  : Unknown

0030:7-10 --> Same as IP Destination (0010:15-16,0020:1-2)
    Value: 172.22.255.255
    Use  : Source Address for response packet

0030:11-14 --> Same as IP Source (0010:11-14)
    Value: 172.22.10.166
    Use  : Destination Address for response packet
0030:15-16 --> Same as UDP Source Port (0020:3-4)
    Value: 770
    Use  : Source Port of response packet. Always has a value of 138
           (NBDatagram Server) for the final packet of the exchange.

0040:1-2 --> Destination Port
    Value: 37491
    Use  : Destination port for response packet. Increased by 1 each
           time except for final packet of the exchange which always
           has a value of 138 (NBDatagram Server).

0040:3-6 --> Unknown
    Value: 0 (except for last packet which changes)
    Use  : Unknown - Possibly the command?

In the Exchange, there are always 5 pairs of packets.

The final packet of the Exchange will always have 0040:1-2 --> 00 8a (138).
This is the NetBios Datagram Server on MS machines.
Suspect DoS attack against port 138.

========================================================
Sample of Packets from Original Capture
Frames 105-114 and 125-133
========================================================
Frame 105 (70 on wire, 70 captured)
    Arrival Time: Feb 20, 2002 12:51:44.621106000
    Time delta from previous packet: 0.265430000 seconds
    Time relative to first packet: 36.011174000 seconds
    Frame Number: 105
    Packet Length: 70 bytes
    Capture Length: 70 bytes
Ethernet II
    Destination: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
    Source: aa:00:04:00:3e:28 (aa:00:04:00:3e:28)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 172.22.10.166 (172.22.10.166), Dst Addr: 172.22.255.255 (172.22.255.255)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 56
    Identification: 0x6868
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: UDP (0x11)
    Header checksum: 0x6f7a (correct)
    Source: 172.22.10.166 (172.22.10.166)
    Destination: 172.22.255.255 (172.22.255.255)
User Datagram Protocol, Src Port: 770 (770), Dst Port: 52227 (52227)
    Source port: 770 (770)
    Destination port: 52227 (52227)
    Length: 0
    Checksum: 0x0000 (none)
Data (28 bytes)

0000 ff ff ff ff ff ff aa 00 04 00 3e 28 08 00 45 00 ..........>(..E.
0010 00 38 68 68 00 00 80 11 6f 7a ac 16 0a a6 ac 16 .8hh....oz......
0020 ff ff 03 02 cc 03 00 00 00 00 45 00 00 38 68 67 ..........E..8hg
0030 00 00 80 11 0b 00 ac 16 ff ff ac 16 0a a6 03 02 ................
0040 92 73 00 00 00 00 .s....
========================================================
Frame 106 (70 on wire, 70 captured)
    Arrival Time: Feb 20, 2002 12:51:44.621113000
    Time delta from previous packet: 0.000007000 seconds
    Time relative to first packet: 36.011181000 seconds
    Frame Number: 106
    Packet Length: 70 bytes
    Capture Length: 70 bytes
Ethernet II
    Destination: aa:00:04:00:3e:28 (aa:00:04:00:3e:28)
    Source: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 172.22.255.255 (172.22.255.255), Dst Addr: 172.22.10.166 (172.22.10.166)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 56
    Identification: 0x6867
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: UDP (0x11)
    Header checksum: 0x6f7b (correct)
    Source: 172.22.255.255 (172.22.255.255)
    Destination: 172.22.10.166 (172.22.10.166)
User Datagram Protocol, Src Port: 770 (770), Dst Port: 37491 (37491)
    Source port: 770 (770)
    Destination port: 37491 (37491)
    Length: 0
    Checksum: 0x0000 (none)
Data (28 bytes)

0000 aa 00 04 00 3e 28 ff ff ff ff ff ff 08 00 45 00 ....>(........E.
0010 00 38 68 67 00 00 80 11 6f 7b ac 16 ff ff ac 16 .8hg....o{......
0020 0a a6 03 02 92 73 00 00 00 00 45 00 00 38 68 66 .....s....E..8hf
0030 00 00 80 11 0b 00 ac 16 0a a6 ac 16 ff ff 03 02 ................
0040 cc 04 00 00 00 00 ......
========================================================
Frame 107 (70 on wire, 70 captured)
    Arrival Time: Feb 20, 2002 12:51:44.621116000
    Time delta from previous packet: 0.000003000 seconds
    Time relative to first packet: 36.011184000 seconds
    Frame Number: 107
    Packet Length: 70 bytes
    Capture Length: 70 bytes
Ethernet II
    Destination: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
    Source: aa:00:04:00:3e:28 (aa:00:04:00:3e:28)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 172.22.10.166 (172.22.10.166), Dst Addr: 172.22.255.255 (172.22.255.255)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 56
    Identification: 0x6866
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: UDP (0x11)
    Header checksum: 0x6f7c (correct)
    Source: 172.22.10.166 (172.22.10.166)
    Destination: 172.22.255.255 (172.22.255.255)
User Datagram Protocol, Src Port: 770 (770), Dst Port: 52228 (52228)
    Source port: 770 (770)
    Destination port: 52228 (52228)
    Length: 0
    Checksum: 0x0000 (none)
Data (28 bytes)

0000 ff ff ff ff ff ff aa 00 04 00 3e 28 08 00 45 00 ..........>(..E.
0010 00 38 68 66 00 00 80 11 6f 7c ac 16 0a a6 ac 16 .8hf....o|......
0020 ff ff 03 02 cc 04 00 00 00 00 45 00 00 38 68 65 ..........E..8he
0030 00 00 80 11 0b 00 ac 16 ff ff ac 16 0a a6 03 02 ................
0040 92 74 00 00 00 00 .t....
========================================================
Frame 108 (70 on wire, 70 captured)
    Arrival Time: Feb 20, 2002 12:51:44.621124000
    Time delta from previous packet: 0.000008000 seconds
    Time relative to first packet: 36.011192000 seconds
    Frame Number: 108
    Packet Length: 70 bytes
    Capture Length: 70 bytes
Ethernet II
    Destination: aa:00:04:00:3e:28 (aa:00:04:00:3e:28)
    Source: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 172.22.255.255 (172.22.255.255), Dst Addr: 172.22.10.166 (172.22.10.166)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 56
    Identification: 0x6865
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: UDP (0x11)
    Header checksum: 0x6f7d (correct)
    Source: 172.22.255.255 (172.22.255.255)
    Destination: 172.22.10.166 (172.22.10.166)
User Datagram Protocol, Src Port: 770 (770), Dst Port: 37492 (37492)
    Source port: 770 (770)
    Destination port: 37492 (37492)
    Length: 0
    Checksum: 0x0000 (none)
Data (28 bytes)

0000 aa 00 04 00 3e 28 ff ff ff ff ff ff 08 00 45 00 ....>(........E.
0010 00 38 68 65 00 00 80 11 6f 7d ac 16 ff ff ac 16 .8he....o}......
0020 0a a6 03 02 92 74 00 00 00 00 45 00 00 38 68 64 .....t....E..8hd
0030 00 00 80 11 0b 00 ac 16 0a a6 ac 16 ff ff 03 02 ................
0040 cc 05 00 00 00 00 ......
========================================================
Frame 109 (70 on wire, 70 captured)
    Arrival Time: Feb 20, 2002 12:51:44.621153000
    Time delta from previous packet: 0.000029000 seconds
    Time relative to first packet: 36.011221000 seconds
    Frame Number: 109
    Packet Length: 70 bytes
    Capture Length: 70 bytes
Ethernet II
    Destination: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
    Source: aa:00:04:00:3e:28 (aa:00:04:00:3e:28)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 172.22.10.166 (172.22.10.166), Dst Addr: 172.22.255.255 (172.22.255.255)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 56
    Identification: 0x6864
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: UDP (0x11)
    Header checksum: 0x6f7e (correct)
    Source: 172.22.10.166 (172.22.10.166)
    Destination: 172.22.255.255 (172.22.255.255)
User Datagram Protocol, Src Port: 770 (770), Dst Port: 52229 (52229)
    Source port: 770 (770)
    Destination port: 52229 (52229)
    Length: 0
    Checksum: 0x0000 (none)
Data (28 bytes)

0000 ff ff ff ff ff ff aa 00 04 00 3e 28 08 00 45 00 ..........>(..E.
0010 00 38 68 64 00 00 80 11 6f 7e ac 16 0a a6 ac 16 .8hd....o~......
0020 ff ff 03 02 cc 05 00 00 00 00 45 00 00 38 68 63 ..........E..8hc
0030 00 00 80 11 0b 00 ac 16 ff ff ac 16 0a a6 03 02 ................
0040 92 75 00 00 00 00 .u....
========================================================
Frame 110 (70 on wire, 70 captured)
    Arrival Time: Feb 20, 2002 12:51:44.621158000
    Time delta from previous packet: 0.000005000 seconds
    Time relative to first packet: 36.011226000 seconds
    Frame Number: 110
    Packet Length: 70 bytes
    Capture Length: 70 bytes
Ethernet II
    Destination: aa:00:04:00:3e:28 (aa:00:04:00:3e:28)
    Source: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 172.22.255.255 (172.22.255.255), Dst Addr: 172.22.10.166 (172.22.10.166)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 56
    Identification: 0x6863
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: UDP (0x11)
    Header checksum: 0x6f7f (correct)
    Source: 172.22.255.255 (172.22.255.255)
    Destination: 172.22.10.166 (172.22.10.166)
User Datagram Protocol, Src Port: 770 (770), Dst Port: 37493 (37493)
    Source port: 770 (770)
    Destination port: 37493 (37493)
    Length: 0
    Checksum: 0x0000 (none)
Data (28 bytes)

0000 aa 00 04 00 3e 28 ff ff ff ff ff ff 08 00 45 00 ....>(........E.
0010 00 38 68 63 00 00 80 11 6f 7f ac 16 ff ff ac 16 .8hc....o.......
0020 0a a6 03 02 92 75 00 00 00 00 45 00 00 38 68 62 .....u....E..8hb
0030 00 00 80 11 0b 00 ac 16 0a a6 ac 16 ff ff 03 02 ................
0040 cc 06 00 00 00 00 ......
========================================================
Frame 111 (70 on wire, 70 captured)
    Arrival Time: Feb 20, 2002 12:51:44.621162000
    Time delta from previous packet: 0.000004000 seconds
    Time relative to first packet: 36.011230000 seconds
    Frame Number: 111
    Packet Length: 70 bytes
    Capture Length: 70 bytes
Ethernet II
    Destination: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
    Source: aa:00:04:00:3e:28 (aa:00:04:00:3e:28)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 172.22.10.166 (172.22.10.166), Dst Addr: 172.22.255.255 (172.22.255.255)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 56
    Identification: 0x6862
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: UDP (0x11)
    Header checksum: 0x6f80 (correct)
    Source: 172.22.10.166 (172.22.10.166)
    Destination: 172.22.255.255 (172.22.255.255)
User Datagram Protocol, Src Port: 770 (770), Dst Port: 52230 (52230)
    Source port: 770 (770)
    Destination port: 52230 (52230)
    Length: 0
    Checksum: 0x0000 (none)
Data (28 bytes)

0000 ff ff ff ff ff ff aa 00 04 00 3e 28 08 00 45 00 ..........>(..E.
0010 00 38 68 62 00 00 80 11 6f 80 ac 16 0a a6 ac 16 .8hb....o.......
0020 ff ff 03 02 cc 06 00 00 00 00 45 00 00 38 68 61 ..........E..8ha
0030 00 00 80 11 0b 00 ac 16 ff ff ac 16 0a a6 03 02 ................
0040 92 76 00 00 00 00 .v....
========================================================
Frame 112 (70 on wire, 70 captured)
    Arrival Time: Feb 20, 2002 12:51:44.621172000
    Time delta from previous packet: 0.000010000 seconds
    Time relative to first packet: 36.011240000 seconds
    Frame Number: 112
    Packet Length: 70 bytes
    Capture Length: 70 bytes
Ethernet II
    Destination: aa:00:04:00:3e:28 (aa:00:04:00:3e:28)
    Source: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 172.22.255.255 (172.22.255.255), Dst Addr: 172.22.10.166 (172.22.10.166)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 56
    Identification: 0x6861
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: UDP (0x11)
    Header checksum: 0x6f81 (correct)
    Source: 172.22.255.255 (172.22.255.255)
    Destination: 172.22.10.166 (172.22.10.166)
User Datagram Protocol, Src Port: 770 (770), Dst Port: 37494 (37494)
    Source port: 770 (770)
    Destination port: 37494 (37494)
    Length: 0
    Checksum: 0x0000 (none)
Data (28 bytes)

0000 aa 00 04 00 3e 28 ff ff ff ff ff ff 08 00 45 00 ....>(........E.
0010 00 38 68 61 00 00 80 11 6f 81 ac 16 ff ff ac 16 .8ha....o.......
0020 0a a6 03 02 92 76 00 00 00 00 45 00 00 38 68 60 .....v....E..8h`
0030 00 00 80 11 0b 00 ac 16 0a a6 ac 16 ff ff 03 02 ................
0040 cc 07 00 00 00 00 ......
========================================================
Frame 113 (70 on wire, 70 captured)
    Arrival Time: Feb 20, 2002 12:51:44.621176000
    Time delta from previous packet: 0.000004000 seconds
    Time relative to first packet: 36.011244000 seconds
    Frame Number: 113
    Packet Length: 70 bytes
    Capture Length: 70 bytes
Ethernet II
    Destination: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
    Source: aa:00:04:00:3e:28 (aa:00:04:00:3e:28)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 172.22.10.166 (172.22.10.166), Dst Addr: 172.22.255.255 (172.22.255.255)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 56
    Identification: 0x6860
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: UDP (0x11)
    Header checksum: 0x6f82 (correct)
    Source: 172.22.10.166 (172.22.10.166)
    Destination: 172.22.255.255 (172.22.255.255)
User Datagram Protocol, Src Port: 770 (770), Dst Port: 52231 (52231)
    Source port: 770 (770)
    Destination port: 52231 (52231)
    Length: 0
    Checksum: 0x0000 (none)
Data (28 bytes)

0000 ff ff ff ff ff ff aa 00 04 00 3e 28 08 00 45 00 ..........>(..E.
0010 00 38 68 60 00 00 80 11 6f 82 ac 16 0a a6 ac 16 .8h`....o.......
0020 ff ff 03 02 cc 07 00 00 00 00 45 00 00 38 68 5f ..........E..8h_
0030 00 00 80 11 0b 00 ac 16 ff ff ac 16 0a a6 03 02 ................
0040 92 77 00 00 00 00 .w....
========================================================
Frame 114 (70 on wire, 70 captured)
    Arrival Time: Feb 20, 2002 12:51:44.621180000
    Time delta from previous packet: 0.000004000 seconds
    Time relative to first packet: 36.011248000 seconds
    Frame Number: 114
    Packet Length: 70 bytes
    Capture Length: 70 bytes
Ethernet II
    Destination: aa:00:04:00:3e:28 (aa:00:04:00:3e:28)
    Source: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 172.22.255.255 (172.22.255.255), Dst Addr: 172.22.10.166 (172.22.10.166)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 56
    Identification: 0x685f
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: UDP (0x11)
    Header checksum: 0x6f83 (correct)
    Source: 172.22.255.255 (172.22.255.255)
    Destination: 172.22.10.166 (172.22.10.166)
User Datagram Protocol, Src Port: 770 (770), Dst Port: 37495 (37495)
    Source port: 770 (770)
    Destination port: 37495 (37495)
    Length: 0
    Checksum: 0x0000 (none)
Data (28 bytes)

0000 aa 00 04 00 3e 28 ff ff ff ff ff ff 08 00 45 00 ....>(........E.
0010 00 38 68 5f 00 00 80 11 6f 83 ac 16 ff ff ac 16 .8h_....o.......
0020 0a a6 03 02 92 77 00 00 00 00 45 00 01 0f 68 5e .....w....E...h^
0030 00 00 80 11 0b 00 ac 16 0a a6 ac 16 ff ff 00 8a ................
0040 00 8a 00 fb cc 24 .....$
========================================================
Next Session - Frames 125-133
========================================================
Frame 125 (70 on wire, 70 captured)
    Arrival Time: Feb 20, 2002 12:51:45.369462000
    Time delta from previous packet: 0.514082000 seconds
    Time relative to first packet: 36.759530000 seconds
    Frame Number: 125
    Packet Length: 70 bytes
    Capture Length: 70 bytes
Ethernet II
    Destination: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
    Source: aa:00:04:00:43:28 (aa:00:04:00:43:28)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 172.22.10.180 (172.22.10.180), Dst Addr: 172.22.255.255 (172.22.255.255)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 56
    Identification: 0x3952
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: UDP (0x11)
    Header checksum: 0x9e82 (correct)
    Source: 172.22.10.180 (172.22.10.180)
    Destination: 172.22.255.255 (172.22.255.255)
User Datagram Protocol, Src Port: 770 (770), Dst Port: 50664 (50664)
    Source port: 770 (770)
    Destination port: 50664 (50664)
    Length: 0
    Checksum: 0x0000 (none)
Data (28 bytes)

0000 ff ff ff ff ff ff aa 00 04 00 43 28 08 00 45 00 ..........C(..E.
0010 00 38 39 52 00 00 80 11 9e 82 ac 16 0a b4 ac 16 .89R............
0020 ff ff 03 02 c5 e8 00 00 00 00 45 00 00 38 39 51 ..........E..89Q
0030 00 00 80 11 0b 00 ac 16 ff ff ac 16 0a b4 03 02 ................
0040 c7 96 00 00 00 00 ......
========================================================
Frame 126 (70 on wire, 70 captured)
    Arrival Time: Feb 20, 2002 12:51:45.369468000
    Time delta from previous packet: 0.000006000 seconds
    Time relative to first packet: 36.759536000 seconds
    Frame Number: 126
    Packet Length: 70 bytes
    Capture Length: 70 bytes
Ethernet II
    Destination: aa:00:04:00:43:28 (aa:00:04:00:43:28)
    Source: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 172.22.255.255 (172.22.255.255), Dst Addr: 172.22.10.180 (172.22.10.180)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 56
    Identification: 0x3951
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: UDP (0x11)
    Header checksum: 0x9e83 (correct)
    Source: 172.22.255.255 (172.22.255.255)
    Destination: 172.22.10.180 (172.22.10.180)
User Datagram Protocol, Src Port: 770 (770), Dst Port: 51094 (51094)
    Source port: 770 (770)
    Destination port: 51094 (51094)
    Length: 0
    Checksum: 0x0000 (none)
Data (28 bytes)

0000 aa 00 04 00 43 28 ff ff ff ff ff ff 08 00 45 00 ....C(........E.
0010 00 38 39 51 00 00 80 11 9e 83 ac 16 ff ff ac 16 .89Q............
0020 0a b4 03 02 c7 96 00 00 00 00 45 00 00 38 39 50 ..........E..89P
0030 00 00 80 11 0b 00 ac 16 0a b4 ac 16 ff ff 03 02 ................
0040 c5 e9 00 00 00 00 ......
========================================================
Frame 127 (70 on wire, 70 captured)
    Arrival Time: Feb 20, 2002 12:51:45.369477000
    Time delta from previous packet: 0.000009000 seconds
    Time relative to first packet: 36.759545000 seconds
    Frame Number: 127
    Packet Length: 70 bytes
    Capture Length: 70 bytes
Ethernet II
    Destination: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
    Source: aa:00:04:00:43:28 (aa:00:04:00:43:28)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 172.22.10.180 (172.22.10.180), Dst Addr: 172.22.255.255 (172.22.255.255)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 56
    Identification: 0x3950
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: UDP (0x11)
    Header checksum: 0x9e84 (correct)
    Source: 172.22.10.180 (172.22.10.180)
    Destination: 172.22.255.255 (172.22.255.255)
User Datagram Protocol, Src Port: 770 (770), Dst Port: 50665 (50665)
    Source port: 770 (770)
    Destination port: 50665 (50665)
    Length: 0
    Checksum: 0x0000 (none)
Data (28 bytes)

0000 ff ff ff ff ff ff aa 00 04 00 43 28 08 00 45 00 ..........C(..E.
0010 00 38 39 50 00 00 80 11 9e 84 ac 16 0a b4 ac 16 .89P............
0020 ff ff 03 02 c5 e9 00 00 00 00 45 00 00 38 39 4f ..........E..89O
0030 00 00 80 11 0b 00 ac 16 ff ff ac 16 0a b4 03 02 ................
0040 c7 97 00 00 00 00 ......
========================================================
Frame 128 (70 on wire, 70 captured)
    Arrival Time: Feb 20, 2002 12:51:45.369482000
    Time delta from previous packet: 0.000005000 seconds
    Time relative to first packet: 36.759550000 seconds
    Frame Number: 128
    Packet Length: 70 bytes
    Capture Length: 70 bytes
Ethernet II
    Destination: aa:00:04:00:43:28 (aa:00:04:00:43:28)
    Source: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 172.22.255.255 (172.22.255.255), Dst Addr: 172.22.10.180 (172.22.10.180)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 56
    Identification: 0x394f
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: UDP (0x11)
    Header checksum: 0x9e85 (correct)
    Source: 172.22.255.255 (172.22.255.255)
    Destination: 172.22.10.180 (172.22.10.180)
User Datagram Protocol, Src Port: 770 (770), Dst Port: 51095 (51095)
    Source port: 770 (770)
    Destination port: 51095 (51095)
    Length: 0
    Checksum: 0x0000 (none)
Data (28 bytes)

0000 aa 00 04 00 43 28 ff ff ff ff ff ff 08 00 45 00 ....C(........E.
0010 00 38 39 4f 00 00 80 11 9e 85 ac 16 ff ff ac 16 .89O............
0020 0a b4 03 02 c7 97 00 00 00 00 45 00 00 38 39 4e ..........E..89N
0030 00 00 80 11 0b 00 ac 16 0a b4 ac 16 ff ff 03 02 ................
0040 c5 ea 00 00 00 00 ......
========================================================
Frame 129 (70 on wire, 70 captured)
    Arrival Time: Feb 20, 2002 12:51:45.369512000
    Time delta from previous packet: 0.000030000 seconds
    Time relative to first packet: 36.759580000 seconds
    Frame Number: 129
    Packet Length: 70 bytes
    Capture Length: 70 bytes
Ethernet II
    Destination: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
    Source: aa:00:04:00:43:28 (aa:00:04:00:43:28)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 172.22.10.180 (172.22.10.180), Dst Addr: 172.22.255.255 (172.22.255.255)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 56
    Identification: 0x394e
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: UDP (0x11)
    Header checksum: 0x9e86 (correct)
    Source: 172.22.10.180 (172.22.10.180)
    Destination: 172.22.255.255 (172.22.255.255)
User Datagram Protocol, Src Port: 770 (770), Dst Port: 50666 (50666)
    Source port: 770 (770)
    Destination port: 50666 (50666)
    Length: 0
    Checksum: 0x0000 (none)
Data (28 bytes)

0000 ff ff ff ff ff ff aa 00 04 00 43 28 08 00 45 00 ..........C(..E.
0010 00 38 39 4e 00 00 80 11 9e 86 ac 16 0a b4 ac 16 .89N............
0020 ff ff 03 02 c5 ea 00 00 00 00 45 00 00 38 39 4d ..........E..89M
0030 00 00 80 11 0b 00 ac 16 ff ff ac 16 0a b4 03 02 ................
0040 c7 98 00 00 00 00 ......
========================================================
Frame 130 (70 on wire, 70 captured)
    Arrival Time: Feb 20, 2002 12:51:45.369517000
    Time delta from previous packet: 0.000005000 seconds
    Time relative to first packet: 36.759585000 seconds
    Frame Number: 130
    Packet Length: 70 bytes
    Capture Length: 70 bytes
Ethernet II
    Destination: aa:00:04:00:43:28 (aa:00:04:00:43:28)
    Source: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 172.22.255.255 (172.22.255.255), Dst Addr: 172.22.10.180 (172.22.10.180)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 56
    Identification: 0x394d
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: UDP (0x11)
    Header checksum: 0x9e87 (correct)
    Source: 172.22.255.255 (172.22.255.255)
    Destination: 172.22.10.180 (172.22.10.180)
User Datagram Protocol, Src Port: 770 (770), Dst Port: 51096 (51096)
    Source port: 770 (770)
    Destination port: 51096 (51096)
    Length: 0
    Checksum: 0x0000 (none)
Data (28 bytes)

0000 aa 00 04 00 43 28 ff ff ff ff ff ff 08 00 45 00 ....C(........E.
0010 00 38 39 4d 00 00 80 11 9e 87 ac 16 ff ff ac 16 .89M............
0020 0a b4 03 02 c7 98 00 00 00 00 45 00 00 38 39 4c ..........E..89L
0030 00 00 80 11 0b 00 ac 16 0a b4 ac 16 ff ff 03 02 ................
0040 c5 eb 00 00 00 00 ......
========================================================
Frame 131 (70 on wire, 70 captured)
    Arrival Time: Feb 20, 2002 12:51:45.369521000
    Time delta from previous packet: 0.000004000 seconds
    Time relative to first packet: 36.759589000 seconds
    Frame Number: 131
    Packet Length: 70 bytes
    Capture Length: 70 bytes
Ethernet II
    Destination: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
    Source: aa:00:04:00:43:28 (aa:00:04:00:43:28)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 172.22.10.180 (172.22.10.180), Dst Addr: 172.22.255.255 (172.22.255.255)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 56
    Identification: 0x394c
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: UDP (0x11)
    Header checksum: 0x9e88 (correct)
    Source: 172.22.10.180 (172.22.10.180)
    Destination: 172.22.255.255 (172.22.255.255)
User Datagram Protocol, Src Port: 770 (770), Dst Port: 50667 (50667)
    Source port: 770 (770)
    Destination port: 50667 (50667)
    Length: 0
    Checksum: 0x0000 (none)
Data (28 bytes)

0000 ff ff ff ff ff ff aa 00 04 00 43 28 08 00 45 00 ..........C(..E.
0010 00 38 39 4c 00 00 80 11 9e 88 ac 16 0a b4 ac 16 .89L............
0020 ff ff 03 02 c5 eb 00 00 00 00 45 00 00 38 39 4b ..........E..89K
0030 00 00 80 11 0b 00 ac 16 ff ff ac 16 0a b4 03 02 ................
0040 c7 99 00 00 00 00 ......
========================================================
Frame 132 (70 on wire, 70 captured)
    Arrival Time: Feb 20, 2002 12:51:45.369525000
    Time delta from previous packet: 0.000004000 seconds
    Time relative to first packet: 36.759593000 seconds
    Frame Number: 132
    Packet Length: 70 bytes
    Capture Length: 70 bytes
Ethernet II
    Destination: aa:00:04:00:43:28 (aa:00:04:00:43:28)
    Source: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 172.22.255.255 (172.22.255.255), Dst Addr: 172.22.10.180 (172.22.10.180)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 56
    Identification: 0x394b
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: UDP (0x11)
    Header checksum: 0x9e89 (correct)
    Source: 172.22.255.255 (172.22.255.255)
    Destination: 172.22.10.180 (172.22.10.180)
User Datagram Protocol, Src Port: 770 (770), Dst Port: 51097 (51097)
    Source port: 770 (770)
    Destination port: 51097 (51097)
    Length: 0
    Checksum: 0x0000 (none)
Data (28 bytes)

0000 aa 00 04 00 43 28 ff ff ff ff ff ff 08 00 45 00 ....C(........E.
0010 00 38 39 4b 00 00 80 11 9e 89 ac 16 ff ff ac 16 .89K............
0020 0a b4 03 02 c7 99 00 00 00 00 45 00 00 38 39 4a ..........E..89J
0030 00 00 80 11 0b 00 ac 16 0a b4 ac 16 ff ff 03 02 ................
0040 c5 ec 00 00 00 00 ......
========================================================
Frame 133 (70 on wire, 70 captured)
    Arrival Time: Feb 20, 2002 12:51:45.369532000
    Time delta from previous packet: 0.000007000 seconds
    Time relative to first packet: 36.759600000 seconds
    Frame Number: 133
    Packet Length: 70 bytes
    Capture Length: 70 bytes
Ethernet II
    Destination: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
    Source: aa:00:04:00:43:28 (aa:00:04:00:43:28)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 172.22.10.180 (172.22.10.180), Dst Addr: 172.22.255.255 (172.22.255.255)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 56
    Identification: 0x394a
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: UDP (0x11)
    Header checksum: 0x9e8a (correct)
    Source: 172.22.10.180 (172.22.10.180)
    Destination: 172.22.255.255 (172.22.255.255)
User Datagram Protocol, Src Port: 770 (770), Dst Port: 50668 (50668)
    Source port: 770 (770)
    Destination port: 50668 (50668)
    Length: 0
    Checksum: 0x0000 (none)
Data (28 bytes)

0000 ff ff ff ff ff ff aa 00 04 00 43 28 08 00 45 00 ..........C(..E.
0010 00 38 39 4a 00 00 80 11 9e 8a ac 16 0a b4 ac 16 .89J............
0020 ff ff 03 02 c5 ec 00 00 00 00 45 00 00 38 39 49 ..........E..89I
0030 00 00 80 11 0b 00 ac 16 ff ff ac 16 0a b4 03 02 ................
0040 c7 9a 00 00 00 00 ......
========================================================
Frame 134 (70 on wire, 70 captured)
    Arrival Time: Feb 20, 2002 12:51:45.369537000
    Time delta from previous packet: 0.000005000 seconds
    Time relative to first packet: 36.759605000 seconds
    Frame Number: 134
    Packet Length: 70 bytes
    Capture Length: 70 bytes
Ethernet II
    Destination: aa:00:04:00:43:28 (aa:00:04:00:43:28)
    Source: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 172.22.255.255 (172.22.255.255), Dst Addr: 172.22.10.180 (172.22.10.180)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 56
    Identification: 0x3949
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: UDP (0x11)
    Header checksum: 0x9e8b (correct)
    Source: 172.22.255.255 (172.22.255.255)
    Destination: 172.22.10.180 (172.22.10.180)
User Datagram Protocol, Src Port: 770 (770), Dst Port: 51098 (51098)
    Source port: 770 (770)
    Destination port: 51098 (51098)
    Length: 0
    Checksum: 0x0000 (none)
Data (28 bytes)

0000 aa 00 04 00 43 28 ff ff ff ff ff ff 08 00 45 00 ....C(........E.
0010 00 38 39 49 00 00 80 11 9e 8b ac 16 ff ff ac 16 .89I............
0020 0a b4 03 02 c7 9a 00 00 00 00 45 00 01 06 39 48 ..........E...9H
0030 00 00 80 11 0b 00 ac 16 0a b4 ac 16 ff ff 00 8a ................
0040 00 8a 00 f2 c6 1b ......
========================================================
End of Sample
========================================================
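
Added example (not part of the original analysis): a Python decoder for the 28-byte payload that tests the field relations listed in the notes against frames 105, 106 and 114 from this capture. The function and field names are this example's own, and reading the last four payload bytes at the positions of a UDP length and checksum is an assumption.

```python
import struct
from ipaddress import IPv4Address

ETH_LEN, IP_LEN, UDP_LEN = 14, 20, 8
NB_DGRAM_PORT = 138  # NetBIOS Datagram Service, the port named in the findings

# Frames 105, 106 and 114 exactly as printed in the capture on this page.
FRAME_105 = bytes.fromhex("""
    ff ff ff ff ff ff aa 00 04 00 3e 28 08 00 45 00
    00 38 68 68 00 00 80 11 6f 7a ac 16 0a a6 ac 16
    ff ff 03 02 cc 03 00 00 00 00 45 00 00 38 68 67
    00 00 80 11 0b 00 ac 16 ff ff ac 16 0a a6 03 02
    92 73 00 00 00 00""")
FRAME_106 = bytes.fromhex("""
    aa 00 04 00 3e 28 ff ff ff ff ff ff 08 00 45 00
    00 38 68 67 00 00 80 11 6f 7b ac 16 ff ff ac 16
    0a a6 03 02 92 73 00 00 00 00 45 00 00 38 68 66
    00 00 80 11 0b 00 ac 16 0a a6 ac 16 ff ff 03 02
    cc 04 00 00 00 00""")
FRAME_114 = bytes.fromhex("""
    aa 00 04 00 3e 28 ff ff ff ff ff ff 08 00 45 00
    00 38 68 5f 00 00 80 11 6f 83 ac 16 ff ff ac 16
    0a a6 03 02 92 77 00 00 00 00 45 00 01 0f 68 5e
    00 00 80 11 0b 00 ac 16 0a a6 ac 16 ff ff 00 8a
    00 8a 00 fb cc 24""")

FIELDS = ("vihl", "tos", "total_len", "ident", "frag", "ttl", "proto",
          "cksum", "src", "dst", "sport", "dport", "udp_word1", "udp_word2")
# Fields the notes say the payload supplies for the response packet.
RESPONSE_FIELDS = ("vihl", "tos", "total_len", "ident", "frag", "ttl",
                   "proto", "src", "dst", "sport", "dport")


def parse_ip_udp(buf):
    """Decode 28 bytes laid out as an option-less IPv4 header plus 8 more bytes.

    Assumption: the last 8 bytes are read with UDP header layout, so
    udp_word1 / udp_word2 sit where UDP length and checksum would be.
    """
    if len(buf) != IP_LEN + UDP_LEN:
        raise ValueError("expected exactly 28 bytes, got %d" % len(buf))
    rec = dict(zip(FIELDS, struct.unpack("!BBHHHBBH4s4sHHHH", buf)))
    rec["src"] = str(IPv4Address(rec["src"]))
    rec["dst"] = str(IPv4Address(rec["dst"]))
    return rec


def parse_frame(frame):
    """Return (outer, embedded) header dicts for one Ethernet II frame."""
    split = ETH_LEN + IP_LEN + UDP_LEN
    if len(frame) < split:
        raise ValueError("frame too short")
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not IPv4 over Ethernet II")
    if frame[ETH_LEN] != 0x45 or frame[ETH_LEN + 9] != 17:
        raise ValueError("need option-less IPv4 carrying UDP")
    return parse_ip_udp(frame[ETH_LEN:split]), parse_ip_udp(frame[split:])


def deviations(frame):
    """Names of the relations from the notes that do NOT hold for this frame."""
    outer, emb = parse_frame(frame)
    checks = {
        "vihl": emb["vihl"] == outer["vihl"],
        "tos": emb["tos"] == outer["tos"],
        "total_len": emb["total_len"] == outer["total_len"],
        "ident": emb["ident"] == (outer["ident"] - 1) & 0xFFFF,
        "frag": emb["frag"] == outer["frag"],
        "ttl": emb["ttl"] == outer["ttl"],
        "proto": emb["proto"] == outer["proto"],
        "const_0b00": emb["cksum"] == 0x0B00,   # offsets 0030:5-6 in the notes
        "src": emb["src"] == outer["dst"],      # addresses are swapped
        "dst": emb["dst"] == outer["src"],
        "sport": emb["sport"] == outer["sport"],
    }
    return [name for name, ok in checks.items() if not ok]


def describes_next(frame, next_frame):
    """True if the payload of `frame` matches the real headers of `next_frame`."""
    _, emb = parse_frame(frame)
    nxt, _ = parse_frame(next_frame)
    return all(emb[f] == nxt[f] for f in RESPONSE_FIELDS)


def is_final(frame):
    """True if the payload names port 138 as both source and destination."""
    _, emb = parse_frame(frame)
    return emb["sport"] == NB_DGRAM_PORT and emb["dport"] == NB_DGRAM_PORT


if __name__ == "__main__":
    print("105 describes 106:", describes_next(FRAME_105, FRAME_106))
    for name, frame in (("105", FRAME_105), ("114", FRAME_114)):
        emb = parse_frame(frame)[1]
        print(name, "final:", is_final(frame), "deviations:", deviations(frame),
              "embedded ports:", emb["sport"], emb["dport"],
              "trailing words:", emb["udp_word1"], hex(emb["udp_word2"]))
```

Read with that layout, frame 114's payload decodes to ports 138/138 with trailing words 251 and 0xcc24, and 251 + 20 equals its embedded total length of 271.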