You have two different source ip addresses here. Are they on the same box? The
source port differs, but at least the ip id is equal. Strange - a
coincidence? Your ACL log even showes a third source port. Btw, I think there
is no need for camouflaging rfc1918 addresses...
> I am now capturing the traffic again, though there is nothing in it.
For a packet size of 78 you have up to 50 bytes of payload (depending on the
presence of ip options). So what means 'nothing in it'? A full packet
capture, for instance tcpdump's hex output, would help. Maybe in addition to
creating a local alias with an address of 100.100.100.1 and netcatting the
connection.
Tillmann
------------------------------------------------------------------------
------
This List Sponsored by: Black Hat
Attend the Black Hat Briefings & Training USA, July 29-August 3 in Las Vegas.
World renowned security experts reveal tomorrow's threats today. Free of
vendor pitches, the Briefings are designed to be pragmatic regardless of your
security environment. Featuring 36 hands-on training courses and 10 conference
tracks, networking opportunities with over 2,500 delegates from 40+ nations.
> UDP: 137 -> 137
> eth1c0:O[78]: 68.163.87.34 -> 100.100.100.1 (UDP) len=78 id=13167
> UDP: 49902 -> 137
You have two different source ip addresses here. Are they on the same box? The
source port differs, but at least the ip id is equal. Strange - a
coincidence? Your ACL log even showes a third source port. Btw, I think there
is no need for camouflaging rfc1918 addresses...
> I am now capturing the traffic again, though there is nothing in it.
For a packet size of 78 you have up to 50 bytes of payload (depending on the
presence of ip options). So what means 'nothing in it'? A full packet
capture, for instance tcpdump's hex output, would help. Maybe in addition to
creating a local alias with an address of 100.100.100.1 and netcatting the
connection.
Tillmann
------------------------------------------------------------------------
------
This List Sponsored by: Black Hat
Attend the Black Hat Briefings & Training USA, July 29-August 3 in Las Vegas.
World renowned security experts reveal tomorrow's threats today. Free of
vendor pitches, the Briefings are designed to be pragmatic regardless of your
security environment. Featuring 36 hands-on training courses and 10 conference
tracks, networking opportunities with over 2,500 delegates from 40+ nations.
http://www.blackhat.com
------------------------------------------------------------------------
------
[ reply ]