[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [SLUG] Weird packets in tcpdump/ngrep



On Wed, Jun 13, 2001 at 06:23:45PM +1000, Jobst Schmalenbach wrote:
> On Wed, Jun 13, 2001 at 05:45:34PM +1000, Andrew Bennetts (andrew@nospam.puzzling.org) wrote:
> > Off the top of my head, that looks like the product of a traceroute
> > command.  Note the very low ttl value, and the high port.
> 
> I should have said that I killed all procs (other httpd/squid etc), shells
> and all and its was still showing, but yet as ps -edf doesnt reveal
> anything (and not traceroute neither).
> 
> On top off that it has to be generated by the box as it doesnt show up
> on the other network card (going towards internal firewall.)

Hmm.  Well, it certainly looks like a traceroute packet.  From the
traceroute(8) manpage:
       -p     Set  the  base  UDP  port  number  used  in  probes
              (default  is 33434).  Traceroute hopes that nothing
              is listening on UDP ports base to base + nhops -  1
              at  the  destination host (so an ICMP PORT_UNREACH­
              ABLE message will  be  returned  to  terminate  the
              route  tracing).   If  something  is listening on a
              port in the default range, this option can be  used
              to pick an unused port range.

The packet you showed was a UDP packet with destination port of 33435,
which is consistent with this, as is the ttl of 1.  So I'd really expect
that something is doing traceroute.  Perhaps rename /usr/sbin/traceroute
and replace it with a script that mails you with info about what's
calling it?

Of course, if something is doing the traceroute internally without
calling the program, this won't help.  In which case, trying a command
such as fuser(1) (with "-n udp") or lsof(8) might help.

Perhaps there is a cron-job that is checking that the network is still
up, or something like that?

Hope this helps.

-Andrew.

-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug