[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [SLUG] Weird packets in tcpdump/ngrep
On Wed, Jun 13, 2001 at 06:23:45PM +1000, Jobst Schmalenbach wrote:
> On Wed, Jun 13, 2001 at 05:45:34PM +1000, Andrew Bennetts (email@example.com) wrote:
> > Off the top of my head, that looks like the product of a traceroute
> > command. Note the very low ttl value, and the high port.
> I should have said that I killed all procs (other httpd/squid etc), shells
> and all and its was still showing, but yet as ps -edf doesnt reveal
> anything (and not traceroute neither).
> On top off that it has to be generated by the box as it doesnt show up
> on the other network card (going towards internal firewall.)
Hmm. Well, it certainly looks like a traceroute packet. From the
-p Set the base UDP port number used in probes
(default is 33434). Traceroute hopes that nothing
is listening on UDP ports base to base + nhops - 1
at the destination host (so an ICMP PORT_UNREACH
ABLE message will be returned to terminate the
route tracing). If something is listening on a
port in the default range, this option can be used
to pick an unused port range.
The packet you showed was a UDP packet with destination port of 33435,
which is consistent with this, as is the ttl of 1. So I'd really expect
that something is doing traceroute. Perhaps rename /usr/sbin/traceroute
and replace it with a script that mails you with info about what's
Of course, if something is doing the traceroute internally without
calling the program, this won't help. In which case, trying a command
such as fuser(1) (with "-n udp") or lsof(8) might help.
Perhaps there is a cron-job that is checking that the network is still
up, or something like that?
Hope this helps.
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug