[OT] tcpdump

gbell72 gbell72-bJEeYj9oJeDQT0dZR+AlfA at public.gmane.org
Thu Sep 18 17:52:11 UTC 2003


Afternoon,
I've not used this group in quite a while but have yet to receive any
replies to this question on some of the forums I use.  Over the past week
or longer I've been noticing high firewall traffic from IPs that belong
to verio.net.  They seem to be mostly interested in my Windows machine at
the moment.  In all the person has been using about 7 different IPs:
165.254.12.101/102.202, etc.  Here is what I've noticed using tcpdump on
port 80.

12:56:22.053052 CPE0004758dbf50-CM024480006068.cpe.net.cable.rogers.com.3242 > 165.254.12.101.http: S 152256065:152256065(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
12:56:22.089174 165.254.12.101.http > CPE0004758dbf50-CM024480006068.cpe.net.cable.rogers.com.3242: S 4259504041:4259504041(0) ack 152256066 win 65535 <mss 1460,nop,nop,sackOK> (DF)
12:56:22.089562 CPE0004758dbf50-CM024480006068.cpe.net.cable.rogers.com.3242 > 165.254.12.101.http: . ack 1 win 8760 (DF)
12:56:22.090183 CPE0004758dbf50-CM024480006068.cpe.net.cable.rogers.com.3242 > 165.254.12.101.http: P 1:280(279) ack 1 win 8760 (DF)

12:56:22.780155 CPE0004758dbf50-CM024480006068.cpe.net.cable.rogers.com.3245 > 165.254.12.101.http: S 152256793:152256793(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
12:56:22.789197 poppit03.pogo.com.http > CPE0004758dbf50-CM024480006068.cpe.net.cable.rogers.com.3244: P 1116:1303(187) ack 1166 win 24820 (DF)
12:56:22.820501 165.254.12.101.http > CPE0004758dbf50-CM024480006068.cpe.net.cable.rogers.com.3245: S 4268719919:4268719919(0) ack 152256794 win 65535 <mss 1460,nop,nop,sackOK> (DF)
12:56:22.820904 CPE0004758dbf50-CM024480006068.cpe.net.cable.rogers.com.3245 > 165.254.12.101.http: . ack 1 win 8760 (DF)
12:56:22.821503 CPE0004758dbf50-CM024480006068.cpe.net.cable.rogers.com.3245 > 165.254.12.101.http: P 1:280(279) ack 1 win 8760 (DF)

I've googled the keywords <mss 1460,nop,nop,sackok> and have noticed that
some people have responded that it's a possible worm.  From viewing my logs
I see nothing to be overly concerned about; I'm just curious as to what
this person or persons are up to.

TIA

gbell


 13:46:31 up 4 days, 22:44,  1 user,  load average: 0.03, 0.02, 0.00
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
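The question the capture above can actually answer is not "what are these options" but "which side opened each connection": in tcpdump's old text format the bare `S` segment is the SYN, the `S ... ack N` segment is the SYN-ACK, and the `.` with `ack 1` completes the handshake, so the host that sends the bare SYN is the client. The following is an added example, not part of the original post; it reads those tcpdump lines (the post's own output, re-joined one record per line and embedded as a constructed sample) and reports, per TCP flow, who initiated it, to which service, whether the full three-way handshake was seen, how many payload bytes the client pushed, and which TCP options appeared. Flows seen only mid-stream (no SYN captured, like the pogo.com record) are reported as "initiator unknown" rather than guessed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the nine records from the post, one per line.
SAMPLE = """\
12:56:22.053052 CPE0004758dbf50-CM024480006068.cpe.net.cable.rogers.com.3242 > 165.254.12.101.http: S 152256065:152256065(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
12:56:22.089174 165.254.12.101.http > CPE0004758dbf50-CM024480006068.cpe.net.cable.rogers.com.3242: S 4259504041:4259504041(0) ack 152256066 win 65535 <mss 1460,nop,nop,sackOK> (DF)
12:56:22.089562 CPE0004758dbf50-CM024480006068.cpe.net.cable.rogers.com.3242 > 165.254.12.101.http: . ack 1 win 8760 (DF)
12:56:22.090183 CPE0004758dbf50-CM024480006068.cpe.net.cable.rogers.com.3242 > 165.254.12.101.http: P 1:280(279) ack 1 win 8760 (DF)
12:56:22.780155 CPE0004758dbf50-CM024480006068.cpe.net.cable.rogers.com.3245 > 165.254.12.101.http: S 152256793:152256793(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
12:56:22.789197 poppit03.pogo.com.http > CPE0004758dbf50-CM024480006068.cpe.net.cable.rogers.com.3244: P 1116:1303(187) ack 1166 win 24820 (DF)
12:56:22.820501 165.254.12.101.http > CPE0004758dbf50-CM024480006068.cpe.net.cable.rogers.com.3245: S 4268719919:4268719919(0) ack 152256794 win 65535 <mss 1460,nop,nop,sackOK> (DF)
12:56:22.820904 CPE0004758dbf50-CM024480006068.cpe.net.cable.rogers.com.3245 > 165.254.12.101.http: . ack 1 win 8760 (DF)
12:56:22.821503 CPE0004758dbf50-CM024480006068.cpe.net.cable.rogers.com.3245 > 165.254.12.101.http: P 1:280(279) ack 1 win 8760 (DF)
"""

# "TIME SRC.PORT > DST.PORT: FLAGS rest-of-line" (tcpdump 3.x text output)
RECORD = re.compile(r"^\s*(\S+)\s+(\S+)\s+>\s+(\S+):\s+(\S+)\s*(.*)$")
PAYLOAD = re.compile(r"\((\d+)\)")   # the "(279)" byte count after seq:seq
OPTIONS = re.compile(r"<([^>]*)>")   # the "<mss 1460,...>" option list
ACKNUM = re.compile(r"\back \d+")


def split_endpoint(ep):
    """'host.name.3242' -> ('host.name', '3242'); the port is the last dotted part."""
    host, _, port = ep.rpartition(".")
    return host, port


@dataclass
class Flow:
    initiator: str = None        # host that sent a bare SYN, if we saw one
    syn: bool = False
    synack: bool = False
    ack: bool = False
    bytes_from: dict = field(default_factory=dict)   # host -> payload bytes sent
    options: set = field(default_factory=set)


def parse_capture(text):
    """Group records into flows keyed by the unordered endpoint pair and
    track handshake state, payload bytes and TCP options per flow."""
    flows = {}
    for line in text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue
        _, src_ep, dst_ep, flags, rest = m.groups()
        src, dst = split_endpoint(src_ep), split_endpoint(dst_ep)
        f = flows.setdefault(tuple(sorted([src, dst])), Flow())
        has_ack = ACKNUM.search(rest) is not None
        if "S" in flags and not has_ack:      # SYN: this side is the client
            f.syn, f.initiator = True, src[0]
        elif "S" in flags and has_ack:        # SYN-ACK from the server
            f.synack = True
        elif flags == "." and has_ack:        # final ACK of the handshake
            f.ack = True
        pm = PAYLOAD.search(rest)
        if pm:
            f.bytes_from[src[0]] = f.bytes_from.get(src[0], 0) + int(pm.group(1))
        om = OPTIONS.search(rest)
        if om:
            f.options.add(om.group(1))
    return flows


def summarize(flows):
    """One dict per flow: who opened it, to which service, whether the full
    SYN / SYN-ACK / ACK exchange was captured, and what the client pushed."""
    out = []
    for (ep1, ep2), f in sorted(flows.items()):
        entry = {"peers": (ep1[0], ep2[0]), "options": sorted(f.options)}
        if f.initiator is None:
            # Seen mid-stream only: no SYN, so the initiator is unknown.
            entry.update(client=None, server=None, service=None,
                         handshake_complete=False, client_bytes=0)
        else:
            client, server = (ep1, ep2) if ep1[0] == f.initiator else (ep2, ep1)
            entry.update(client=client[0], server=server[0], service=server[1],
                         handshake_complete=f.syn and f.synack and f.ack,
                         client_bytes=f.bytes_from.get(client[0], 0))
        out.append(entry)
    return out


if __name__ == "__main__":
    for s in summarize(parse_capture(SAMPLE)):
        print(s)
```

Run against the post's own capture, the summary shows the rogers.com host as the client on both complete flows, each to 165.254.12.101 on http with 279 bytes pushed right after the handshake, and the same `mss 1460,nop,nop,sackOK` option list offered by both ends; MSS and SACK-permitted are ordinary TCP options that any modern stack sends in its SYN, so they identify nothing by themselves. The useful next step for a firewall-log question like this is to capture with `-w` and look at the 279-byte request payload, since that says what the local machine is asking the remote server for.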