A bad NIC is one of the other possibilities on my list. I have difficulty imagining a router or switch doing this *only* to a specific client machine.
David Gillett

> -----Original Message-----
> From: Brian Rectanus [mailto:[EMAIL PROTECTED]
> Sent: Friday, February 10, 2006 9:15 PM
> To: [email protected]
> Subject: Re: Bizarre traffic
>
> With it corresponding to network disruptions, similar IPs on
> your net and conversations looking normal otherwise, have you
> considered it a router/switch corrupting packets? Or even
> a bad NIC in a machine?
>
> -B
>
> On 2/9/06, David Gillett <[EMAIL PROTECTED]> wrote:
> > Does anybody know of anything (malware, hackware, other?) that would
> > cause a machine to put out traffic with the first octet of the
> > destination address (re)set to ZERO?
> >
> > The traffic I saw all was headed for port 443, and wasn't
> > decipherable. The variation in packet size looked like a real
> > conversation, although return packets (if any) weren't passing my
> > sniffer. The destination addresses, sans the bogus first octet,
> > looked like addresses of a couple of real internal servers (source
> > address was internal) -- which, however, do not have HTTPS service
> > active.
> >
> > [This traffic correlated with various intermittent disruptions of
> > our network, which stopped when the source machine dropped off the
> > network. It later reappeared -- and so did a brief disruption -- long
> > enough for me to pinpoint and ban it.]
> >
> > David Gillett
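Added example, not part of the original thread: a triage check for captured IPv4 packets like the ones described above. It flags destinations whose first octet is zero, lists internal servers sharing the other three octets, and verifies the header checksum to show whether the zero octet was present before or after the checksum was computed. All addresses, the server list and the function names are constructed for illustration.

```python
import ipaddress
import struct

def fold(header: bytes) -> int:
    """One's-complement 16-bit sum of the header (RFC 1071)."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def build_header(src: str, dst: str) -> bytearray:
    """Constructed 20-byte IPv4/TCP header with a correct checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                                ipaddress.IPv4Address(src).packed,
                                ipaddress.IPv4Address(dst).packed))
    struct.pack_into("!H", hdr, 10, ~fold(bytes(hdr)) & 0xFFFF)
    return hdr

def triage(packet: bytes, internal_servers):
    """Return a finding for IPv4 packets destined to 0.0.0.0/8, else None."""
    packet = bytes(packet)
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return None
    header, dst = packet[:ihl], packet[16:20]
    if dst[0] != 0:
        return None
    return {
        "src": str(ipaddress.IPv4Address(packet[12:16])),
        "dst": str(ipaddress.IPv4Address(dst)),
        # Valid: the zero octet was present when the checksum was computed
        # (sending stack, or the NIC itself under checksum offload).
        # Invalid: the header changed after the checksum was computed.
        "checksum_ok": fold(header) == 0xFFFF,
        # Internal servers whose last three octets match the bogus destination.
        "resembles": [s for s in internal_servers
                      if ipaddress.IPv4Address(s).packed[1:] == dst[1:]],
    }

SERVERS = ["10.20.30.40", "10.20.30.41"]                    # constructed
sent_bad = bytes(build_header("10.20.5.9", "0.20.30.40"))   # zeroed before checksum
flipped = build_header("10.20.5.9", "10.20.30.40")
flipped[16] = 0                                             # zeroed after checksum
normal = bytes(build_header("10.20.5.9", "10.20.30.40"))
for pkt in (sent_bad, bytes(flipped), normal):
    print(triage(pkt, SERVERS))
```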
