Re: interesting multicast packet
I used Little Snitch for a while on my device but too intrusive, let's rather use pfctl ;-)

On 21/03/14 15:21, "Jeroen Massar" wrote:

>On 2014-03-21 08:54, Eric Vyncke (evyncke) wrote:
>> And Stig, if you are using our 'employer-paid' laptop sold by Cupertino,
>> then, you are also sending those packets... I discovered this 'feat' last
>> week when sniffing traffic from my own laptop...
>>
>> The use of organization-scope multicast is nice but the ::2 is indeed
>> awkward
>
>This can be the day that you learn to install Little Snitch on the
>iFruit device and disable even the standard-local-network-rules ;)
>
>Greets,
> Jeroen
Re: interesting multicast packet
On 2014-03-21 08:54, Eric Vyncke (evyncke) wrote:
> And Stig, if you are using our 'employer-paid' laptop sold by Cupertino,
> then, you are also sending those packets... I discovered this 'feat' last
> week when sniffing traffic from my own laptop...
>
> The use of organization-scope multicast is nice but the ::2 is indeed
> awkward

This can be the day that you learn to install Little Snitch on the iFruit
device and disable even the standard-local-network-rules ;)

Greets,
 Jeroen
Re: interesting multicast packet
And Stig, if you are using our 'employer-paid' laptop sold by Cupertino,
then, you are also sending those packets... I discovered this 'feat' last
week when sniffing traffic from my own laptop...

The use of organization-scope multicast is nice but the ::2 is indeed
awkward

-éric

On 20/03/14 23:22, "Stig Venaas" wrote:

>Hi
>
>On 2/27/2014 8:16 AM, Gert Doering wrote:
>> Hi,
>>
>> On Wed, Feb 26, 2014 at 10:57:07PM -0600, Frank Bulk wrote:
>>> I suggest using Microsoft Network Monitor
>>> (http://www.microsoft.com/en-us/download/details.aspx?id=4865) to identify
>>> the process sending out that traffic.
>>
>> We did. It says "unknown"...
>>
>> But I think Daniel's find is spot-on, as
>>
>> https://malwr.com/analysis/ZDg2MzhjNmJhOGIxNGNiM2I2NmRkMTMzODBkZjllYmY/
>>
>> shows the string we saw in the packet (click on "static analysis" ->
>> "strings" -> "RELARELAY_RESPONDRELA"), a "McAfee Framework Service" is
>> indeed installed and that "seems to be a known side effect" - though
>> nobody seems to have observed this on IPv6 yet...
>
>Sorry for this late reply, but it doesn't make much sense that it is
>sent to the all routers address.
>
>Stig
>
>> Gert Doering
>>         -- NetMaster
Re: interesting multicast packet
Hi,

On Thu, Mar 20, 2014 at 03:22:54PM -0700, Stig Venaas wrote:
> Sorry for this late reply, but it doesn't make much sense that it is
> sent to the all routers address.

It's antivirus software. Why do you expect things to make sense?

Gert Doering
        -- NetMaster

--
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444           USt-IdNr.: DE813185279
Re: interesting multicast packet
On Thu, Mar 20, 2014 at 03:22:54PM -0700, Stig Venaas wrote:
> Sorry for this late reply, but it doesn't make much sense that it is
> sent to the all routers address.

It's not. There is the well-known ff02::2 "all routers on local segment"
multicast address, but ff08::2 (::2 in the well-known organization-local
scope ff08::/16 range) ain't officially assigned:

http://www.iana.org/assignments/ipv6-multicast-addresses/ipv6-multicast-addresses.xhtml#ipv6-multicast-addresses-4

This looks like abuse of the well-known range, using unassigned ::2

Best regards,
Daniel

--
CLUE-RIPE -- Jabber: d...@cluenet.de -- dr@IRCnet -- PGP: 0xA85C8AA0
Re: interesting multicast packet
Hi

On 2/27/2014 8:16 AM, Gert Doering wrote:
> Hi,
>
> On Wed, Feb 26, 2014 at 10:57:07PM -0600, Frank Bulk wrote:
>> I suggest using Microsoft Network Monitor
>> (http://www.microsoft.com/en-us/download/details.aspx?id=4865) to identify
>> the process sending out that traffic.
>
> We did. It says "unknown"...
>
> But I think Daniel's find is spot-on, as
>
> https://malwr.com/analysis/ZDg2MzhjNmJhOGIxNGNiM2I2NmRkMTMzODBkZjllYmY/
>
> shows the string we saw in the packet (click on "static analysis" ->
> "strings" -> "RELARELAY_RESPONDRELA"), a "McAfee Framework Service" is
> indeed installed and that "seems to be a known side effect" - though
> nobody seems to have observed this on IPv6 yet...

Sorry for this late reply, but it doesn't make much sense that it is
sent to the all routers address.

Stig

> Gert Doering
>         -- NetMaster
Re: interesting multicast packet
Hi,

On Wed, Feb 26, 2014 at 10:57:07PM -0600, Frank Bulk wrote:
> I suggest using Microsoft Network Monitor
> (http://www.microsoft.com/en-us/download/details.aspx?id=4865) to identify
> the process sending out that traffic.

We did. It says "unknown"...

But I think Daniel's find is spot-on, as

https://malwr.com/analysis/ZDg2MzhjNmJhOGIxNGNiM2I2NmRkMTMzODBkZjllYmY/

shows the string we saw in the packet (click on "static analysis" ->
"strings" -> "RELARELAY_RESPONDRELA"), a "McAfee Framework Service" is
indeed installed and that "seems to be a known side effect" - though
nobody seems to have observed this on IPv6 yet...

Gert Doering
        -- NetMaster
RE: interesting multicast packet
I suggest using Microsoft Network Monitor
(http://www.microsoft.com/en-us/download/details.aspx?id=4865) to identify
the process sending out that traffic.

Frank

-----Original Message-----
From: ipv6-ops-bounces+frnkblk=iname@lists.cluenet.de
[mailto:ipv6-ops-bounces+frnkblk=iname@lists.cluenet.de] On Behalf Of Gert Doering
Sent: Tuesday, February 25, 2014 4:08 AM
To: ipv6-ops@lists.cluenet.de
Subject: interesting multicast packet

Hi,

my google-fu is failing me, but maybe one of you knows.

After some troubleshooting around a Juniper SSG cluster today, we found
that a windows server on the trust side of the SSG cluster is emitting
UDP packets towards

  ff08::2.8083 (UDP, payload length 21)

ff08::2 = "all routers, organization-scoped"

These packets are sent about every 61 minutes, and caused some interesting
issues here as the *passive* SSG leaked them out towards the router,
leading to "the NSRP MAC address showing up on the wrong switch port",
causing short hiccups.

But that's not what I'm wondering about - I'm more curious about that
sort of packet - what is that? What is it used for? Which process is
emitting it, and what is it trying to achieve?

Gert Doering
        -- NetMaster
Re: interesting multicast packet
On Tue, Feb 25, 2014 at 11:55:48AM +0100, Gert Doering wrote:
> 11:46:47.456845 00:10:db:ff:20:60 > 00:d0:01:f3:6c:00, ethertype IPv6 (0x86dd),
>     length 83: 2001:608:xxx:xx::yyy.62029 > ff08::2.8083: UDP, length 21
>     0x0000:  6000 0000 001d 117f 2001 0608 0xxx 00xx  `....... .......
>     0x0010:  0000 0000 0000 0yyy ff08 0000 0000 0000  ................
>     0x0020:  0000 0000 0000 0002 f24d 1f93 001d 62ef  .........M....b.
>     0x0030:  5245 4c41 5245 4c41 595f 5245 5350 4f4e  RELARELAY_RESPON
>     0x0040:  4452 454c 41                             DRELA

McAfee Agent looking for a McAfee Relay Server?

https://community.mcafee.com/thread/56766
https://kc.mcafee.com/corporate/index?page=content&id=KB52569

Best regards,
Daniel

--
CLUE-RIPE -- Jabber: d...@cluenet.de -- dr@IRCnet -- PGP: 0xA85C8AA0
Re: interesting multicast packet
Hi,

On Tue, Feb 25, 2014 at 11:07:34AM +0100, Gert Doering wrote:
> After some troubleshooting around a Juniper SSG cluster today, we found
> that a windows server on the trust side of the SSG cluster is emitting
> UDP packets towards
>
>   ff08::2.8083 (UDP, payload length 21)
>
> ff08::2 = "all routers, organization-scoped"

Here's a hexdump of the packet... source IPv6 address mangled, source MAC
is the netscreen NSRP vMAC, dest address is the default router.

11:46:47.456845 00:10:db:ff:20:60 > 00:d0:01:f3:6c:00, ethertype IPv6 (0x86dd),
    length 83: 2001:608:xxx:xx::yyy.62029 > ff08::2.8083: UDP, length 21
    0x0000:  6000 0000 001d 117f 2001 0608 0xxx 00xx  `....... .......
    0x0010:  0000 0000 0000 0yyy ff08 0000 0000 0000  ................
    0x0020:  0000 0000 0000 0002 f24d 1f93 001d 62ef  .........M....b.
    0x0030:  5245 4c41 5245 4c41 595f 5245 5350 4f4e  RELARELAY_RESPON
    0x0040:  4452 454c 41                             DRELA

still doesn't ring any bell...

Gert Doering
        -- NetMaster
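The following is an added example, not code from the list, from McAfee or from any vendor. It decodes the packet in the hexdump above and applies Daniel's later point about scope and assignment: it splits the IPv6 and UDP headers, names the scope and flag nibbles of the destination, checks group ::2 against the IANA-assigned All Routers addresses (ff01::2, ff02::2, ff05::2; there is no ff08::2), verifies the UDP checksum over the IPv6 pseudo-header, and looks for the relay-discovery string seen in the payload. The sample bytes are constructed from the hexdump with the mangled source address replaced by the documentation address 2001:db8::1; that substitution is an assumption, which is why the captured checksum 0x62ef no longer verifies against the sample and a fix_checksum() helper is included.

```python
"""Decode the UDP-to-ff08::2 capture from this thread and classify the destination.

Added example (not code from the list, from McAfee or from any vendor).
"""
import ipaddress
import struct

# Constructed sample: the thread's hexdump (Ethernet header dropped), with the
# mangled source address replaced by the documentation address 2001:db8::1.
# That substitution is an assumption, so the captured UDP checksum 0x62ef
# no longer verifies against this sample; see fix_checksum() below.
SAMPLE_PACKET = bytes.fromhex(
    "6000 0000 001d 117f"                      # v6, flow 0, plen 29, nh 17 (UDP), hlim 127
    "2001 0db8 0000 0000 0000 0000 0000 0001"  # source (substituted)
    "ff08 0000 0000 0000 0000 0000 0000 0002"  # destination ff08::2
    "f24d 1f93 001d 62ef"                      # UDP: sport 62029, dport 8083, len 29, csum
    "5245 4c41 5245 4c41 595f 5245 5350 4f4e"  # "RELARELAY_RESPON"
    "4452 454c 41"                             # "DRELA"
)

# Multicast scope nibble, RFC 4291 section 2.7 (3 = realm-local, RFC 7346).
SCOPE_NAMES = {0x0: "reserved", 0x1: "interface-local", 0x2: "link-local",
               0x3: "realm-local", 0x4: "admin-local", 0x5: "site-local",
               0x8: "organization-local", 0xE: "global", 0xF: "reserved"}

# The only IANA-assigned "All Routers" groups (RFC 4291 section 2.7.1).
# Note there is no ff08::2: the organization-local scope has no such group.
ALL_ROUTERS = {ipaddress.IPv6Address(a) for a in ("ff01::2", "ff02::2", "ff05::2")}

# Marker seen in the thread's payload, which the thread attributes to
# McAfee Agent looking for a relay server.
RELAY_DISCOVERY_MARKER = b"RELAY_RESPOND"


def parse_ipv6_udp(pkt):
    """Split a bare IPv6+UDP packet (no extension headers) into its fields."""
    if len(pkt) < 48:
        raise ValueError("too short for IPv6 + UDP headers")
    vtf, plen, nh, hlim = struct.unpack("!IHBB", pkt[:8])
    if vtf >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    if nh != 17:
        raise ValueError("next header %d is not UDP (extension headers unsupported)" % nh)
    src = ipaddress.IPv6Address(pkt[8:24])
    dst = ipaddress.IPv6Address(pkt[24:40])
    sport, dport, ulen, csum = struct.unpack("!HHHH", pkt[40:48])
    if plen != ulen or len(pkt) != 40 + ulen:
        raise ValueError("IPv6 payload length, UDP length and capture size disagree")
    return {"src": src, "dst": dst, "hop_limit": hlim, "sport": sport, "dport": dport,
            "checksum": csum, "payload": pkt[48:40 + ulen]}


def udp_checksum(src, dst, udp_segment):
    """UDP checksum over the IPv6 pseudo-header (RFC 8200 section 8.1) and the segment."""
    pseudo = src.packed + dst.packed + struct.pack("!IxxxB", len(udp_segment), 17)
    data = pseudo + udp_segment[:6] + b"\x00\x00" + udp_segment[8:]  # checksum field zeroed
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total & 0xFFFF) or 0xFFFF  # UDP over IPv6 sends 0xFFFF instead of 0


def fix_checksum(pkt):
    """Return a copy of pkt whose UDP checksum matches its (substituted) addresses."""
    hdr = parse_ipv6_udp(pkt)
    csum = udp_checksum(hdr["src"], hdr["dst"], pkt[40:])
    return pkt[:46] + struct.pack("!H", csum) + pkt[48:]


def classify_multicast(addr):
    """Decode the flag and scope nibbles of an ff00::/8 address and check IANA assignment."""
    addr = ipaddress.IPv6Address(addr)
    if not addr.is_multicast:
        return {"multicast": False}
    value = int(addr)
    flags = (value >> 116) & 0xF  # 0RPT bits per RFC 4291 / 3306 / 3956
    scope = (value >> 112) & 0xF
    return {"multicast": True,
            "scope": SCOPE_NAMES.get(scope, "unassigned (0x%x)" % scope),
            "transient": bool(flags & 1),  # T=0: permanently assigned ("well-known") range
            "group_id": value & ((1 << 112) - 1),
            "assigned_all_routers": addr in ALL_ROUTERS}


def analyze(pkt):
    """Parse one packet and list what a network operator would want flagged about it."""
    hdr = parse_ipv6_udp(pkt)
    grp = classify_multicast(hdr["dst"])
    findings = []
    if grp["multicast"] and grp["group_id"] == 2 and not grp["assigned_all_routers"]:
        findings.append("%s: group ::2 (All Routers) is assigned only in interface-, link- and "
                        "site-local scope; this %s address is unassigned" % (hdr["dst"], grp["scope"]))
    if RELAY_DISCOVERY_MARKER in hdr["payload"]:
        findings.append("payload contains %r: relay-server discovery beacon "
                        "(McAfee Agent, per this thread)" % RELAY_DISCOVERY_MARKER)
    return {"src": str(hdr["src"]), "dst": str(hdr["dst"]),
            "sport": hdr["sport"], "dport": hdr["dport"], "hop_limit": hdr["hop_limit"],
            "scope": grp.get("scope"), "payload": hdr["payload"].decode("ascii", "replace"),
            "checksum_ok": udp_checksum(hdr["src"], hdr["dst"], pkt[40:]) == hdr["checksum"],
            "findings": findings}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_PACKET).items():
        print("%-12s %s" % (key, value))
```

To run it against a real capture, feed analyze() the IPv6 bytes (strip the 14-byte Ethernet header from a tcpdump -X dump or a pcap frame). The parser deliberately refuses packets with extension headers rather than guessing at offsets, and the checksum check is there so a hand-edited or address-mangled sample is not mistaken for a verified one.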
Re: interesting multicast packet
Hi,

On Tue, Feb 25, 2014 at 11:13:31AM +0100, Mikael Abrahamsson wrote:
> On Tue, 25 Feb 2014, Gert Doering wrote:
>
>> ff08::2.8083 (UDP, payload length 21)
>>
>> But that's not what I'm wondering about - I'm more curious about that
>> sort of packet - what is that? What is it used for? Which process is
>> emitting it, and what is it trying to achieve?
>
> http://www.adminsub.net/tcp-udp-port-finder/8083
>
> Port: 8083/UDP - Known port assignments (3 records found)
>
> Service                                          Details             Source
> us-srv                                           Utilistor (Server)  IANA
> EMC2 (Legato) Networker or Sun Solstice Backup   (Official)          WIKI
> QuickTime Streaming Server                                           Apple

Yeah, that I did google :-) - but it didn't really ring a bell.

> Does the windows machine run legato networker or similar backup service?

Nothing of that sort. It's an internal management system, so "something
with netapp or vcenter" would be possible. Backup is done with DPM, so
it's not that...

Gert Doering
        -- NetMaster
Re: interesting multicast packet
On Tue, 25 Feb 2014, Gert Doering wrote:

> ff08::2.8083 (UDP, payload length 21)
>
> But that's not what I'm wondering about - I'm more curious about that
> sort of packet - what is that? What is it used for? Which process is
> emitting it, and what is it trying to achieve?

http://www.adminsub.net/tcp-udp-port-finder/8083

Port: 8083/UDP - Known port assignments (3 records found)

Service                                          Details             Source
us-srv                                           Utilistor (Server)  IANA
EMC2 (Legato) Networker or Sun Solstice Backup   (Official)          WIKI
QuickTime Streaming Server                                           Apple

Does the windows machine run legato networker or similar backup service?

--
Mikael Abrahamsson    email: swm...@swm.pp.se