Re: interesting multicast packet
I used Little Snitch for a while on my device but too intrusive, let's rather use pfctl ;-)

On 21/03/14 15:21, Jeroen Massar jer...@massar.ch wrote:
> On 2014-03-21 08:54, Eric Vyncke (evyncke) wrote:
> > And Stig, if you are using our 'employer-paid' laptop sold by Cupertino,
> > then, you are also sending those packets... I discovered this 'feat'
> > last week when sniffing traffic from my own laptop... The use of
> > organization-scope multicast is nice but the ::2 is indeed awkward
>
> This can be the day that you learn to install Little Snitch on the
> iFruit device and disable even the standard-local-network-rules ;)
>
> Greets,
>  Jeroen
Re: interesting multicast packet
Hi,

On Wed, Feb 26, 2014 at 10:57:07PM -0600, Frank Bulk wrote:
> I suggest using Microsoft Network Monitor
> (http://www.microsoft.com/en-us/download/details.aspx?id=4865) to identify
> the process sending out that traffic.

We did. It says unknown...

But I think Daniel's find is spot-on, as

https://malwr.com/analysis/ZDg2MzhjNmJhOGIxNGNiM2I2NmRkMTMzODBkZjllYmY/

shows the string we saw in the packet (click on static analysis - strings - RELARELAY_RESPONDRELA), a McAfee Framework Service is indeed installed and that seems to be a known side effect - though nobody seems to have observed this on IPv6 yet...

Gert Doering
        -- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG                   Executive Board: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14     Supervisory Board Chair: A. Grundner-Culemann
D-80807 Muenchen              HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444      VAT ID: DE813185279
interesting multicast packet
Hi,

my google-fu is failing me, but maybe one of you knows.

After some troubleshooting around a Juniper SSG cluster today, we found that a Windows server on the trust side of the SSG cluster is emitting UDP packets towards

  ff08::2.8083  (UDP, payload length 21)

  ff08::2 = all routers, organization-scoped

These packets are sent about every 61 minutes, and caused some interesting issues here as the *passive* SSG leaked them out towards the router, leading to the NSRP MAC address showing up on the wrong switch port, causing short hiccups.

But that's not what I'm wondering about - I'm more curious about that sort of packet - what is that? What is it used for? Which process is emitting it, and what is it trying to achieve?

Gert Doering
        -- NetMaster
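Decoding the destination reported in the message above, as an added example that is not part of the original thread: it splits an IPv6 multicast address into its RFC 4291 flags, scope and group ID, then lists senders of multicast scoped wider than link-local together with their send interval. The flow records, host addresses and function names are constructed for illustration.

```python
import ipaddress
import statistics
from collections import defaultdict

# Scope values from RFC 4291 section 2.7
SCOPES = {0x1: "interface-local", 0x2: "link-local", 0x4: "admin-local",
          0x5: "site-local", 0x8: "organization-local", 0xE: "global"}

def decode_multicast(addr):
    """Split ff<flags><scope>::<group> into its fields."""
    ip = ipaddress.IPv6Address(addr)
    if not ip.is_multicast:
        raise ValueError(f"{addr} is not an IPv6 multicast address")
    raw = int(ip)
    scope_id = (raw >> 112) & 0xF          # low nibble of the second byte
    return {"flags": (raw >> 116) & 0xF,   # high nibble of the second byte
            "scope_id": scope_id,
            "scope": SCOPES.get(scope_id, "unassigned/reserved"),
            "group_id": raw & ((1 << 112) - 1)}

def wide_scope_senders(flows, min_scope=0x3):
    """Group multicast flows scoped beyond link-local by (src, dst, dport)."""
    seen = defaultdict(list)
    for ts, src, dst, dport, _payload_len in flows:
        if not ipaddress.IPv6Address(dst).is_multicast:
            continue
        if decode_multicast(dst)["scope_id"] >= min_scope:
            seen[(src, dst, dport)].append(ts)
    report = {}
    for key, stamps in seen.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        report[key] = {"count": len(stamps),
                       "median_gap_s": statistics.median(gaps) if gaps else None}
    return report

# Constructed sample: (timestamp_s, src, dst, udp_dport, payload_len)
SAMPLE_FLOWS = [
    (0,    "2001:db8::10", "ff08::2",     8083, 21),
    (120,  "2001:db8::10", "ff02::fb",    5353, 45),   # link-local, ignored
    (3660, "2001:db8::10", "ff08::2",     8083, 21),
    (4000, "2001:db8::11", "2001:db8::1", 53,   40),   # unicast, ignored
    (7320, "2001:db8::10", "ff08::2",     8083, 21),
]

if __name__ == "__main__":
    print(decode_multicast("ff08::2"))
    for key, info in wide_scope_senders(SAMPLE_FLOWS).items():
        print(key, info)
```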
Re: interesting multicast packet
Hi,

On Tue, Feb 25, 2014 at 11:13:31AM +0100, Mikael Abrahamsson wrote:
> On Tue, 25 Feb 2014, Gert Doering wrote:
> >   ff08::2.8083  (UDP, payload length 21)
> >
> > But that's not what I'm wondering about - I'm more curious about that
> > sort of packet - what is that? What is it used for? Which process is
> > emitting it, and what is it trying to achieve?
>
> http://www.adminsub.net/tcp-udp-port-finder/8083
>
> Port: 8083/UDP
> 8083/UDP - Known port assignments (3 records found)
>
> Service  Details                                                     Source
> us-srv   Utilistor (Server)                                          IANA
>          EMC2 (Legato) Networker or Sun Solstice Backup (Official)   WIKI
>          QuickTime Streaming Server                                  Apple

Yeah, that I did google :-) - but it didn't really ring a bell.

> Does the windows machine run legato networker or similar backup service?

Nothing of that sort. It's an internal management system, so something with netapp or vcenter would be possible. Backup is done with DPM, so it's not that...

Gert Doering
        -- NetMaster