
Hello,

I have noticed that numerous packet captures have extra data in them,
above and beyond the length reported in the IP header of the datagram.
This extra data often breaks out into legible ASCII, including traffic
that would normally be seen via web surfing, DNS, FTP, SMTP etc etc
etc.

There are lots of examples, with a few detailed below.

I am not a coder so I can't help on that level, but am curious if
anyone has an idea of what is causing this.  I have seen correlation
on the Internet from other log postings with the same kind of data
appended.

I am running Slackware 7.0 with libpcap 0.6.2, precompiled and copied
over to another Slackware box.

00:18:23.264554 0:4:28:c:98:0 0:3:fe:d5:1c:70 0800 60: 205.199.193.5.35898 > 192.168.250.213.113: R [tcp sum ok] 3669711745:3669711745(0) win 8760 (DF) (ttl 241, id 5100, len 40)
0x0000    4500 0028 13ec 4000 f106 68b7 cdc7 c105        E..(..@....h....
0x0010    XXXX fad5 8c3a 0071 dabb 5b81 0000 0000        .....:.q..[.....
0x0020    5004 2238 bd93 0000 5243 5054 2054             P."8....RCPT.T

00:19:43.974877 0:3:fe:d5:1c:70 0:4:28:c:98:0 0800 60: 192.168.250.213.38536 > 24.2.9.89.113: F [tcp sum ok] 11:11(0) ack 1 win 8760 (DF) (ttl 252, id 19222, len 40)
0x0000    4500 0028 4b16 4000 fc06 93ff XXXX fad5        E..(K.@.........
0x0010    1802 0959 9688 0071 ca7f e1ec cce8 d9f6        ...Y...q........
0x0020    5011 2238 039c 0000 0377 7777 0568             P."8.....www.h

00:21:11.586514 0:4:28:c:98:0 0:3:fe:d5:1c:70 0800 60: 24.226.1.11.59678 > 192.168.250.218.113: R [tcp sum ok] 3181041205:3181041205(0) win 64240 (DF) (ttl 248, id 16488, len 40)
0x0000    4500 0028 4068 4000 f806 aa16 18e2 010b        E..(@h@.........
0x0010    XXXX fada e91e 0071 bd9a d635 0000 0000        .......q...5....
0x0020    5004 faf0 9f3e 0000 026e 7306 6472             P....>...ns.dr

00:22:07.067609 0:3:fe:d5:1c:70 0:4:28:c:98:0 0800 60: 192.168.250.218.51658 > 216.33.156.139.113: R [tcp sum ok] 3086955405:3086955405(0) win 8760 (DF) (ttl 252, id 64856, len 40)
0x0000    4500 0028 fd58 4000 fc06 8e65 XXXX fada        E..(.X@....e....
0x0010    d821 9c8b c9ca 0071 b7ff 338d 0000 0000        .!.....q..3.....
0x0020    5004 2238 e4ce 0000 5155 4954 0d0a             P."8....QUIT..

00:25:13.698743 0:3:fe:d5:1c:70 0:4:28:c:98:0 0800 60: 192.168.250.213.38740 > 216.32.241.14.113: R [tcp sum ok] 3453904791:3453904791(0) win 8760 (DF) (ttl 252, id 27984, len 40)
0x0000    4500 0028 6d50 4000 fc06 c9f0 XXXX fad5        E..(mP@.........
0x0010    d820 f10e 9754 0071 cdde 6797 0000 0000        .....T.q..g.....
0x0020    5004 2238 78de 0000 4745 5420 2f49             P."8x...GET./I

00:27:10.096893 0:4:28:c:98:0 0:3:fe:d5:1c:70 0800 60: 207.8.186.26.35608 > 192.168.250.213.113: R [tcp sum ok] 2584523527:2584523527(0) win 24820 (DF) (ttl 46, id 25702, len 40)
0x0000    4500 0028 6466 4000 2e06 e0e7 cf08 ba1a        E..(df@.........
0x0010    XXXX fad5 8b18 0071 9a0c b307 0000 0000        .......q........
0x0020    5004 60f4 6ecc 0000 5041 5353 2041             P.`.n...PASS.A

00:00:02.568811 0:4:28:c:98:0 0:3:fe:d5:1c:70 0800 60: 206.172.185.158.1070 > 192.168.250.10.80: R [tcp sum ok] 215848:215848(0) win 0 (ttl 118, id 60930, len 40)
0x0000    4500 0028 ee02 0000 7606 50ee ceac b99e        E..(....v.P.....
0x0010    XXXX fa0a 042e 0050 0003 4b28 0003 4b28        .......P..K(..K(
0x0020    5004 0000 0f2d 0000 4548 4c4f 2069             P....-..EHLO.i

00:00:02.617798 0:4:28:c:98:0 0:3:fe:d5:1c:70 0800 60: 195.101.94.208.29026 > 192.168.250.10.80: F [tcp sum ok] 1698767802:1698767802(0) ack 321528886 win 32120 (DF) (ttl 45, id 30938, len 40)
0x0000    4500 0028 78da 4000 2d06 352c c365 5ed0        E..(x.@.-.5,.e^.
0x0010    XXXX fa0a 7162 0050 6541 23ba 132a 2436        ....qb.PeA#..*$6
0x0020    5011 7d78 6083 0000 5243 5054 2054             P.}x`...RCPT.T

00:00:04.731487 0:4:28:c:98:0 0:3:fe:d5:1c:70 0800 60: 206.172.185.158.1071 > 192.168.250.10.80: R [tcp sum ok] 217543:217543(0) win 0 (ttl 118, id 259, len 40)
0x0000    4500 0028 0103 0000 7606 3dee ceac b99e        E..(....v.=.....
0x0010    XXXX fa0a 042f 0050 0003 51c7 0003 51c7        ...../.P..Q...Q.
0x0020    5004 0000 01ee 0000 4d41 494c 2046             P.......MAIL.F

00:00:07.133534 0:4:28:c:98:0 0:3:fe:d5:1c:70 0800 60: 206.172.185.158.1073 > 192.168.250.10.80: R [tcp sum ok] 221032:221032(0) win 0 (ttl 118, id 3843, len 40)
0x0000    4500 0028 0f03 0000 7606 2fee ceac b99e        E..(....v./.....
0x0010    XXXX fa0a 0431 0050 0003 5f68 0003 5f68        .....1.P.._h.._h
0x0020    5004 0000 e6a9 0000 3235 3020 6f6b             P.......250.ok

00:00:13.442000 0:4:28:c:98:0 0:3:fe:d5:1c:70 0800 60: 202.152.5.40.30187 > 192.168.21.94.16031: R [tcp sum ok] 0:0(0) ack 350509684 win 0 (ttl 239, id 11889, len 40)
0x0000    4500 0028 2e71 0000 ef06 34b7 ca98 0528        E..(.q....4....(
0x0010    XXXX 155e 75eb 3e9f 0000 0000 14e4 5a74        ...^u.>.......Zt
0x0020    5014 0000 2346 0000 2043 4b41 4141             P...#F...CKAAA

00:00:13.955636 0:4:28:c:98:0 0:3:fe:d5:1c:70 0800 60: 206.172.185.158.1075 > 192.168.250.210.80: F [tcp sum ok] 1:1(0) ack 0 win 8474 (DF) (ttl 118, id 17667, len 40)
0x0000    4500 0028 4503 4000 7606 b925 ceac b99e        E..(E.@.v..%....
0x0010    XXXX fad2 0433 0050 0003 743f 2098 68a5        .....3.P..t?..h.
0x0020    5011 211a 860f 0000 0667 6f70 6c61             P.!......gopla

00:00:14.940654 0:3:fe:d5:1c:70 0:4:28:c:98:0 0800 60: 192.168.114.223.1125 > 209.58.63.177.80: R [tcp sum ok] 448132:448132(0) win 0 (ttl 125, id 27397, len 40)
0x0000    4500 0028 6b05 0000 7d06 cb76 XXXX 72df        E..(k...}..v..r.
0x0010    d13a 3fb1 0465 0050 0006 d684 0000 0000        .:?..e.P........
0x0020    5004 0000 cd4c 0000 2043 4b41 4141             P....L...CKAAA

00:00:15.876158 0:4:28:c:98:0 0:3:fe:d5:1c:70 0800 60: 24.112.149.49.1287 > 192.168.250.10.80: F [tcp sum ok] 4227258059:4227258059(0) ack 321520139 win 17288 (DF) (ttl 112, id 49050, len 40)
0x0000    4500 0028 bf9a 4000 7006 2000 1870 9531        E..(..@.p....p.1
0x0010    XXXX fa0a 0507 0050 fbf6 d6cb 132a 020b        .......P.....*..
0x0020    5011 4388 53c7 0000 8c6e 7332 0565             P.C.S....ns2.e

00:00:16.031585 0:3:fe:d5:1c:70 0:4:28:c:98:0 0800 60: 192.168.250.10.80 > 24.112.149.49.1323: F [tcp sum ok] 321520019:321520019(0) ack 4230149886 win 8624 (DF) (ttl 125, id 61874, len 40)
0x0000    4500 0028 f1b2 4000 7d06 e0e7 XXXX fa0a        E..(..@.}.......
0x0010    1870 9531 0050 052b 132a 0193 fc22 f6fe        .p.1.P.+.*..."..
0x0020    5011 21b0 5594 0000 0473 6d74 7003             P.!.U....smtp.

00:00:16.060857 0:3:fe:d5:1c:70 0:4:28:c:98:0 0800 60: 192.168.250.12.80 > 24.2.9.37.4594: F [tcp sum ok] 321519672:321519672(0) ack 833102617 win 8259 (DF) (ttl 125, id 63666, len 40)
0x0000    4500 0028 f8b2 4000 7d06 6660 XXXX fa0c        E..(..@.}.f`....
0x0010    1802 0925 0050 11f2 132a 0038 31a8 2319        ...%.P...*.81.#.
0x0020    5011 2043 766e 0000 0473 6d74 7003             P..Cvn...smtp.

00:00:16.062570 0:3:fe:d5:1c:70 0:4:28:c:98:0 0800 60: 192.168.250.12.80 > 24.2.9.37.4596: F [tcp sum ok] 321519224:321519224(0) ack 833296221 win 8255 (DF) (ttl 125, id 64434, len 40)
0x0000    4500 0028 fbb2 4000 7d06 6360 XXXX fa0c        E..(..@.}.c`....
0x0010    1802 0925 0050 11f4 1329 fe78 31ab 175d        ...%.P...).x1..]
0x0020    5011 203f 83e9 0000 0473 6d74 7003             P..?.....smtp.

00:00:16.140309 0:4:28:c:98:0 0:3:fe:d5:1c:70 0800 60: 24.2.9.37.4594 > 192.168.250.12.80: F [tcp sum ok] 1:1(0) ack 1 win 49152 (DF) (ttl 44, id 41319, len 40)
0x0000    4500 0028 a167 4000 2c06 0eac 1802 0925        E..(.g@.,......%
0x0010    XXXX fa0c 11f2 0050 31a8 2319 132a 0039        .......P1.#..*.9
0x0020    5011 c000 d6af 0000 0473 6d74 7003             P........smtp.

00:00:28.019594 0:4:28:c:98:0 0:3:fe:d5:1c:70 0800 60: 206.186.189.178.3189 > 192.168.250.10.80: R [tcp sum ok] 13756662:13756662(0) win 0 (DF) (ttl 120, id 15308, len 40)
0x0000    4500 0028 3bcc 4000 7806 bd02 ceba bdb2        E..(;.@.x.......
0x0010    XXXX fa0a 0c75 0050 00d1 e8f6 5afe b0c2        .....u.P....Z...
0x0020    5004 0000 a391 0000 4548 4c4f 2073             P.......EHLO.s

00:00:30.488158 0:4:28:c:98:0 0:3:fe:d5:1c:70 0800 60: 198.165.121.6.2035 > 192.168.84.35.21: R [tcp sum ok] 3011372135:3011372135(0) win 0 (DF) (ttl 113, id 34089, len 40)
0x0000    4500 0028 8529 4000 7106 6d4e c6a5 7906        E..(.)@.q.mN..y.
0x0010    XXXX 5423 07f3 0015 b37d e467 11aa 4dda        ..T#.....}.g..M.
0x0020    5004 0000 9916 0000 2f62 6f64 793e             P......./body>

Regards,
C.J. French
Leading Seaman
DND CIRT Analyst - Intrusion Detection Systems
Canadian Dept. National Defence Computer Incident Response Team
Tel: (613) 945-0142 Fax: (613) 945-6407
North American toll free: 1-877-DND-CIRT
DND CIRT PGP Key Fingerprint: 30F6 2333 F9FA C64F E7ED  DB27 495E D4E1 F56C B67C
Personal PGP Key Fingerprint: D249 B844 A0AB 8BFA FA4B  4B65 4AF7 0ABA DC43 A0C1
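Every frame in the post is 60 bytes long while its IP total length is 40, so each carries 6 bytes past the end of the TCP header: the padding the sending host had to add to reach the Ethernet minimum frame size, which some stacks and NIC drivers fill with whatever was left in a reused transmit buffer rather than zeros. The following is an added example, not code from the post, that parses one of the dumped frames, separates the trailer from the datagram and classifies it; the sample input is the first frame above with the poster's redacted "XXXX" replaced by 0000.

```python
import struct

# Constructed sample: the IP-layer hex column of the first frame in the post.
# tcpdump prints the 14-byte Ethernet header on the summary line, so 0x0000 is
# the IP header. The poster's redacted "XXXX" is replaced by 0000 to parse.
SAMPLE_HEX = (
    "4500 0028 13ec 4000 f106 68b7 cdc7 c105 "
    "0000 fad5 8c3a 0071 dabb 5b81 0000 0000 "
    "5004 2238 bd93 0000 5243 5054 2054"
)

ETHER_HDR_LEN = 14    # destination MAC, source MAC, EtherType
ETHER_MIN_FRAME = 60  # minimum frame length on the wire, excluding the FCS


def parse_hex_column(text):
    """Turn tcpdump's space-separated hex groups into bytes."""
    return bytes.fromhex("".join(text.split()))


def split_trailer(ip_bytes):
    """Return (ip_total_length, trailer): the trailer is every captured byte
    past the IP total length, i.e. the padding a short packet needed to reach
    the Ethernet minimum. It should be zeros; anything else is stale content
    from a reused transmit buffer on the sending host."""
    if len(ip_bytes) < 20 or ip_bytes[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    total_length = struct.unpack("!H", ip_bytes[2:4])[0]
    if total_length > len(ip_bytes):
        raise ValueError("truncated capture: IP length exceeds captured bytes")
    return total_length, ip_bytes[total_length:]


def trailer_report(ip_bytes):
    """Classify the trailer as 'none', 'zero-pad' or 'leak' and render it."""
    total_length, trailer = split_trailer(ip_bytes)
    kind = "none" if not trailer else ("zero-pad" if not any(trailer) else "leak")
    return {
        "ip_len": total_length,
        "frame_len": ETHER_HDR_LEN + len(ip_bytes),
        "trailer_len": len(trailer),
        # padding a sender must add to reach the 60-byte minimum frame
        "expected_pad": max(0, ETHER_MIN_FRAME - ETHER_HDR_LEN - total_length),
        "kind": kind,
        # same rendering rule as tcpdump's ASCII column: non-graphic bytes as '.'
        "ascii": "".join(chr(b) if 33 <= b < 127 else "." for b in trailer),
    }
```

Run over a whole capture, a frame whose trailer is classified as "leak" and whose trailer_len equals expected_pad is exactly the pattern in the post: a minimum-size frame padded with non-zero bytes from the sending host.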

