
Thread: Packets

  1. #11
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    4 million packets in half an hour could be normal traffic. It all depends on the kind of connection you have and if you were actually using the Internet link (downloading, browsing, P2P etc.) while you were capturing.

    The best way of finding something fishy is to stop using the Internet uplink (cutting out your "regular" traffic) and then turn on your sniffer. If you see any traffic then you can start to analyze your capture. That way you don't have to wade through loads of normal traffic to find the packets that are the hostile ones.
    Oliver's Law:
    Experience is something you don't get until just after you need it.
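
Added example, not part of any post in this thread: one way to triage a capture taken with the uplink idle, as suggested in post #11. It reads `tcpdump -nn -t` style text, drops the LAN, broadcast and multicast chatter expected on a quiet link, and counts what is left per remote peer. The sample lines, all addresses and the 192.168.1.0/24 local subnet are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: `tcpdump -nn -t` style lines from an idle-link capture.
SAMPLE = """\
IP 192.168.1.10.68 > 255.255.255.255.67: BOOTP/DHCP, Request, length 300
IP 192.168.1.1.67 > 192.168.1.10.68: BOOTP/DHCP, Reply, length 300
ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 28
IP 192.168.1.10.5353 > 224.0.0.251.5353: 0 PTR (QM)? _ipp._tcp.local. (32)
IP 203.0.113.77.4431 > 192.168.1.10.1025: Flags [.], ack 1, win 512, length 0
IP 192.168.1.10.1025 > 203.0.113.77.4431: Flags [R], seq 1, win 0, length 0
IP 203.0.113.77.4431 > 192.168.1.10.1025: Flags [.], ack 1, win 512, length 0
IP 192.168.1.10.49152 > 198.51.100.9.443: Flags [P.], seq 1:90, ack 1, win 501, length 89
"""

LINE = re.compile(r"^IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): ")
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed local subnet

def is_background(src, dst):
    """LAN-only, broadcast and multicast chatter expected on an idle link."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if d.is_multicast or dst == "255.255.255.255":
        return True
    return s in LAN and d in LAN

def triage(text):
    """Count leftover packets per (remote peer, remote port, direction)."""
    leftover = Counter()
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:  # lines without address.port pairs (ARP, ICMP) are not counted here
            continue
        src, sport, dst, dport = m.groups()
        if is_background(src, dst):
            continue
        inbound = ipaddress.ip_address(dst) in LAN
        peer, port = (src, sport) if inbound else (dst, dport)
        leftover[(peer, int(port), "in" if inbound else "out")] += 1
    return leftover.most_common()  # busiest conversations first

if __name__ == "__main__":
    for (peer, port, direction), n in triage(SAMPLE):
        print(f"{n:3d} pkts  {direction:3s}  {peer}:{port}")
```

Whatever remains in the output is the short list worth opening in the sniffer; on a truly idle link it should be empty or nearly so.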

  2. #12
    Senior Member
    Join Date
    Apr 2003
    Posts
    147
    What is your definition of fully blocked?

    What packet filter are you using... you mean a firewall of some sort, right?

    You say there's no activity, but there obviously is activity...

    Where is 'there'? (the place he keeps the packets in)

    I guarantee he cannot manipulate the size of a byte. Bytes are always the same size on the inet.

    What do you mean by trigger it?

    I do not see your attachment.

    If the source and destination IP are not 127.0.0.1, I really don't think the word 'loopback' has anything to do with it. Unless something stupid is using the loopback interface anyways, which I really doubt.

    TTL would have very little to do with anything.... At best it could be a misconfiguration in your border router to let packets in with a certain TTL. Even then, all your system would do would be to send an 'expired in transit' error. Not very lethal, if you get my point... you probably don't, do you?

    bootp???? You don't have a bootp server on your network or something, do you? Nothing else on your network thinks your box is a bootp server, do they? Is the bootp port showing up in your logs and you're frickin out?



    =====----------==========------------========

    We really do need more information. I don't see any attachment of a capture. You may want to filter for the ones you're worried about, as has been suggested. I, for one, have no desire to look at 4 million or whatever packets. At this point, I, along with others, don't think there's anything malicious going on. But we need to see a good capture and we could tell you in just a few minutes. Did you remove the capture? 'Cause I really just don't see it.

    - good day

    Jon.

  3. #13
    @ÞΜĮЙǐЅŦГǻţΩЯ D0pp139an93r
    Join Date
    May 2003
    Location
    St. Petersburg, FL
    Posts
    1,705
    The attachment was one captured ACK packet.
    Real security doesn't come with an installer.

  4. #14
    Senior Member
    Join Date
    Apr 2003
    Posts
    147
    Haha, ooh, scary... 'course I didn't see it, so I shouldn't say anything.
