February 17th, 2003, 06:00 PM
#6
Originally posted here by obake_hakkaa
A good analysis TS
Thanks
True, which is the reason it can't be an "internet" scan since no replies from the target will get back to the sender (if they even reach the target in the first place).
I disagree. Under certain circumstances an attacker could have got a sniffer that FTPs logs out of the network onto the public network. Knowing the internal IP of that machine would allow the attacker to test ACLs on routers and firewalls without getting a direct reply.... He just sits back and waits for the logs to be sent to him.
The MAC address will always be the next upstream network device.
That's why I love this place..... I have never been aware of that.... In all my digging and reading it either never came up or the significance never reached into the depths of my brain..... Thank you.....
Have you ever looked at the TTLs of those packets? I would be interested in any other facts you have about them
I have..... there is nothing outstanding about them, the sources appear to vary if the TTLs are not crafted.... I don't worry because I'm not using the 10.x.x.x private subnet inside...<S>
Anyway, I agree with you that because of the sequential sequence of the dest. port numbers
That series is typical of Half-Life/Counterstrike..... I play rather more Counterstrike than I should probably admit to....<s>
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides