Several people requested raw sniffer data. When I installed a
sniffer as close to the target as possible and started capturing
everything, instead of just the first 256 bytes of data, the
sniffer started logging about 2 megabytes per minute.
Sometimes very interesting stuff shows up. See corresponding
CERT advisories about sniffer attacks.
To those who already asked me for sniffer code or how to set up
sniffers: I am a righteous dawg appointed by Gwad and the Church
of the Dead Meow to sniff and learn. Gwad didn't tell me to
teach young crimmo's so I simply delete your mail.
Others: Please don't tell me these guys are trying to just send
mail. They just happened to be hitting port 25 at that time.
- - - - - - - - - - - - - Frame 1454 - - - - - - - - - - - - - -
SUMMARY Delta T NW Util Destination Source
1454 0.2823 0.13% 3Com 7468BE Cisco 0A4C91
DLC Ethertype=0800, size=60 bytes
IP D=[xxx.xxx.xxx.xxx] S=[203.241.159.180] LEN=24 ID=62335
TCP D=4126 S=25 SYN ACK=2872491522 SEQ=935105536 LEN=0 WIN=9216
DLC: ----- DLC Header -----
DLC: Frame 1454 arrived at 10:39:40.8363; frame size is 60
(003C hex) bytes.
DLC: Destination = Station 3Com 7468BE
DLC: Source = Station Cisco 0A4C91
DLC: Ethertype = 0800 (IP)
IP: ----- IP Header -----
IP: Version = 4, header length = 20 bytes
IP: Type of service = 00
IP: 000. .... = routine
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: Total length = 44 bytes
IP: Identification = 62335
IP: Flags = 4X
IP: .1.. .... = don't fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 237 seconds/hops
IP: Protocol = 6 (TCP)
IP: Header checksum = D104 (correct)
IP: Source address = [203.241.159.180], Unknown_d00d
IP: Destination address = [xxx.xxx.xxx.xxx], Clueless
IP: No options
TCP: ----- TCP header -----
TCP: Source port = 25 (SMTP)
TCP: Destination port = 4126
TCP: Initial sequence number = 935105536
TCP: Acknowledgment number = 2872491522
TCP: Data offset = 24 bytes
TCP: Flags = 12
TCP: ..0. .... = (No urgent pointer)
TCP: ...1 .... = Acknowledgment
TCP: .... 0... = (No push)
TCP: .... .0.. = (No reset)
TCP: .... ..1. = SYN
TCP: .... ...0 = (No FIN)
TCP: Window = 9216
TCP: Checksum = 6956 (correct)
TCP: Options follow
TCP: Maximum segment size = 512
- - - - - - - - - - - - - Frame 1455 - - - - - - - - - - - - - -
SUMMARY Delta T NW Util Destination Source
1455 0.0004 0.13% Cisco 0A4C91 3Com 7468BE
DLC Ethertype=0800, size=60 bytes
IP D=[203.241.159.180] S=[xxx.xxx.xxx.xxx] LEN=20 ID=4051
TCP D=25 S=4126 RST WIN=0
DLC: ----- DLC Header -----
DLC: Frame 1455 arrived at 10:39:40.8368; frame size is 60
(003C hex) bytes.
DLC: Destination = Station Cisco 0A4C91
DLC: Source = Station 3Com 7468BE
DLC: Ethertype = 0800 (IP)
IP: ----- IP Header -----
IP: Version = 4, header length = 20 bytes
IP: Type of service = 00
IP: 000. .... = routine
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: Total length = 40 bytes
IP: Identification = 4051
IP: Flags = 0X
IP: .0.. .... = may fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 60 seconds/hops
IP: Protocol = 6 (TCP)
IP: Header checksum = A5B6 (correct)
IP: Source address = [xxx.xxx.xxx.xxx], Clueless
IP: Destination address = [203.241.159.180], Unknown_d00d
IP: No options
TCP: ----- TCP header -----
TCP: Source port = 4126
TCP: Destination port = 25 (SMTP)
TCP: Sequence number = 2872491522
TCP: Data offset = 20 bytes
TCP: Flags = 04
TCP: ..0. .... = (No urgent pointer)
TCP: ...0 .... = (No acknowledgment)
TCP: .... 0... = (No push)
TCP: .... .1.. = Reset
TCP: .... ..0. = (No SYN)
TCP: .... ...0 = (No FIN)
TCP: Window = 0
TCP: Checksum = 6D29 (correct)
TCP: No TCP options
- - - - - - - - - - - - - Frame 1493 - - - - - - - - - - - - - -
SUMMARY Delta T NW Util Destination Source
1493 0.2622 0.13% 3Com 7468BE Cisco 0A4C91
DLC Ethertype=0800, size=60 bytes
IP D=[xxx.xxx.xxx.xxx] S=[203.241.159.180] LEN=24 ID=62336
TCP D=4126 S=25 SYN ACK=2872491522 SEQ=935809536 LEN=0 WIN=9216
DLC: ----- DLC Header -----
DLC: Frame 1493 arrived at 10:39:46.3716; frame size is 60
(003C hex) bytes.
DLC: Destination = Station 3Com 7468BE
DLC: Source = Station Cisco 0A4C91
DLC: Ethertype = 0800 (IP)
IP: ----- IP Header -----
IP: Version = 4, header length = 20 bytes
IP: Type of service = 00
IP: 000. .... = routine
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: Total length = 44 bytes
IP: Identification = 62336
IP: Flags = 4X
IP: .1.. .... = don't fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 237 seconds/hops
IP: Protocol = 6 (TCP)
IP: Header checksum = D103 (correct)
IP: Source address = [203.241.159.180], Unknown_d00d
IP: Destination address = [xxx.xxx.xxx.xxx], Clueless
IP: No options
TCP: ----- TCP header -----
TCP: Source port = 25 (SMTP)
TCP: Destination port = 4126
TCP: Initial sequence number = 935809536
TCP: Acknowledgment number = 2872491522
TCP: Data offset = 24 bytes
TCP: Flags = 12
TCP: ..0. .... = (No urgent pointer)
TCP: ...1 .... = Acknowledgment
TCP: .... 0... = (No push)
TCP: .... .0.. = (No reset)
TCP: .... ..1. = SYN
TCP: .... ...0 = (No FIN)
TCP: Window = 9216
TCP: Checksum = AB4B (correct)
TCP: Options follow
TCP: Maximum segment size = 512
- - - - - - - - - - - - - Frame 1494 - - - - - - - - - - - - - -
SUMMARY Delta T NW Util Destination Source
1494 0.0004 0.13% Cisco 0A4C91 3Com 7468BE
DLC Ethertype=0800, size=60 bytes
IP D=[203.241.159.180] S=[xxx.xxx.xxx.xxx] LEN=20 ID=4072
TCP D=25 S=4126 RST WIN=0
DLC: ----- DLC Header -----
DLC: Frame 1494 arrived at 10:39:46.3720; frame size is 60
(003C hex) bytes.
DLC: Destination = Station Cisco 0A4C91
DLC: Source = Station 3Com 7468BE
DLC: Ethertype = 0800 (IP)
IP: ----- IP Header -----
IP: Version = 4, header length = 20 bytes
IP: Type of service = 00
IP: 000. .... = routine
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: Total length = 40 bytes
IP: Identification = 4072
IP: Flags = 0X
IP: .0.. .... = may fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 60 seconds/hops
IP: Protocol = 6 (TCP)
IP: Header checksum = A5A1 (correct)
IP: Source address = [xxx.xxx.xxx.xxx], Clueless
IP: Destination address = [203.241.159.180], Unknown_d00d
IP: No options
TCP: ----- TCP header -----
TCP: Source port = 4126
TCP: Destination port = 25 (SMTP)
TCP: Sequence number = 2872491522
TCP: Data offset = 20 bytes
TCP: Flags = 04
TCP: ..0. .... = (No urgent pointer)
TCP: ...0 .... = (No acknowledgment)
TCP: .... 0... = (No push)
TCP: .... .1.. = Reset
TCP: .... ..0. = (No SYN)
TCP: .... ...0 = (No FIN)
TCP: Window = 0
TCP: Checksum = 6D29 (correct)
TCP: No TCP options
- - - - - - - - - - - - - Frame 1517 - - - - - - - - - - - - - -
SUMMARY Delta T NW Util Destination Source
1517 0.0421 0.24% 3Com 7468BE Cisco 0A4C91
DLC Ethertype=0800, size=60 bytes
IP D=[xxx.xxx.xxx.xxx] S=[203.241.159.180] LEN=24 ID=62337
TCP D=4126 S=25 SYN ACK=2872491522 SEQ=939073536 LEN=0 WIN=9216
DLC: ----- DLC Header -----
DLC: Frame 1517 arrived at 10:40:10.3717; frame size is 60
(003C hex) bytes.
DLC: Destination = Station 3Com 7468BE
DLC: Source = Station Cisco 0A4C91
DLC: Ethertype = 0800 (IP)
IP: ----- IP Header -----
IP: Version = 4, header length = 20 bytes
IP: Type of service = 00
IP: 000. .... = routine
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: Total length = 44 bytes
IP: Identification = 62337
IP: Flags = 4X
IP: .1.. .... = don't fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 237 seconds/hops
IP: Protocol = 6 (TCP)
IP: Header checksum = D102 (correct)
IP: Source address = [203.241.159.180], Unknown_d00d
IP: Destination address = [xxx.xxx.xxx.xxx], Clueless
IP: No options
TCP: ----- TCP header -----
TCP: Source port = 25 (SMTP)
TCP: Destination port = 4126
TCP: Initial sequence number = 939073536
TCP: Acknowledgment number = 2872491522
TCP: Data offset = 24 bytes
TCP: Flags = 12
TCP: ..0. .... = (No urgent pointer)
TCP: ...1 .... = Acknowledgment
TCP: .... 0... = (No push)
TCP: .... .0.. = (No reset)
TCP: .... ..1. = SYN
TCP: .... ...0 = (No FIN)
TCP: Window = 9216
TCP: Checksum = DD19 (correct)
TCP:
TCP: Options follow
TCP: Maximum segment size = 512
TCP:
- - - - - - - - - - - - - Frame 1518 - - - - - - - - - - - - - -
SUMMARY Delta T NW Util Destination Source
1518 0.0004 0.24% Cisco 0A4C91 3Com 7468BE
DLC Ethertype=0800, size=60 bytes
IP D=[203.241.159.180] S=[xxx.xxx.xxx.xxx] LEN=20 ID=4102
TCP D=25 S=4126 RST WIN=0
DLC: ----- DLC Header -----
DLC: Frame 1518 arrived at 10:40:10.3721; frame size is 60
(003C hex) bytes.
DLC: Destination = Station Cisco 0A4C91
DLC: Source = Station 3Com 7468BE
DLC: Ethertype = 0800 (IP)
IP: ----- IP Header -----
IP: Version = 4, header length = 20 bytes
IP: Type of service = 00
IP: 000. .... = routine
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: Total length = 40 bytes
IP: Identification = 4102
IP: Flags = 0X
IP: .0.. .... = may fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 60 seconds/hops
IP: Protocol = 6 (TCP)
IP: Header checksum = A583 (correct)
IP: Source address = [xxx.xxx.xxx.xxx], Clueless
IP: Destination address = [203.241.159.180], Unknown_d00d
IP: No options
TCP: ----- TCP header -----
TCP: Source port = 4126
TCP: Destination port = 25 (SMTP)
TCP: Sequence number = 2872491522
TCP: Data offset = 20 bytes
TCP: Flags = 04
TCP: ..0. .... = (No urgent pointer)
TCP: ...0 .... = (No acknowledgment)
TCP: .... 0... = (No push)
TCP: .... .1.. = Reset
TCP: .... ..0. = (No SYN)
TCP: .... ...0 = (No FIN)
TCP: Window = 0
TCP: Checksum = 6D29 (correct)
TCP: No TCP options
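The six frames above are the same exchange three times over: a SYN/ACK from 203.241.159.180 port 25 arrives at the sniffed host, which answers with a RST because it never sent the SYN being acknowledged. A retransmitted SYN/ACK would repeat its sequence number; these three carry three different ISNs (935105536, 935809536, 939073536) and the same acknowledgment number (2872491522), which is what you see when the remote host has received three separate SYNs bearing the local address and the same sequence number. The following is an added example, not code from the original post, of the checks a practitioner would run over such a trace: flag SYN/ACKs for which no outbound SYN was seen, confirm the local host answered each with a RST, and measure how fast the remote host's ISN advances between them. It parses the arrival-time, IP and TCP summary lines transcribed from the frames above (embedded as sample input); LOCAL stands for the redacted xxx.xxx.xxx.xxx, and the parser is written for the summary-line layout shown here, not as a general Sniffer-file reader.

```python
"""Spot unsolicited SYN/ACKs and sample the remote host's ISN growth."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

LOCAL = "xxx.xxx.xxx.xxx"   # the sniffed host ("Clueless" in the decode), address redacted

# Sample input: summary lines transcribed from frames 1454-1518 above.
TRACE = """\
Frame 1454 arrived at 10:39:40.8363
IP D=[xxx.xxx.xxx.xxx] S=[203.241.159.180] LEN=24 ID=62335
TCP D=4126 S=25 SYN ACK=2872491522 SEQ=935105536 LEN=0 WIN=9216
Frame 1455 arrived at 10:39:40.8368
IP D=[203.241.159.180] S=[xxx.xxx.xxx.xxx] LEN=20 ID=4051
TCP D=25 S=4126 RST WIN=0
Frame 1493 arrived at 10:39:46.3716
IP D=[xxx.xxx.xxx.xxx] S=[203.241.159.180] LEN=24 ID=62336
TCP D=4126 S=25 SYN ACK=2872491522 SEQ=935809536 LEN=0 WIN=9216
Frame 1494 arrived at 10:39:46.3720
IP D=[203.241.159.180] S=[xxx.xxx.xxx.xxx] LEN=20 ID=4072
TCP D=25 S=4126 RST WIN=0
Frame 1517 arrived at 10:40:10.3717
IP D=[xxx.xxx.xxx.xxx] S=[203.241.159.180] LEN=24 ID=62337
TCP D=4126 S=25 SYN ACK=2872491522 SEQ=939073536 LEN=0 WIN=9216
Frame 1518 arrived at 10:40:10.3721
IP D=[203.241.159.180] S=[xxx.xxx.xxx.xxx] LEN=20 ID=4102
TCP D=25 S=4126 RST WIN=0
"""

FRAME_RE = re.compile(r"Frame (\d+) arrived at (\d+):(\d+):(\d+\.\d+)")
IP_RE = re.compile(r"IP D=\[([^\]]+)\] S=\[([^\]]+)\]")
TCP_RE = re.compile(r"TCP D=(\d+) S=(\d+)(.*)")


@dataclass
class Segment:
    frame: int
    t: float            # arrival time as seconds since midnight
    src: str
    dst: str
    sport: int
    dport: int
    flags: Set[str]
    seq: Optional[int]
    ack: Optional[int]


def parse_trace(text: str) -> List[Segment]:
    """Turn the three-line summaries (Frame / IP / TCP) into Segment records."""
    segs, cur = [], {}
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            h, mi, s = int(m.group(2)), int(m.group(3)), float(m.group(4))
            cur = {"frame": int(m.group(1)), "t": h * 3600 + mi * 60 + s}
            continue
        m = IP_RE.match(line)
        if m:
            cur["dst"], cur["src"] = m.group(1), m.group(2)   # Sniffer prints D= before S=
            continue
        m = TCP_RE.match(line)
        if m:
            rest = m.group(3)
            flags = set(re.findall(r"\b(SYN|ACK|RST|FIN|PSH|URG)\b", rest))
            seq = re.search(r"SEQ=(\d+)", rest)
            ack = re.search(r"ACK=(\d+)", rest)
            segs.append(Segment(cur["frame"], cur["t"], cur["src"], cur["dst"],
                                int(m.group(2)), int(m.group(1)), flags,
                                int(seq.group(1)) if seq else None,
                                int(ack.group(1)) if ack else None))
    return segs


def unsolicited_synacks(segs: List[Segment], local: str) -> List[Segment]:
    """SYN/ACKs delivered to `local` for which no SYN left `local` earlier in the trace."""
    sent_syn, hits = set(), []
    for s in segs:
        if s.src == local and "SYN" in s.flags and "ACK" not in s.flags:
            sent_syn.add((s.sport, s.dst, s.dport))
        elif s.dst == local and {"SYN", "ACK"} <= s.flags:
            if (s.dport, s.src, s.sport) not in sent_syn:
                hits.append(s)
    return hits


def answered_with_rst(segs: List[Segment], synack: Segment) -> bool:
    """True if the local host replied to this SYN/ACK with a RST on the same 4-tuple."""
    return any(r.src == synack.dst and r.dst == synack.src
               and r.sport == synack.dport and r.dport == synack.sport
               and "RST" in r.flags and r.t >= synack.t
               for r in segs)


def same_ack_numbers(hits: List[Segment]) -> bool:
    """All SYN/ACKs acknowledge the same number, i.e. the same SYN seq was used each time."""
    return len({h.ack for h in hits}) == 1


def isn_rates(hits: List[Segment]):
    """(frame_a, frame_b, seq_delta, seconds, delta_per_second) for consecutive SYN/ACKs."""
    out = []
    for a, b in zip(hits, hits[1:]):
        dt = b.t - a.t
        if a.src != b.src or dt <= 0:
            continue
        dseq = (b.seq - a.seq) % 2 ** 32        # tolerate sequence-space wrap
        out.append((a.frame, b.frame, dseq, round(dt, 4), round(dseq / dt)))
    return out


if __name__ == "__main__":
    segs = parse_trace(TRACE)
    hits = unsolicited_synacks(segs, LOCAL)
    for h in hits:
        print(f"frame {h.frame}: unsolicited SYN/ACK from {h.src}:{h.sport}, "
              f"RST sent: {answered_with_rst(segs, h)}")
    print("same ACK number in every SYN/ACK:", same_ack_numbers(hits))
    for fa, fb, dseq, dt, rate in isn_rates(hits):
        print(f"frames {fa}->{fb}: ISN +{dseq} in {dt}s (~{rate}/s)")
```

Run against the trace above, the ISN grows by 704000 in about 5.5 s and by 3264000 in about 24 s, roughly 127000 to 136000 per second, and both increments are multiples of 64000. BSD-derived stacks of that period advanced the ISN by fixed constants per second and per connection, so growth this regular means the remote host's next ISN can be estimated from a few samples, which is the ingredient a sequence-number prediction attack needs. The trace alone does not say who sent the SYNs that produced these SYN/ACKs; it is consistent with someone sending SYNs to 203.241.159.180:25 with the sniffed host's address as the source, and the RSTs the local host returns are the correct TCP response to a SYN/ACK for a connection it has no record of.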