RE: [Snort-users] a lot of Loopback traffic being logged.

From: Milan Kocián (milonwq.cz)
Date: Sun Apr 25 2004 - 13:24:14 CDT


On Fri, 2004-04-23 at 19:23, Chuck Holley wrote:
> Did you sniff for 127.0.0.1 packets? I'm using tcpdump and I sniffed for a
> while with this command: tcpdump src 127.0.0.1 -s 1518 -i eth0 -w dump
>
> I'm assuming I'm doing this right. I'm trying to log only packets from
> 127.0.0.1 and log the whole Ethernet packet 1518 on interface eth0 and write
> to a file called dump.
>
> Now, I did this and got two loggings in tcpdump:
>
> 13:04:11.172652 IP hal2.http > 192.168.42.50.1361: R 0:0(0) ack 799408129 win 0
> 13:04:54.391786 IP hal2.http > 192.168.42.52.1196: R 0:0(0) ack 1316880385 win 0
>
> hal2 is the server that has tcpdump on it. Is this machine one of the boxes
> that is sending out the 127.0.0.1, or did I simply pick up two packets sent
> out from hal2 to these other machines?
>
> I looked at snort and the exact same IPs, with the exact same ports, were
> logged coming from 127.0.0.1
>
> To say the least I'm confused even more!!
>
>

Hi,
 I see it on my external interface too. I used tcpdump with the -e parameter
to display the MAC address of the sender.

tcpdump -e -i eth1 src host 127.0.0.1

I find that the MAC address of the loopback packets is my ISP's Cisco switch.

So all the packets come from the external network (I think). I am connected over
a Wi-Fi AP, and when I sniffed, I saw these packets coming to
most of the people connected to this AP.

I don't know what it can be.

Regards,

Milan Kocian
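
Added example (not part of the original message): the check that `tcpdump -e ... src host 127.0.0.1` supports by eye, run over a capture file instead, tallying frames with a 127.0.0.0/8 source by Ethernet source MAC. The pcap bytes, MAC addresses and function names are constructed for illustration; only classic little-endian pcap with untagged Ethernet is handled.

```python
import struct
from collections import Counter

def build_pcap(frames):
    """Build a classic little-endian pcap (linktype 1 = Ethernet) from raw frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def eth_ipv4(src_mac, src_ip, dst_ip):
    """Constructed Ethernet header plus a bare 20-byte IPv4 header (checksum left 0)."""
    eth = bytes.fromhex("020000000001") + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return eth + ip

def loopback_sources_by_mac(pcap):
    """Count frames whose IPv4 source is in 127.0.0.0/8, keyed by Ethernet source MAC."""
    if len(pcap) < 24 or struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("only classic little-endian pcap is handled here")
    if struct.unpack_from("<I", pcap, 20)[0] != 1:
        raise ValueError("link type is not Ethernet")
    counts, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl_len, = struct.unpack_from("<I", pcap, off + 8)
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # truncated frame, or not IPv4 (VLAN tags are not handled)
        if frame[26] == 127:  # first octet of the IPv4 source address
            counts[frame[6:12].hex(":")] += 1
    return counts

# Constructed sample: two loopback-sourced frames from one upstream MAC,
# plus one ordinary frame from a different MAC that must not be counted.
SAMPLE = build_pcap([
    eth_ipv4("00:11:22:33:44:55", "127.0.0.1", "192.168.42.50"),
    eth_ipv4("00:11:22:33:44:55", "127.0.0.1", "192.168.42.52"),
    eth_ipv4("66:77:88:99:aa:bb", "192.168.42.1", "192.168.42.50"),
])

if __name__ == "__main__":
    for mac, n in loopback_sources_by_mac(SAMPLE).items():
        print(f"{mac}  {n} frame(s) with 127/8 source")
```

A single MAC accounting for all such frames on an external interface means they were forwarded by that one neighbouring device rather than generated locally.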
