Mystery Packets, Protocol 139

Published: 2007-11-20. Last Updated: 2007-11-20 17:57:27 UTC
by Johannes Ullrich (Version: 2)

Quick update: The source MAC address is the MAC address of the Windows XP system running in VMWare Fusion 1.1 (updated yesterday). The destination MAC address is the broadcast address (all FF). One reader (Mike) suggested that this is part of wireless access points trying to find each other. There are three wireless access points that are part of this WDS, but given the MAC address, I don't think this is related.

I am just on vacation at my parents' place, and while doing some network maintenance, I came across these two mystery packets:

17:07:17.405771 IP 192.168.178.255 > 255.255.255.255:  ip-proto-139 30
	0x0000:  4500 0032 0003 0000 ff8b 8c57 c0a8 b2ff  E..2.......W....
	0x0010:  ffff ffff 0100 0200 0000 0000 0000 0000  ................
	0x0020:  0000 a2c0 d297 bcc3 6c40 1ad5 d0bf 382a  ........l@....8*
	0x0030:  ab63                                     .c
17:07:17.406835 IP 192.168.178.255 > 255.255.255.255:  ip-proto-139 30
	0x0000:  4500 0032 0001 0000 ff8b 8c57 c0a8 b2ff  E..2.......W....
	0x0010:  ffff ffff 0100 0100 0000 0000 0000 0000  ................
	0x0020:  0000 1b3c 90a3 4ac1 50b7 930a b723 a181  ...<..J.P....#..
	0x0030:  431a                                     C.

A bit about the network: 3 PCs, 2 Macs running Leopard. Each Mac runs VMware with Windows XP. All the PCs run Windows XP. There is a "FritzBox" DSL router. Part of the network is wireless. Other than that, there isn't that much special about the network. The hosts run firewalls which are pretty much open locally.

No idea so far why these packets show up. Kind of looks like they are corrupted NetBIOS packets (port 139 > protocol 139?). But why broadcast like this? Please let us know if you have any ideas.
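To check the corruption theory against the dump itself, here is an added example (not code from the diary) that rebuilds the raw bytes from the tcpdump hex lines above, decodes the IPv4 header and verifies the header checksum; the /24 netmask used to flag the source address is an assumption.

```python
import re
import struct
from ipaddress import IPv4Address

# Constructed sample: the first mystery packet as quoted in the diary (tcpdump hex lines).
SAMPLE_DUMP = """\
\t0x0000:  4500 0032 0003 0000 ff8b 8c57 c0a8 b2ff  E..2.......W....
\t0x0010:  ffff ffff 0100 0200 0000 0000 0000 0000  ................
\t0x0020:  0000 a2c0 d297 bcc3 6c40 1ad5 d0bf 382a  ........l@....8*
\t0x0030:  ab63                                     .c
"""

def hexdump_to_bytes(dump):
    # Rebuild raw bytes from the hex column; the ASCII column is lossy ('.' = non-printable).
    out = bytearray()
    for line in dump.splitlines():
        parts = re.split(r"\s{2,}", line.strip())  # offset | hex words | ascii
        if len(parts) >= 2 and parts[0].startswith("0x"):
            out += bytes.fromhex(parts[1].replace(" ", ""))
    return bytes(out)

def ip_checksum(header):
    # RFC 1071 one's-complement sum; 0 means the stored checksum verifies.
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4(pkt):
    # Decode the IPv4 header fields the diary is puzzling over.
    ver_ihl, _, total_len, _, _, ttl, proto, cksum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    hdr = pkt[:(ver_ihl & 0x0F) * 4]  # IHL is in 32-bit words
    return {
        "ttl": ttl, "protocol": proto,  # 8-bit protocol number, not a port
        "checksum": cksum, "checksum_ok": ip_checksum(hdr) == 0,
        "expected_checksum": ip_checksum(hdr[:10] + b"\0\0" + hdr[12:]),  # field zeroed
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
        "payload": pkt[len(hdr):total_len],
    }

def anomalies(info):
    # What a defender would flag; "ip-proto-139" is the protocol number, so NetBIOS on TCP port 139 cannot explain it.
    found = []
    if info["protocol"] not in (6, 17):
        found.append("protocol %d is neither TCP nor UDP" % info["protocol"])
    if not info["checksum_ok"]:
        found.append("bad header checksum 0x%04x (expected 0x%04x)" % (info["checksum"], info["expected_checksum"]))
    if info["src"].endswith(".255"):  # assumes a /24 subnet, e.g. 192.168.178.0/24
        found.append("source %s looks like a subnet broadcast" % info["src"])
    return found
```

Running `anomalies(parse_ipv4(hexdump_to_bytes(SAMPLE_DUMP)))` lists every reason the packet is suspect, including whether the header checksum in the dump actually verifies.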

-----
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
