[Intrusions] Odd Protocol Type Conversation
Jason Tant
ingress976 at gmail.com
Fri Dec 10 15:43:51 GMT 2004
Good day,
Recently, I began seeing the below flows between several machines on
one of my client's networks. Machine A (73:30:50) appears to be
attempting to request bootstrapping through Cisco switch B (09:AC:B0)
to a DHCP server C (51:50:0B). My questions are: If these are valid
requests, then why is the protocol type in frames 1 & 2 0xffff? Why is
there data in the last portion of both packets 1 & 2? And why does my
domain name appear in the end of the return packet (packet 2)?
0000 00 90 27 51 50 0b 00 50 73 09 ac b0 ff ff 00 00 ..'QP..P s.......
0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 70 ........ .......p
00d0 f0 b4 92 70 f0 b4 d0 f0 b0 b4 70 f0 f0 34 d8 f0 ...p.... ..p..4..
00e0 b0 b4 f0 f0 f0 94 f4 f0 70 30 e0 f0 f0 f0 f8 f0 ........ p0......
00f0 f4 30 f0 f0 d0 b0 f0 e0 f0 f0 d0 b0 d0 f0 f0 f0 .0...... ........
0100 f0 f4 f0 b0 90 fc f0 b0 f0 f4 70 f0 f0 b0 ........ ..p...
-------------------------------------------------------------------------------------------------------------
0000 00 50 73 09 ac b0 00 90 27 51 50 0b ff ff 00 00 .Ps..... 'QP.....
0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00b0 00 63 82 53 63 35 01 05 3a 04 00 00 a8 c0 3b 04 .c.Sc5.. :.....;.
00c0 00 01 27 50 33 04 00 01 51 80 36 04 c0 a8 0a 0a ..'P3... Q.6.....
00d0 01 04 ff ff ff 00 0f 10 XX XX XX XX XX XX XX XX ........ mydomain
00e0 XX XX XX XX XX XX XX 00 03 04 c0 a8 0a 01 2c 08 dot.com. ......,.
00f0 c0 a8 0a 0a c0 a8 0a 06 2e 01 08 06 10 c0 a8 0a ........ ........
0100 06 c0 a8 0a c0 8a b4 be 78 8a b4 be 79 ff ........ x...y.
-------------------------------------------------------------------------------------------------------------
0000 00 90 27 51 50 0b 00 50 73 09 ac b0 08 00 45 00 ..'QP..P s.....E.
0010 01 48 6a b3 00 00 ff 11 ba 87 c0 a8 0a 0f c0 a8 .Hj..... ........
0020 0a 0a 00 43 00 43 01 34 25 13 01 01 06 01 00 00 ...C.C.4 %.......
0030 07 e2 d8 2b 00 00 00 00 00 00 00 00 00 00 00 00 ...+.... ........
0040 00 00 c0 a8 0a 0f 00 60 fd 73 30 50 f0 f0 f0 e0 .......` .s0P....
0050 f0 d0 d0 f2 f0 b8 00 00 00 00 00 00 00 00 00 00 ........ ........
0060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0110 00 00 00 00 00 00 b0 fd d0 f0 fc f0 f8 7d b2 fc ........ .....}..
0120 f0 f2 f0 f0 f2 f8 f0 f8 f0 f8 f2 fc f4 fc f0 f0 ........ ........
0130 f8 7c f0 f0 f0 fc fc f6 f0 fc f0 f0 f8 f0 f0 f8 .|...... ........
0140 f0 b0 f0 f8 f8 f8 f0 b0 f0 f4 f5 f6 f8 f0 f0 f1 ........ ........
0150 f1 f2 f0 f0 f1 f4 ......
---------------------------------------------------------------------------------------------------------------
Any insight appreciated.
Jason
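An added example, not part of the post: a small Python decoder that reads hexdump lines in the format quoted above, dispatches on the Ethernet type field, decodes the IPv4/UDP/BOOTP headers of the third frame, and walks the DHCP option TLVs (RFC 2132) that follow the 63 82 53 63 magic cookie. The two embedded dumps are constructed from the post's frames 2 and 3: the all-zero lines are regenerated by a helper, and the fifteen domain-name bytes the poster redacted as XX are replaced with the placeholder example.invalid. Run on those inputs it reports that frame 3 is a BOOTREQUEST with hops=1 and giaddr 192.168.10.15 from chaddr 00:60:fd:73:30:50 whose vendor field does not begin with the magic cookie, and that frame 2 carries a type field (0xffff) no decoder can dispatch on, yet the bytes from offset 0xb1 onward parse as a complete DHCP ACK option list (server 192.168.10.10, lease 86400 s, option 15 domain name), which is why the domain string is visible at the end of it.

```python
import re
import struct
from ipaddress import IPv4Address

HEXLINE = re.compile(r"^\s*([0-9a-f]{4})((?: [0-9a-f]{2}){1,16})(?=\s|$)", re.I)
MAGIC = bytes.fromhex("63825363")  # DHCP magic cookie that opens the option field (RFC 2132)
MSG = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE", 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
# Option codes that appear in the post (RFC 2132): name and value kind.
OPTS = {1: ("subnet_mask", "ip"), 3: ("router", "ip"), 6: ("dns_servers", "ip"),
        15: ("domain_name", "str"), 44: ("netbios_name_servers", "ip"), 46: ("netbios_node_type", "u8"),
        51: ("lease_time", "u32"), 53: ("message_type", "msg"), 54: ("server_id", "ip"),
        58: ("renewal_time", "u32"), 59: ("rebinding_time", "u32")}

def parse_hexdump(text):
    """'offset  16 hex bytes  ascii' lines (the post's format) -> bytes. The ASCII column is
    ignored; offsets must be contiguous so a line lost in copy/paste is detected."""
    out = bytearray()
    for m in filter(None, map(HEXLINE.match, text.splitlines())):
        if int(m.group(1), 16) != len(out):
            raise ValueError(f"dump not contiguous at offset {m.group(1)}")
        out += bytes.fromhex(m.group(2))
    return bytes(out)

def zero_lines(start, stop):
    """Regenerate the all-zero dump lines elided from the constructed samples below."""
    return "\n".join(f"{off:04x} " + " ".join(["00"] * 16) for off in range(start, stop, 16))

# Constructed from frame 2 of the post (the 0xffff reply); the 15 domain-name bytes the
# poster redacted as XX are replaced by the placeholder "example.invalid".
FRAME2_DUMP = "\n".join([
    "0000 00 50 73 09 ac b0 00 90 27 51 50 0b ff ff 00 00 .Ps..... 'QP.....",
    zero_lines(0x10, 0xb0),
    "00b0 00 63 82 53 63 35 01 05 3a 04 00 00 a8 c0 3b 04 .c.Sc5.. :.....;.",
    "00c0 00 01 27 50 33 04 00 01 51 80 36 04 c0 a8 0a 0a ..'P3... Q.6.....",
    "00d0 01 04 ff ff ff 00 0f 10 65 78 61 6d 70 6c 65 2e ........ example.",
    "00e0 69 6e 76 61 6c 69 64 00 03 04 c0 a8 0a 01 2c 08 invalid. ......,.",
    "00f0 c0 a8 0a 0a c0 a8 0a 06 2e 01 08 06 10 c0 a8 0a ........ ........",
    "0100 06 c0 a8 0a c0 8a b4 be 78 8a b4 be 79 ff ........ x...y.",
])
# Constructed from frame 3 of the post (the IPv4 one); all-zero lines regenerated.
FRAME3_DUMP = "\n".join([
    "0000 00 90 27 51 50 0b 00 50 73 09 ac b0 08 00 45 00 ..'QP..P s.....E.",
    "0010 01 48 6a b3 00 00 ff 11 ba 87 c0 a8 0a 0f c0 a8 .Hj..... ........",
    "0020 0a 0a 00 43 00 43 01 34 25 13 01 01 06 01 00 00 ...C.C.4 %.......",
    "0030 07 e2 d8 2b 00 00 00 00 00 00 00 00 00 00 00 00 ...+.... ........",
    "0040 00 00 c0 a8 0a 0f 00 60 fd 73 30 50 f0 f0 f0 e0 .......` .s0P....",
    "0050 f0 d0 d0 f2 f0 b8 00 00 00 00 00 00 00 00 00 00 ........ ........",
    zero_lines(0x60, 0x110),
    "0110 00 00 00 00 00 00 b0 fd d0 f0 fc f0 f8 7d b2 fc ........ .....}..",
    "0120 f0 f2 f0 f0 f2 f8 f0 f8 f0 f8 f2 fc f4 fc f0 f0 ........ ........",
    "0130 f8 7c f0 f0 f0 fc fc f6 f0 fc f0 f0 f8 f0 f0 f8 .|...... ........",
    "0140 f0 b0 f0 f8 f8 f8 f0 b0 f0 f4 f5 f6 f8 f0 f0 f1 ........ ........",
    "0150 f1 f2 f0 f0 f1 f4 ......",
])

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def ip4(b):
    return str(IPv4Address(bytes(b)))

DECODE = {"ip": lambda v: [ip4(v[j:j + 4]) for j in range(0, len(v), 4)],
          "str": lambda v: v.rstrip(b"\0").decode("ascii", "replace"),
          "u8": lambda v: v[0], "u32": lambda v: struct.unpack("!I", v)[0],
          "msg": lambda v: MSG.get(v[0], v[0]), "raw": lambda v: v.hex()}

def decode_options(data):
    """Walk the option TLVs (code, length, value); 0 is a PAD with no length, 255 is END."""
    opts, i = {}, 0
    while i < len(data) and data[i] != 255:
        if data[i] == 0:
            i += 1
            continue
        if i + 1 >= len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError(f"option {data[i]} truncated at offset {i}")
        code, length = data[i], data[i + 1]
        name, kind = OPTS.get(code, (f"option_{code}", "raw"))
        value = DECODE[kind](data[i + 2:i + 2 + length])
        opts[name] = value[0] if kind == "ip" and len(value) == 1 else value  # single address -> str
        i += 2 + length
    return opts

def decode_bootp(p):
    """Fixed BOOTP header (RFC 951); the vendor field from byte 236 must open with the cookie."""
    op, _htype, hlen, hops, xid = struct.unpack("!BBBBI", p[:8])
    b = {"op": {1: "BOOTREQUEST", 2: "BOOTREPLY"}.get(op, op), "hops": hops, "xid": xid,
         "ciaddr": ip4(p[12:16]), "yiaddr": ip4(p[16:20]), "siaddr": ip4(p[20:24]),
         "giaddr": ip4(p[24:28]), "chaddr": mac(p[28:28 + hlen])}
    vend = p[236:]
    b["magic_cookie_ok"] = vend.startswith(MAGIC)
    b["options"] = decode_options(vend[4:]) if b["magic_cookie_ok"] else None
    return b

def decode_frame(frame):
    """Ethernet -> IPv4 -> UDP -> BOOTP for type 0x0800; any other type (0xffff included)
    dispatches nowhere, so the payload is treated as opaque and only scanned for the cookie."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    info, p = {"dst": mac(dst), "src": mac(src), "ethertype": etype}, frame[14:]
    if etype == 0x0800 and p[0] >> 4 == 4:
        ihl, total_len, proto = (p[0] & 0x0F) * 4, struct.unpack("!H", p[2:4])[0], p[9]
        info["ip"] = {"src": ip4(p[12:16]), "dst": ip4(p[16:20]), "proto": proto}
        if proto == 17:  # UDP
            sport, dport = struct.unpack("!HH", p[ihl:ihl + 4])
            info["udp"] = {"sport": sport, "dport": dport}
            if {sport, dport} & {67, 68}:  # BOOTP/DHCP server and client ports
                info["bootp"] = decode_bootp(p[ihl + 8:total_len])
    else:
        pos = p.find(MAGIC)
        if pos >= 0:
            info["cookie_offset"] = 14 + pos
            info["options"] = decode_options(p[pos + 4:])
    return info
```

Call `decode_frame(parse_hexdump(FRAME2_DUMP))` and `decode_frame(parse_hexdump(FRAME3_DUMP))` to see the two decodes side by side. The decoder deliberately refuses to interpret the 0xffff payload as any protocol: it only reports where a cookie happens to sit and what the TLVs after it say, which is the honest reading of a frame whose type field matches nothing. The contiguity check in `parse_hexdump` is there because dumps pasted into mail lose lines easily, and a silently shortened frame would shift every offset quoted in the question.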