[Dshield] I should recognize this, but...

Deb Hale haled at pionet.net
Wed Apr 28 13:55:31 GMT 2004


It looks like GNUTella.  I believe it is another of the file sharing
programs.

Deb

-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Josh Tolley
Sent: Tuesday, April 27, 2004 3:09 PM
To: General DShield Discussion List
Subject: [Dshield] I should recognize this, but...


I think I should probably recognize this traffic, but I don't. Anyone 
know what it is from? Snort says it's p2p traffic, and I'm willing to 
believe it, but I'm looking for specifics on the client, if it really is 
p2p. Google didn't turn up much for me... TIA

Generated by ACID v0.9.6b23 on Tue, 27 Apr 2004 13:00:30 -0700

------------------------------------------------------------------------------
#(5 - 12032) [2004-04-26 10:07:17] [snort/1432]  P2P GNUTella GET
IPv4: xxx.xxx.xxx.xxx -> 216.115.213.29
       hlen=5 TOS=0 dlen=204 ID=6189 flags=0 offset=0 TTL=128
TCP:  port=2699 -> dport: 8200  flags=***AP*** seq=846113190
       ack=1475707860 off=5 res=0 win=64512 urp=0 chksum=45838
Payload:  length = 164

000 : 47 45 54 20 2F 6A 65 64 69 3F 72 65 71 75 65 73   GET /jedi?reques
010 : 74 3D 61 67 65 6E 74 26 6A 65 64 69 3D 31 30 30   t=agent&jedi=100
020 : 26 63 6C 63 74 5F 6F 6B 3D 31 26 73 65 73 73 69   &clct_ok=1&sessi
030 : 6F 6E 3D 31 31 35 35 37 31 37 32 32 36 26 74 69   on=1155717226&ti
040 : 63 6B 65 74 3D 31 30 32 26 74 69 6D 65 73 74 61   cket=102&timesta
050 : 6D 70 3D 34 36 26 6E 6F 63 61 63 68 65 3D 31 30   mp=46&nocache=10
060 : 39 26 73 65 71 3D 30 26 74 74 6C 3D 30 26 61 67   9&seq=0&ttl=0&ag
070 : 65 6E 74 32 2E 73 74 61 74 65 3D 65 78 69 74 26   ent2.state=exit&
080 : 6D 61 73 74 65 72 2E 6D 61 69 6E 53 77 69 74 63   master.mainSwitc
090 : 68 3D 63 6C 6F 73 65 20 48 54 54 50 2F 31 2E 30   h=close HTTP/1.0
0a0 : 0D 0A 0D 0A                                       ....
------------------------------------------------------------------------------
#(5 - 12033) [2004-04-26 10:07:17] [snort/1432]  P2P GNUTella GET
IPv4: xxx.xxx.xxx.xxx -> 216.115.213.29
       hlen=5 TOS=0 dlen=163 ID=6194 flags=0 offset=0 TTL=128
TCP:  port=2700 -> dport: 8200  flags=***AP*** seq=846282988
       ack=683867581 off=5 res=0 win=64512 urp=0 chksum=64740
Payload:  length = 123

000 : 47 45 54 20 2F 6A 65 64 69 3F 72 65 71 75 65 73   GET /jedi?reques
010 : 74 3D 61 67 65 6E 74 26 6A 65 64 69 3D 31 30 30   t=agent&jedi=100
020 : 26 63 6C 63 74 5F 6F 6B 3D 31 26 73 65 73 73 69   &clct_ok=1&sessi
030 : 6F 6E 3D 31 31 35 35 37 31 37 32 32 36 26 74 69   on=1155717226&ti
040 : 63 6B 65 74 3D 31 30 32 26 74 69 6D 65 73 74 61   cket=102&timesta
050 : 6D 70 3D 34 39 26 6E 6F 63 61 63 68 65 3D 31 31   mp=49&nocache=11
060 : 30 26 73 65 71 3D 30 26 74 74 6C 3D 31 32 20 48   0&seq=0&ttl=12 H
070 : 54 54 50 2F 31 2E 30 0D 0A 0D 0A                  TTP/1.0....
------------------------------------------------------------------------------
#(5 - 12030) [2004-04-26 10:07:16] [snort/1432]  P2P GNUTella GET
IPv4: xxx.xxx.xxx.xxx -> 216.115.213.29
       hlen=5 TOS=0 dlen=233 ID=6168 flags=0 offset=0 TTL=128
TCP:  port=2697 -> dport: 8200  flags=***AP*** seq=845784452
       ack=611653591 off=5 res=0 win=64512 urp=0 chksum=53
Payload:  length = 193

000 : 47 45 54 20 2F 6A 65 64 69 3F 72 65 71 75 65 73   GET /jedi?reques
010 : 74 3D 61 67 65 6E 74 26 6A 65 64 69 3D 31 30 30   t=agent&jedi=100
020 : 26 63 6C 63 74 5F 6F 6B 3D 31 26 73 65 73 73 69   &clct_ok=1&sessi
030 : 6F 6E 3D 31 31 35 35 37 31 37 32 32 36 26 74 69   on=1155717226&ti
040 : 63 6B 65 74 3D 31 30 32 26 74 69 6D 65 73 74 61   cket=102&timesta
050 : 6D 70 3D 34 32 26 6E 6F 63 61 63 68 65 3D 31 30   mp=42&nocache=10
060 : 37 26 73 65 71 3D 30 26 74 74 6C 3D 30 26 61 67   7&seq=0&ttl=0&ag
070 : 65 6E 74 32 2E 65 78 69 74 43 61 75 73 65 3D 30   ent2.exitCause=0
080 : 26 6D 61 73 74 65 72 2E 63 6C 6F 73 65 4F 72 69   &master.closeOri
090 : 67 69 6E 3D 61 67 65 6E 74 32 26 6D 61 73 74 65   gin=agent2&maste
0a0 : 72 2E 6D 61 69 6E 53 77 69 74 63 68 3D 63 6C 6F   r.mainSwitch=clo
0b0 : 73 69 6E 67 20 48 54 54 50 2F 31 2E 30 0D 0A 0D   sing HTTP/1.0...
0c0 : 0A                                                .
------------------------------------------------------------------------------
#(5 - 12031) [2004-04-26 10:07:16] [snort/1432]  P2P GNUTella GET
IPv4: xxx.xxx.xxx.xxx -> 216.115.213.29
       hlen=5 TOS=0 dlen=163 ID=6184 flags=0 offset=0 TTL=128
TCP:  port=2698 -> dport: 8200  flags=***AP*** seq=845984488
       ack=4155776466 off=5 res=0 win=64512 urp=0 chksum=39401
Payload:  length = 123

000 : 47 45 54 20 2F 6A 65 64 69 3F 72 65 71 75 65 73   GET /jedi?reques
010 : 74 3D 61 67 65 6E 74 26 6A 65 64 69 3D 31 30 30   t=agent&jedi=100
020 : 26 63 6C 63 74 5F 6F 6B 3D 31 26 73 65 73 73 69   &clct_ok=1&sessi
030 : 6F 6E 3D 31 31 35 35 37 31 37 32 32 36 26 74 69   on=1155717226&ti
040 : 63 6B 65 74 3D 31 30 32 26 74 69 6D 65 73 74 61   cket=102&timesta
050 : 6D 70 3D 34 33 26 6E 6F 63 61 63 68 65 3D 31 30   mp=43&nocache=10
060 : 38 26 73 65 71 3D 30 26 74 74 6C 3D 31 32 20 48   8&seq=0&ttl=12 H
070 : 54 54 50 2F 31 2E 30 0D 0A 0D 0A                  TTP/1.0....
------------------------------------------------------------------------------
#(5 - 12029) [2004-04-26 10:07:12] [snort/1432]  P2P GNUTella GET
IPv4: xxx.xxx.xxx.xxx -> 216.115.213.29
       hlen=5 TOS=0 dlen=163 ID=6085 flags=0 offset=0 TTL=128
TCP:  port=2688 -> dport: 8200  flags=***AP*** seq=844537804
       ack=3113570246 off=5 res=0 win=64512 urp=0 chksum=48208
Payload:  length = 123

000 : 47 45 54 20 2F 6A 65 64 69 3F 72 65 71 75 65 73   GET /jedi?reques
010 : 74 3D 61 67 65 6E 74 26 6A 65 64 69 3D 31 30 30   t=agent&jedi=100
020 : 26 63 6C 63 74 5F 6F 6B 3D 31 26 73 65 73 73 69   &clct_ok=1&sessi
030 : 6F 6E 3D 31 31 35 35 37 31 37 32 32 36 26 74 69   on=1155717226&ti
040 : 63 6B 65 74 3D 31 30 32 26 74 69 6D 65 73 74 61   cket=102&timesta
050 : 6D 70 3D 34 32 26 6E 6F 63 61 63 68 65 3D 31 30   mp=42&nocache=10
060 : 36 26 73 65 71 3D 30 26 74 74 6C 3D 31 32 20 48   6&seq=0&ttl=12 H
070 : 54 54 50 2F 31 2E 30 0D 0A 0D 0A                  TTP/1.0....

-- 
Josh Tolley
Raintree Systems, Inc.
http://www.raintreeinc.com
760 509 9000

_______________________________________________
list mailing list
list at lists.dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
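Added example, not part of the thread and not code from Snort, ACID or DShield: a small Python triage helper that decodes an ACID payload hex dump back into bytes, rebuilds the HTTP request line and its query string, and applies a classification heuristic that is assumed here, not taken from any Snort rule. The heuristic uses two well-known Gnutella traits: a real Gnutella session opens with a `GNUTELLA CONNECT/` handshake, and Gnutella file transfers are HTTP GETs for `/get/<index>/<name>` or `/uri-res/N2R?urn:sha1:...` targets. Anything else that trips a "P2P GNUTella GET" alert is plain HTTP on a non-standard port and deserves a look at the destination host rather than an automatic p2p verdict. The sample input is the payload of the first alert above, copied verbatim; the `/get/` and `GNUTELLA CONNECT` inputs at the bottom are constructed for contrast.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Payload hex dump copied from the first ACID alert in the thread above (164 bytes).
ACID_DUMP = """\
000 : 47 45 54 20 2F 6A 65 64 69 3F 72 65 71 75 65 73   GET /jedi?reques
010 : 74 3D 61 67 65 6E 74 26 6A 65 64 69 3D 31 30 30   t=agent&jedi=100
020 : 26 63 6C 63 74 5F 6F 6B 3D 31 26 73 65 73 73 69   &clct_ok=1&sessi
030 : 6F 6E 3D 31 31 35 35 37 31 37 32 32 36 26 74 69   on=1155717226&ti
040 : 63 6B 65 74 3D 31 30 32 26 74 69 6D 65 73 74 61   cket=102&timesta
050 : 6D 70 3D 34 36 26 6E 6F 63 61 63 68 65 3D 31 30   mp=46&nocache=10
060 : 39 26 73 65 71 3D 30 26 74 74 6C 3D 30 26 61 67   9&seq=0&ttl=0&ag
070 : 65 6E 74 32 2E 73 74 61 74 65 3D 65 78 69 74 26   ent2.state=exit&
080 : 6D 61 73 74 65 72 2E 6D 61 69 6E 53 77 69 74 63   master.mainSwitc
090 : 68 3D 63 6C 6F 73 65 20 48 54 54 50 2F 31 2E 30   h=close HTTP/1.0
0a0 : 0D 0A 0D 0A                                       ....
"""

# One ACID row: offset, colon, then up to 16 two-digit hex pairs, then the ASCII column.
HEX_ROW = re.compile(r"^\s*[0-9a-fA-F]+\s*:\s*((?:[0-9a-fA-F]{2}\s)+)")


def acid_payload_bytes(dump: str) -> bytes:
    """Rebuild the raw payload from an ACID-style hex dump; non-matching lines are ignored."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_ROW.match(line)
        if not m:
            continue
        pairs = m.group(1).split()[:16]  # ACID prints at most 16 bytes per row
        out.extend(int(p, 16) for p in pairs)
    return bytes(out)


def parse_request_line(payload: bytes):
    """Return {method, target, version} for an HTTP request line, or None if it is not one."""
    head = payload.split(b"\r\n", 1)[0].decode("ascii", errors="replace")
    parts = head.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    method, target, version = parts
    return {"method": method, "target": target, "version": version}


def classify(payload: bytes) -> str:
    """Analyst triage heuristic (assumed here, not a Snort rule):
    GNUTELLA CONNECT handshake -> gnutella-handshake
    GET /get/... or /uri-res/... -> gnutella-download
    any other HTTP request      -> generic-http (alert needs a closer look)
    """
    if payload.startswith(b"GNUTELLA CONNECT/"):
        return "gnutella-handshake"
    req = parse_request_line(payload)
    if req is None:
        return "not-http"
    target = req["target"]
    if req["method"] == "GET" and (target.startswith("/get/") or target.startswith("/uri-res/")):
        return "gnutella-download"
    if req["method"] in ("GET", "HEAD", "POST"):
        return "generic-http"
    return "unknown"


def summarize(dump: str) -> dict:
    """Decode a dump and return length, verdict, request line and flattened query parameters."""
    payload = acid_payload_bytes(dump)
    req = parse_request_line(payload) or {}
    query = {}
    if "target" in req:
        query = {k: v[0] for k, v in parse_qs(urlsplit(req["target"]).query).items()}
    return {"length": len(payload), "verdict": classify(payload), "request": req, "query": query}


if __name__ == "__main__":
    s = summarize(ACID_DUMP)
    print(f"{s['length']} bytes, verdict={s['verdict']}")
    print(s["request"])
    for k, v in s["query"].items():
        print(f"  {k} = {v}")
```

Run against the first dump it reports an ordinary HTTP/1.0 GET for `/jedi` carrying session, ticket, timestamp and sequence parameters, with no `GNUTELLA CONNECT` handshake and no `/get/` or `/uri-res/` transfer target, so the "generic-http" verdict is the cue to identify the destination host and the application behind the request rather than to accept the p2p label from the signature name alone.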
