[Dshield] Source port zero...

Freek de Kruijf f.de.kruijf at hetnet.nl
Tue Dec 6 22:12:02 GMT 2005


Op dinsdag 6 december 2005 17:46, schreef J Lake:
> > Are these spoofed IP's associated with port zero? The target port are
> > the usual 1025 1026.  What might these be?
>
> Someone posted a reply to this problem a couple months ago.
> I believe they said it was caused by fragmented packets. The port number
> only shows in the header, not in any of the subsequent fragments. At
> least that is what I think was said.

I receive these packages also and analysed a number of these packets. They 
are not fragmented packets, but MS Messenger packets with some 
advertisement for "security" software :-(.

-- 
fr.gr.

Freek



More information about the list mailing list