[Dshield] Source port zero...
Freek de Kruijf
f.de.kruijf at hetnet.nl
Tue Dec 6 22:12:02 GMT 2005
Op dinsdag 6 december 2005 17:46, schreef J Lake:
> > Are these spoofed IP's associated with port zero? The target port are
> > the usual 1025 1026. What might these be?
> Someone posted a reply to this problem a couple months ago.
> I believe they said it was caused by fragmented packets. The port number
> only shows in the header, not in any of the subsequent fragments. At
> least that is what I think was said.
I receive these packages also and analysed a number of these packets. They
are not fragmented packets, but MS Messenger packets with some
advertisement for "security" software :-(.
More information about the list