SANS ISC: Mystery Packets, Protocol 139 SANS ISC InfoSec Forums

Mystery Packets, Protocol 139
I am just on vacation at my parents' place, and while doing some network maintenance, I came across these two mystery packets:

17:07:17.405771 IP 192.168.178.255 > 255.255.255.255:  ip-proto-139 30
	0x0000:  4500 0032 0003 0000 ff8b 8c57 c0a8 b2ff  E..2.......W....
	0x0010:  ffff ffff 0100 0200 0000 0000 0000 0000  ................
	0x0020:  0000 a2c0 d297 bcc3 6c40 1ad5 d0bf 382a  ........l@....8*
	0x0030:  ab63                                     .c
17:07:17.406835 IP 192.168.178.255 > 255.255.255.255:  ip-proto-139 30
	0x0000:  4500 0032 0001 0000 ff8b 8c57 c0a8 b2ff  E..2.......W....
	0x0010:  ffff ffff 0100 0100 0000 0000 0000 0000  ................
	0x0020:  0000 1b3c 90a3 4ac1 50b7 930a b723 a181  ...<..J.P....#..
	0x0030:  431a                                     C.

A bit about the network: 3 PCs, 2 Macs running Leopard. Each Mac runs VMware with Windows XP. All the PCs run Windows XP. There is a "FritzBox" DSL router. Part of the network is wireless. Other than that, there isn't that much special about the network. The hosts run firewalls which are pretty much open locally.

No idea so far why these packets show up. Kind of looks like they are corrupted netbios packets (port 139 > protocol 139?). But why broadcast like this? Please let us know if you have any ideas.

-----
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
I will be teaching next: Defending Web Applications Security Essentials - SANS San Francisco Spring 2020

Johannes

3696 Posts
ISC Handler
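As an added example (not part of the original post), the Python below decodes the first hex dump above, extracts the IPv4 header fields and recomputes the header checksum, so the protocol number and other oddities can be checked rather than eyeballed. The embedded dump is the first packet from the post, copied verbatim; the parser assumes the standard `tcpdump -x` layout (offset, up to eight hex words, ASCII column).

```python
import re
import struct
# First packet from the post above, copied verbatim (tcpdump -x hex dump).
PACKET_1 = """
    0x0000:  4500 0032 0003 0000 ff8b 8c57 c0a8 b2ff  E..2.......W....
    0x0010:  ffff ffff 0100 0200 0000 0000 0000 0000  ................
    0x0020:  0000 a2c0 d297 bcc3 6c40 1ad5 d0bf 382a  ........l@....8*
    0x0030:  ab63                                     .c
"""

def hexdump_to_bytes(dump: str) -> bytes:
    """Collect the hex columns of a tcpdump -x dump; the ASCII column is skipped."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        for tok in line.split(":", 1)[1].split()[:8]:   # at most 8 hex words per line
            if not re.fullmatch(r"[0-9a-f]{2,4}", tok):
                break                                  # reached the ASCII column
            out += bytes.fromhex(tok)
    return bytes(out)

def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fixed IPv4 header and recompute its ones'-complement checksum."""
    ihl = (pkt[0] & 0x0F) * 4 if pkt else 0
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a complete IPv4 header")
    _, _, total_len, ident, _, ttl, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    s = sum(struct.unpack("!%dH" % (ihl // 2), pkt[:ihl]))  # header as 16-bit words
    while s >> 16:                                           # fold carries
        s = (s & 0xFFFF) + (s >> 16)
    return {
        "total_length": total_len, "id": ident, "ttl": ttl, "protocol": proto,
        "checksum_ok": s == 0xFFFF,      # a valid header sums to all ones
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "payload": pkt[ihl:total_len],
    }

def triage(pkt: bytes) -> list:
    # Things a network defender would flag in this header before digging further.
    h = parse_ipv4_header(pkt)
    notes = []
    if h["protocol"] not in (1, 6, 17):          # anything but ICMP, TCP, UDP
        notes.append("unusual IP protocol %d" % h["protocol"])
    if h["src"].endswith(".255"):
        notes.append("source looks like a broadcast address: " + h["src"])
    if not h["checksum_ok"]:
        notes.append("IP header checksum does not verify")
    return notes
```

Run on the first dump it reports protocol 139, TTL 255, a source address ending in .255 and a header checksum that does not verify; the second dump differs only in the IP ID and payload and gives the same findings.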
