
Re: mysterious network activity every 10 secs



I thought I'd just follow up to fill in anyone that might be
interested in this thread - my apologies to those who aren't.  I
emailed my ISP regarding the packets and they responded saying they
were in the process of implementing OSPF and that that was why I was
seeing the packets coming from their router.  It was simply an odd
coincidence that the packets started at the same time I installed the
Opera web browser.  (You can hardly blame me for being suspicious with
that weird advertising window on the Opera browser.)  Last but not
least, I wanted to thank those that helped me investigate this.  I
appreciate the guidance.  I kind of wish it might have turned out a
bit more interesting.  Thanks.

James

On Fri, 15 Feb 2002 08:12:15 -0700
tolls <tolls_(_at_)_kencaryl_(_dot_)_net> wrote:

> I'm sorry about the lag in replying - I went to bed.  As far as my
> network layout goes, this is just an older machine I'm running on my
> home LAN.  There are two other computers, and they all hook up to and
> use DHCP from a Linksys broadband router.  I'm sure this isn't coming
> from the other two computers because nothing's been installed there
> and they're just Windows boxes.  I don't remember reading anything
> about OSPF in the documentation for my Linksys router but I ought to
> check that again.  I'm running httpd and bind4 from 3.0.  These
> packets started after I installed linux emulation and the opera
> web browser.  Since then I uninstalled opera, but the OSPF packets
> remain.  Here's the info I've got.  Both confirm the source of the
> packets is rtr1.kcrw.needhighspeed.net.  needhighspeed is my ISP.  I'm
> toll.kcrw.needhighspeed.net.  I don't know what the rtr1 node is
> though.  ethereal also indicates that the destination is
> OSPF-All.MCAST.NET.  Like I said before, I really appreciate all those
> that have helped me investigate this, this far.  And thanks in advance
> for any additional help.
> 
> Here's a sample packet from tcpdump:
> 21:34:01.897673 OSPFv2-hello 44: rtrid 192.168.254.4 backbone auth MD5
> E mask 255.255.255.240 int 10 pri 1 dead 40 dr
> rtr1.kcrw.needhighspeed.net nbrs [tos 0xc0] [ttl 1] (id 21249)
> 
> And here's another packet from ethereal:
> Frame 1 (94 on wire, 94 captured)
>     Arrival Time: Feb 14, 2002 21:52:41.975060
>     Time delta from previous packet: 0.000000 seconds
>     Time relative to first packet: 0.000000 seconds
>     Frame Number: 1
>     Packet Length: 94 bytes
>     Capture Length: 94 bytes
> Ethernet II
>     Destination: 01:00:5e:00:00:05 (01:00:5e:00:00:05)
>     Source: 00:04:5a:22:14:71 (atlas.t011.com)
>     Type: IP (0x0800)
> Internet Protocol, Src Addr: rtr1.kcrw.needhighspeed.net
> (216.87.90.145), Dst Addr: OSPF-ALL.MCAST.NET (224.0.0.5)
>     Version: 4
>     Header length: 20 bytes
>     Differentiated Services Field: 0xc0 (DSCP 0x30: Class Selector 6; ECN: 0x00)
>         1100 00.. = Differentiated Services Codepoint: Class Selector 6 (0x30)
>         .... ..0. = ECN-Capable Transport (ECT): 0
>         .... ...0 = ECN-CE: 0
>     Total Length: 80
>     Identification: 0x565c
>     Flags: 0x00
>         .0.. = Don't fragment: Not set
>         ..0. = More fragments: Not set
>     Fragment offset: 0
>     Time to live: 1
>     Protocol: OSPF (0x59)
>     Header checksum: 0x4f4b (correct)
>     Source: rtr1.kcrw.needhighspeed.net (216.87.90.145)
>     Destination: OSPF-ALL.MCAST.NET (224.0.0.5)
> Open Shortest Path First
>     OSPF Header
>         OSPF Version: 2
>         OSPF Packet Type: 1 (Hello Packet)
>         Packet Length: 44
>         Source OSPF Router ID: 192.168.254.4
>         Area ID: Backbone
>         Packet Checksum: 0x0000 (incorrect, should be 0xd0dc)
>         Auth Type: Cryptographic
>         Auth Key ID: 1
>         Auth Data Length: 16
>         Auth Crypto Sequence Number: 0x382c
>         Auth Data: 62DA93485499F171B29395595F5F55BE
>     OSPF Hello Packet
>         Network Mask: 255.255.255.240
>         Hello Interval: 10 seconds
>         Options: 0x2 (E)
>         Router Priority: 1
>         Router Dead Interval: 40 seconds
>         Designated Router: 216.87.90.145
>         Backup Designated Router: 0.0.0.0
> 
> 
> 
> On Thu, 14 Feb 2002 22:12:03 -0700
> tolls <tolls_(_at_)_kencaryl_(_dot_)_net> wrote:
> 
> > Well, I tried tcpdump and I just wasn't getting the hang of it so I
> > installed ethereal and it was a little easier.  The info I got from a
> > few minutes of sniffing was that these are OSPF transmissions.  I had
> > to look that up on google but they're apparently "Open Shortest Path
> > First" messages.  But I'm still not sure why this just started and
> > whether I should be concerned about it.  Is this a problem?  Thanks
> > for the help in getting the info and for any additional advice that
> > can be offered.  Thanks.
> > 
> > James
> > 
> > 
> > On Thu, 14 Feb 2002 20:54:49 -0700
> > tolls <tolls_(_at_)_kencaryl_(_dot_)_net> wrote:
> > 
> > > I don't know if I should be addressing this on misc@ or maybe on
> > > ports@ since it started after I installed three packages.  But here's
> > > the problem.  I installed 2 packages to set up linux_compat:
> > > redhat_base-6.2p2
> > > redhat_motif-2.1.30
> > > And then I installed this port:
> > > opera-5.05tp1p1
> > > 
> > > Since installing all three I've noticed ethernet traffic on my Gkrellm
> > > monitor every 10 seconds.  It just looks like a small ping or
> > > something.  I've checked top -S and don't see anything that wasn't
> > > there before.  Additionally, I pkg_delete the opera port to see if it
> > > was the problem.  The mysterious ethernet traffic continues.  I've
> > > never had to track down rogue ethernet traffic before.  What do I use
> > > to investigate this?  Some type of packet sniffer?  ntop?  Is there an
> > > easy way to find out the IP that this traffic is directed at or what
> > > piece of software is generating this activity?  Any suggestions would
> > > be appreciated.  Thanks.
> > > 
> > > James

