Analysis of Packet filter operation on 2/10/05 by Marc Lacasse
No suppression, ~4 minutes of data

# entries   cum.   % total   type
      663                    total in 4 minutes
      349    349    52.6%    128.196.100.x to 128.196.100.255
       86    435    65.6%    128.196.100.51.631 to all
       83    518    78.1%    128.196.100.50.631 to all
       37    555    83.7%    128.196.100.19.631 to all
       69    624    94.1%    192.33.141.x to 192.33.14.255
       23    647    97.6%    192.33.141.31.631 to all
Suppressing local net and port bootpc, 10 hours of data
ignore source={128.196.100.x, 192.33.141.x, 199.104.148.x}, port bootpc

# entries   cum.   % of total   type
      746                       total
      283    283    37.9%       169.254.16.38.netbios-ns to 169.254.255.255
      147    430    57.6%       169.254.4.112.netbios-dgm to 169.254.255.255
       87    517    69.3%       169.254.40.111.netbios-dgm to 169.254.255.255
       57    574    76.9%       call 1816 seq 11xxx
       52    626    83.9%       24.1 -> 25.9 > 199.104.149.x.1027 udp880 *** suspicious ***
       40    666    89.3%       icmp6: router solicitation
       32    698    93.6%       (DF)
       13    711    95.3%       64.62.253.55.www
        7    718    96.2%       icmp6: neighbor sol: who has
About 98% of the traffic originates in the MMT net or the Ridge network.
Some of it is broadcast to everyone (255.255.255.255), which seems odd.
The internal MMT broadcasts (to 128.196.100.255) constitute over
half of the traffic arriving at IOTA.
Of the non-local traffic, the 169.254 subnet contributes almost 70% of
what remains after suppression.
Why are these messages appearing on our network?
[Note from Ted Groner: this network handles misconfigured DNS/DHCP servers.
Or, from the web:
"If your local IP address is returned as 169.254.y.z with a
subnet mask of 255.255.0.0, the IP address was assigned by the
Automatic Private IP Addressing (APIPA) feature of Windows XP
Professional. This assignment means that TCP/IP is configured
for automatic configuration, that no DHCP server was found,
and that no alternative configuration is specified."]
The 54 entries from the 24.x.x.x and 25.x.x.x networks are suspicious.
They appear in clusters, with the source changing and the target running
through the computers at IOTA.
Ted Groner suggested putting SNORT on the inside of the net to see if anything
is coming through. I looked at information on the program at its website, but I
don't feel comfortable installing it myself.
Angela's old computer Fringes could be used, since it is not doing very much at present.
The data logs are plain text with tab delimiters.
I find it useful to read them into a spreadsheet and then sort pieces by source, destination or type.
Some of the text lines are rather long.
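The two tables above are built by counting log entries by type and tabulating count, cumulative count and cumulative percentage, with the second table first applying the ignore rule (local source nets and port bootpc). The script below is an added example, not part of this memo or its packlog files, that does the same over a few constructed tab-delimited lines. The column layout it assumes (timestamp, source, destination, description) is an assumption, since the memo does not describe the log format; it also lists the 169.254.x.x (APIPA) sources that the note above explains.

```python
from collections import Counter
import ipaddress

# Constructed sample lines.  The real packlog files are tab-delimited text,
# but their column layout is not given in the memo, so this layout is an
# assumption: timestamp <TAB> source <TAB> destination <TAB> description
SAMPLE_LOG = """\
15:41:02\t128.196.100.51.631\t128.196.100.255\t
15:41:03\t128.196.100.50.631\t128.196.100.255\t
15:41:05\t169.254.16.38.netbios-ns\t169.254.255.255\t
15:41:06\t169.254.16.38.netbios-ns\t169.254.255.255\t
15:41:07\t169.254.4.112.netbios-dgm\t169.254.255.255\t
15:41:08\t0.0.0.0.bootpc\t255.255.255.255.bootps\t
15:41:09\tfe80::1\tff02::2\ticmp6: router solicitation
15:41:10\t24.20.1.5.1027\t199.104.149.12.1027\tudp 880
15:41:11\t25.41.3.9.1027\t199.104.149.13.1027\tudp 880
15:41:12\t192.33.141.31.631\t192.33.141.255\t
"""

# The ignore rule used for the second table: local source nets plus port bootpc.
SUPPRESS_NETS = [ipaddress.ip_network(n) for n in
                 ("128.196.100.0/24", "192.33.141.0/24", "199.104.148.0/24")]
SUPPRESS_PORTS = {"bootpc"}
APIPA_NET = ipaddress.ip_network("169.254.0.0/16")


def split_endpoint(endpoint):
    """Return (address, port) for tcpdump-style 'a.b.c.d.port' or bare 'a.b.c.d'.
    IPv6 endpoints are passed through with no port."""
    if ":" in endpoint:
        return endpoint, None
    parts = endpoint.split(".")
    if len(parts) == 4:
        return endpoint, None
    if len(parts) == 5:
        return ".".join(parts[:4]), parts[4]
    raise ValueError("unrecognised endpoint: %r" % endpoint)


def parse_line(line):
    """Split one tab-delimited log line into its fields."""
    ts, src, dst, desc = line.rstrip("\n").split("\t")
    src_ip, src_port = split_endpoint(src)
    dst_ip, dst_port = split_endpoint(dst)
    return {"ts": ts, "src_ip": src_ip, "src_port": src_port,
            "dst_ip": dst_ip, "dst_port": dst_port, "desc": desc}


def is_suppressed(entry):
    """True when the entry matches the ignore rule (local source net or bootpc port)."""
    addr = ipaddress.ip_address(entry["src_ip"])
    if any(addr in net for net in SUPPRESS_NETS):
        return True
    return bool({entry["src_port"], entry["dst_port"]} & SUPPRESS_PORTS)


def classify(entry):
    """Group key in the style of the tables: IPv4 source host octet generalised
    to 'x', port kept, destination and description kept."""
    src = entry["src_ip"]
    if ":" not in src:
        src = ".".join(src.split(".")[:3]) + ".x"
    if entry["src_port"]:
        src += "." + entry["src_port"]
    dst = entry["dst_ip"]
    if entry["dst_port"]:
        dst += "." + entry["dst_port"]
    return ("%s to %s %s" % (src, dst, entry["desc"])).strip()


def summarize(text, suppress=True):
    """Return (rows, kept, dropped).  Each row is (count, cumulative count,
    cumulative % of kept entries, key), sorted by count descending, matching
    the '# entries / cum / % total / type' columns of the tables above."""
    entries = [parse_line(l) for l in text.splitlines() if l.strip()]
    counts, dropped = Counter(), 0
    for e in entries:
        if suppress and is_suppressed(e):
            dropped += 1
            continue
        counts[classify(e)] += 1
    kept = sum(counts.values())
    rows, cum = [], 0
    for key, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        cum += n
        rows.append((n, cum, round(100.0 * cum / kept, 1) if kept else 0.0, key))
    return rows, kept, dropped


def apipa_sources(text):
    """Source addresses in 169.254.0.0/16: hosts that fell back to APIPA
    because no DHCP server answered (see the note above)."""
    found = set()
    for l in text.splitlines():
        if l.strip():
            e = parse_line(l)
            if ipaddress.ip_address(e["src_ip"]) in APIPA_NET:
                found.add(e["src_ip"])
    return sorted(found)


if __name__ == "__main__":
    rows, kept, dropped = summarize(SAMPLE_LOG)
    print("%d kept, %d suppressed" % (kept, dropped))
    for n, cum, pct, key in rows:
        print("%4d %4d %5.1f%%  %s" % (n, cum, pct, key))
    print("APIPA sources:", ", ".join(apipa_sources(SAMPLE_LOG)))
```

Running it on a real packlog file only needs the sample text replaced by the file's contents, once the column layout is adjusted to match the actual log; the percentage column is cumulative and is taken over the entries that survive suppression, which is how the 746-entry table reads.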
Marc Lacasse
2/11/2005
Additional data taken on 2/17-19/05
Log file:          packlog218a
Start:             2/16/05 3:41 PM
End:               2/18/05 7:57 PM
Duration (hours):  52.275277778
# entries:         1813

cum. %    %   # items   Type
                 1817   total
Router traffic
         20       358   icmp6: router solicitation
         12       213   199.104.149.17.domain:
   35     4        70   icmp6: neighbor sol: who has x
Win traffic
          9       162   win 16384 (DF)
          6       113   win 64240 (DF)
          6       111   win 65535 (DF)
          2        43   win 64800 (DF)
          2        39   win 5840 (DF)
   29     4        66   other win XXXXX
Suspicious traffic
         14       255   24.20.x.x to 25.41.x.x > iota.x udp 880
Other traffic
          6       100   >128.196.100.107.3068:
          3        53   >206.197.219.142.x: ack
          2        41   128.196.128.234>iota.15 udp port netbios-ns unreachable
          2        40   > 224.0.0.x: igmp
          2        36   170.224.33.x>iota.9
          1        26   >192.33.141.10.38293: udp 16
          1        25   >199.104.149.17.32805: udp204 (DF)
          1        25   >199.104.149.9.x: udp 4
          1        13   >206.197.219.x.x:
          1        24   leftover