tcpdump puts the interface into promiscuous mode, meaning it sees and processes all the packets on the wire, not just those addressed to the interface.
I'll note that the packets are correctly being acked etc., meaning that whomever they are addressed to is happily talking -- and thus unlikely to be spoofed (ack 90K bytes into a session)... You are assuming that your connection to the ISP is a point-to-point like (not unshared). Depending upon how you are actually connected, that may be incorrect. And, as long as you're getting your CIR (Committed Information Rate), completely irrelevant. I would 1) Do some whois searches on the mystery packets - perhaps that's the address of the business next door? 2) Ask your ISP. Don't tell them they've misconfigured, take the tack of the supplicant. "Gee Mr. ISP, I'm trying to setup an IDS and I've found all these packets I didn't expect to see. Can you tell me how the connectivity from our premises to your data center is setup? It is shared with other customers?" etc. -- on the more flies with sugar concept. -----Burton -----Original Message----- From: Peter Pfannenschmid [mailto:[EMAIL PROTECTED]] Sent: Tuesday, September 17, 2002 1:42 PM To: [EMAIL PROTECTED] Subject: traffic analysis wanted... G' Day, not a complete newbie, but this one is not clear to me although I have googled, grouped and read some documents about the TCP/IP protocol: We have a server hosted by an ISP. The server has its own subnet s1.s2.s3.s4/28 with multiple IP adresses. Since some days, there are several thousand TCP/IP packets per day which hit our server; nor the source IP address neither the destination IP address of these packets are part of our server's subnet. 'tcpdump -n -vvv ip and not net 62.146.42.48/28' says for example: 19:15:45.830294 s1.s2.s5.s6.smtp > d1.d2.d3.d4.27975: . 173:173(0) ack 97523 win 62780 (DF) (ttl 64, id 3691) s1.s2.s5.s6 and d1.d2.d3.d4 are not part of our s1.s2.s3.s4/28 subnet. 'tcpdump -en -vvv ip and not net 62.146.42.48/28' says for example: 19:04:04.352676 0:4:76:16:c8:1f Broadcast ip 1518: 62.146.28.150.http > 24.132.142.176.ampr-inter: . 1:1461(1460) ack 301 win 6432 (DF) (ttl 64, id 23341) The question is: Why are these packets routed to our server / its subnet? My conclusion is that our ISP has a misconfiguration on his routers. The other possibility would be that the machine from which the traffic originates (let's name this machine "host A") means our server to be a gateway, i.e. host A is misconfigured or hacked. But a gateway has to be on the same ethernet segment as its clients, hasn't it? So our server would not be seen by host A directly. Since there are no other machines in our /28 subnet, there must be a misconfiguration in our ISP's router. Before our ISP telling to correct this, I would like to hear the opinions of the experts. Is there any possible reason (besides misconfiguration of our ISP's router and besides spoofing and hacking) which could lead to the situation that our server (which sits alone in his /28 subnet) receives packets with destination IPs outside his subnet? Thank you very much, Peter
