One of our readers submitted several odd packets to us. Of course, I can't resist figuring out exactly what is going on here. The packets appear to include a lengthy preamble, but I have no idea what would cause this. After the preamble, we get what looks like a normal Link-Local Multicast Name Resolution (LLMNR) packet.

0x0000: 0000 2900 0033 0000 3700 0000 0000 0000
0x0010: 0000 0000 0000 0000 0000 0000 0000 0000
0x0020: 0000 0000 0000 0000 0000 0000 0000 0000
0x0030: 0000 0100 5e00 00fc 6451 06a1 43c6 8100
0x0040: 00a7 0800 4500 0033 355a 0000 0111 599b
0x0050: XXXX XXXX e000 00fc c59d 14eb 001f 0c38
0x0060: 8669 0000 0001 0000 0000 0000 0555 3231
0x0070: 3038 0000 ff00 01

Ethernet Header

0x0030: .... .... 0100 5e00 00fc 6451 06a1 43c6 8100
0x0040: 00a7 0800
0100 5e00 00fc: Destination MAC, the multicast address in use
6451 06a1 43c6: Source MAC. The OUI is assigned to HP
8100 00a7: 802.1Q VLAN tag
0800: EtherType for IPv4
IPv4 Header
0x0040: .... .... 4500 0033 355a 0000 0111 599b
0x0050: XXXX XXXX e000 00fc

IPv4, normal header length (20 bytes), TOS = 0
Total datagram length: 0x33 (51)
IP ID: 0x355a, no fragmentation flags, no offset
TTL: 1
Protocol: 0x11 (UDP, 17)
IP checksum: 0x599b
Source IP: [obfuscated, since it was a public routable IP]
Destination IP: 224.0.0.252 - LLMNR multicast address, RFC 4795

UDP Header

0x0050: .... .... .... .... c59d 14eb 001f 0c38

Source port: 50589
Destination port: 5355 (the standard port for LLMNR)
UDP length: 31 bytes
UDP checksum: 0x0c38

LLMNR Payload (DNS message format)

0x0060: 8669 0000 0001 0000 0000 0000 0555 3231
0x0070: 3038 0000 ff00 01
Query ID: 0x8669
Flags: 0x0000 (this is a query)
Queries: 1, Answers: 0, Name Servers: 0, Additional records: 0
Query name: 05 55 32 31 30 38 00 - "U2108" (one 5-byte label, then the terminating zero)
Type: 00 ff - ANY
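To reproduce the dissection above end to end, here is an added Python example (not part of the original diary) that skips the 50-byte preamble and walks the Ethernet, 802.1Q, IPv4, UDP and LLMNR layers of the posted bytes, cross-checking the length fields against what was actually captured. The obfuscated source IP is replaced with the constructed documentation address 192.0.2.1 (c000 0201); every other byte is as posted.

```python
import struct

# The diary's capture, re-typed; only the XXXX source IP is a constructed stand-in.
HEXDUMP = """
0000 2900 0033 0000 3700 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0100 5e00 00fc 6451 06a1 43c6 8100
00a7 0800 4500 0033 355a 0000 0111 599b
c000 0201 e000 00fc c59d 14eb 001f 0c38
8669 0000 0001 0000 0000 0000 0555 3231
3038 0000 ff00 01
"""

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355


def dissect(hexdump, skip=50):
    """Skip the unexplained preamble, then walk Ethernet -> 802.1Q -> IPv4 -> UDP -> LLMNR."""
    raw = bytes.fromhex("".join(hexdump.split()))[skip:]
    dst, src, ethertype = raw[:6], raw[6:12], struct.unpack("!H", raw[12:14])[0]
    off, vlan = 14, None
    if ethertype == 0x8100:                 # 802.1Q tag: TCI (PCP/DEI/VID), then the real EtherType
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vlan, off = tci & 0x0FFF, 18
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")
    ihl = (raw[off] & 0x0F) * 4
    total_len, ip_id, _frag, ttl, proto = struct.unpack("!HHHBB", raw[off + 2 : off + 10])
    src_ip = ".".join(map(str, raw[off + 12 : off + 16]))
    dst_ip = ".".join(map(str, raw[off + 16 : off + 20]))
    if proto != 17:
        raise ValueError(f"not UDP: protocol {proto}")
    udp = raw[off + ihl :]
    sport, dport, udp_len, _csum = struct.unpack("!HHHH", udp[:8])
    payload = udp[8:udp_len]
    if len(payload) != udp_len - 8 or total_len != ihl + udp_len:
        raise ValueError("length fields disagree with the captured bytes")
    qid, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    # QNAME is a run of length-prefixed labels terminated by a zero byte.
    labels, p = [], 12
    while payload[p]:
        labels.append(payload[p + 1 : p + 1 + payload[p]].decode("ascii"))
        p += 1 + payload[p]
    qtype, qclass = struct.unpack("!HH", payload[p + 1 : p + 5])
    return {
        "dst_mac": dst.hex(":"), "src_mac": src.hex(":"), "vlan": vlan,
        "ttl": ttl, "ip_id": ip_id, "src_ip": src_ip, "dst_ip": dst_ip,
        "sport": sport, "dport": dport, "is_llmnr": dst_ip == LLMNR_GROUP and dport == LLMNR_PORT,
        "query_id": qid, "is_query": not flags & 0x8000, "counts": (qd, an, ns, ar),
        "qname": ".".join(labels), "qtype": qtype, "qclass": qclass,
    }
```

Feeding `dissect(HEXDUMP)` the bytes yields the same fields worked out by hand above (VLAN ID 167, TTL 1, query ID 0x8669, name U2108, type ANY, class IN); a preamble of a different length simply shows up as the length check failing.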
Please comment or use our contact form to let us know if you have seen traffic like this.
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.