Strange Packets


kristerlaag
07-02-2002, 08:52 AM
Yesterday I discovered that my machine sends out packets every 5 seconds. I have no clue why.

sudo tcpdump -i en0 dst port 192
11:25:15.545581 krister.got.cmp.citat.se.49466 > 10.0.1.1.osu-nms: udp 4
11:25:20.545736 krister.got.cmp.citat.se.49468 > 10.0.1.1.osu-nms: udp 4

How do I find out what transmits the packets?
I have tried killing processes until the system stops working, beginning with what I know is safe to kill.

Does somebody have a clue?

/Krister

blb
07-02-2002, 03:26 PM
If krister.got.cmp.citat.se is your machine, then the interesting thing is the port number after that (49466 and 49468 in your post). Next time, pass that number to lsof:

sudo lsof -i :49468

but do note the port number will most likely be changing.

Also, that destination port 192 is OSU Network Monitoring System, if that has any meaning to you.

kristerlaag
07-03-2002, 02:50 AM
I tried sudo lsof -i :65353, but nothing came out.
I tried sudo lsof -r1 -i @10.1.0.59 | grep -v http |grep -v COMMAND |grep -v ===== to avoid unnecessary output, but nothing was printed.

I noticed that it ends and starts again with specific numbers.
09:35:45.545460 krister.got.cmp.citat.se.65534 > 10.0.1.1.osu-nms: udp 4
09:35:50.545421 krister.got.cmp.citat.se.65535 > 10.0.1.1.osu-nms: udp 4
09:35:55.545438 krister.got.cmp.citat.se.49152 > 10.0.1.1.osu-nms: udp 4
09:36:00.545441 krister.got.cmp.citat.se.49153 > 10.0.1.1.osu-nms: udp 4

And no, I don't know what osu.nms is doing in my system.

Right now I have 3 options.
1) Reinstall my system
2) Block that port within my system with a firewall
3) Keep digging - present choice

Problem is, net 10.0.1.1 is not a valid net on my network, so it is routed to my firewall, which denies and logs every packet, every 5 seconds. It ruins my log.

HELP
/Krister

mervTormel
07-03-2002, 03:06 AM
I'm for option 3; the other two will deny learning anything.

Let's think on this a while. Perhaps a more granular approach will come to light.

There's got to be a simple way to sniff this out.

blb
07-03-2002, 07:53 PM
My guess as to why lsof didn't show anything is that whatever process is doing this had already released that port. The output from those four you recently listed shows it retrying every five seconds, and it's kinda tough to see the right port, then run lsof, in that time.

Other things to look at would be what's running. Using

ps axc -U root

will give everything running as root (I'm just guessing this may be running as root). The ones which are normal (and hence, can be ignored here): init, mach_init, kextd, update, dynamic_pager, autodiskmount, configd, syslogd, CrashReporter, netinfod, lookupd, ntpd, coreservicesd, inetd, nfsiod, automount, sendmail, SecurityServer, sshd, cron, writeconfig, httpd.
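
An added example, in shell, that is not code from the thread or from Apple. It puts two points above into a script: first, an offline pass over the four 09:35 lines Krister posted (copied from the thread, not constructed) that measures the send period and the step between consecutive source ports, since a port that climbs by one per datagram and wraps from 65535 to 49152 means a new socket is opened and closed for every packet, which is exactly why an lsof run a moment later finds nothing; second, a live loop that line-buffers tcpdump into lsof so the lookup happens the instant a probe leaves the wire, rather than by hand. It assumes the 49152-65535 ephemeral range the capture shows wrapping, that `awk`, `tcpdump` and `lsof` are available, and that `sudo` works (which it did not once Krister's netinfod was gone).

```shell
#!/bin/sh
# Added example: offline beacon analysis of tcpdump text plus a live
# tcpdump -> lsof watcher.  Not code from the thread or from Apple.

# --- 1. Offline: fixed period?  fresh socket per packet? ---
# Reads tcpdump text on stdin.  Handles the old "host.port > host.port"
# lines in the thread and modern "IP a.b.c.d.port > ..." lines alike: the
# source endpoint is the field just before ">", its port is the last
# dot-separated piece.
beacon_stats() {
    awk '
    function secs(ts, t) { split(ts, t, ":"); return t[1]*3600 + t[2]*60 + t[3] }
    BEGIN { same = 1; have_stride = 0; seen = 0 }
    {
        src = ""
        for (i = 2; i <= NF; i++) if ($i == ">") { src = $(i-1); break }
        if (src == "") next
        n = split(src, a, "."); port = a[n] + 0
        now = secs($1)
        if (seen) {
            gap += now - prev_t
            d = port - prev_p
            # Assumption: ephemeral range 49152-65535 (16384 ports), which is
            # what the capture shows when 65535 is followed by 49152.
            if (d < 0) d += 16384
            if (!have_stride) { stride = d; have_stride = 1 }
            else if (d != stride) same = 0
        }
        seen++; prev_t = now; prev_p = port
    }
    END {
        if (seen < 2) { print "need at least two packets"; exit 1 }
        printf "packets=%d period=%.1f stride=%d constant_stride=%s\n",
               seen, gap / (seen - 1), stride, (same ? "yes" : "no")
    }'
}

# The four lines from the 09:35 capture in the thread (not constructed).
SAMPLE='09:35:45.545460 krister.got.cmp.citat.se.65534 > 10.0.1.1.osu-nms: udp 4
09:35:50.545421 krister.got.cmp.citat.se.65535 > 10.0.1.1.osu-nms: udp 4
09:35:55.545438 krister.got.cmp.citat.se.49152 > 10.0.1.1.osu-nms: udp 4
09:36:00.545441 krister.got.cmp.citat.se.49153 > 10.0.1.1.osu-nms: udp 4'

sample_stats() { printf '%s\n' "$SAMPLE" | beacon_stats; }

# Source port of a single tcpdump line, for the live loop below.
src_port_of() {
    printf '%s\n' "$1" | awk '{
        for (i = 2; i <= NF; i++)
            if ($i == ">") { n = split($(i-1), a, "."); print a[n]; exit }
    }'
}

# --- 2. Live: run lsof the moment a probe is seen ---
# -l line-buffers tcpdump so each packet reaches the loop immediately;
# -nn stops host and port name lookups that would slow the race down.
# Interface is the argument (en0 in the thread).  Needs root.
watch_sender() {
    iface=$1
    sudo tcpdump -l -nn -i "$iface" 'udp and dst port 192' 2>/dev/null |
    while read -r line; do
        port=$(src_port_of "$line")
        echo "== $line"
        sudo lsof -n -P -i "UDP:$port" 2>/dev/null | grep -v '^COMMAND' ||
            echo "   no owner found: socket already closed again"
    done
}

if [ $# -eq 1 ]; then
    watch_sender "$1"      # e.g. ./watch.sh en0
else
    sample_stats           # demo on the lines from the thread
fi
```

On the posted lines this reports a 5.0-second period and a constant port stride of 1. When the live loop also keeps printing "no owner found", the sender is opening a socket per datagram and lsof can never catch it; what remains is the process-elimination route blb describes (the `ps axc -U root` list minus the known daemons), or, as the thread eventually finds, turning the interface or card in question off and watching whether the beacon stops.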

kristerlaag
07-04-2002, 02:56 AM
I did the 'ps -axc -U root', but there were only a few more processes than in your list:
java,sh,Host Relauncher,LaunchCFMApp

Once again, running tcpdump in one window, top in another, and killing processes in a third.
After a while I got this message.

[krister:~] kristerl% sudo kill 835
sudo: uid 501 does not exist in the passwd file!
[krister:~] kristerl% /etc/mail/submit.cf: line 416: readcf: option RunAsUser: unknown user smmsp
/etc/mail/submit.cf: line 435: readcf: option TrustedUser: unknown user smmsp
Mail submission program must have RunAsUser set to non root user


I got this on all subsequent tries to do sudo.
Making a new window in Terminal.app, I could not log in at all.
Thinking: well, I could have killed some process that allowed me to do 'sudo', but what the heck does something in the /mail directory have to do with that?

/Krister

kristerlaag
07-04-2002, 06:10 AM
To save my logfile in my Firewall from my strange packets, I made a rule that dropped my strange packets.
I did a new tcpdump and nothing came for about a minute.
I turned the new rule off and... still nothing. Went for lunch with tcpdump still on; this is what I saw when I came back.

[krister:~] kristerl% sudo tcpdump -i en0 |grep 10.0.1.1
tcpdump: listening on en0
11:12:04.678744 arp who-has 10.0.1.2 tell 10.0.1.1
11:15:04.691416 arp who-has 10.0.1.2 tell 10.0.1.1
11:18:04.704129 arp who-has 10.0.1.2 tell 10.0.1.1
11:21:04.716816 arp who-has 10.0.1.2 tell 10.0.1.1
11:21:10.011312 krister.got.cmp.citat.se.49231 > mail.citat.se.110: . ack 32039 win 33304 <nop,nop,timestamp 12616 6180158> (DF)
11:24:04.729498 arp who-has 10.0.1.2 tell 10.0.1.1
11:27:04.742227 arp who-has 10.0.1.2 tell 10.0.1.1
11:30:04.754988 arp who-has 10.0.1.2 tell 10.0.1.1
11:33:04.767647 arp who-has 10.0.1.2 tell 10.0.1.1
11:35:28.212657 krister.got.cmp.citat.se.50554 > 10.0.1.1.osu-nms: udp 4
11:35:28.214123 cisco3620.got.cmp.citat.se > krister.got.cmp.citat.se: icmp: redirect 10.0.1.1 to net firewall-inside.got.cmp.citat.se
11:35:33.212616 krister.got.cmp.citat.se.50555 > 10.0.1.1.osu-nms: udp 4
11:35:38.212633 krister.got.cmp.citat.se.50556 > 10.0.1.1.osu-nms: udp 4
11:35:43.212612 krister.got.cmp.citat.se.50557 > 10.0.1.1.osu-nms: udp 4
11:35:48.212659 krister.got.cmp.citat.se.50558 > 10.0.1.1.osu-nms: udp 4
11:35:53.212607 krister.got.cmp.citat.se.50559 > 10.0.1.1.osu-nms: udp 4
11:35:58.212602 krister.got.cmp.citat.se.50560 > 10.0.1.1.osu-nms: udp 4
11:36:03.212605 krister.got.cmp.citat.se.50561 > 10.0.1.1.osu-nms: udp 4
11:36:04.780334 arp who-has 10.0.1.2 tell 10.0.1.1
11:36:08.212600 krister.got.cmp.citat.se.50562 > 10.0.1.1.osu-nms: udp 4
11:36:13.212685 krister.got.cmp.citat.se.50563 > 10.0.1.1.osu-nms: udp 4
11:36:18.339868 krister.got.cmp.citat.se.50564 > 10.0.1.1.osu-nms: udp 4
11:36:23.212610 krister.got.cmp.citat.se.50565 > 10.0.1.1.osu-nms: udp 4


To me it seems that my default gateway (cisco3620) does an ICMP redirect to me.
I will now look into my cisco.
Later: Nope, no clue there.

/Krister

blb
07-04-2002, 02:55 PM
Originally posted by kristerlaag
I did the 'ps -axc -U root' but there were only a few more processes than in your list.
java,sh,Host Relauncher,LaunchCFMApp

Something Java-based running as root? That could be interesting; the sh is most likely some script. Not sure what Host Relauncher is. LaunchCFMApp is a wrapper for some Carbon apps.

After a while I got this message.

[krister:~] kristerl% sudo kill 835
sudo: uid 501 does not exist in the passwd file!
[krister:~] kristerl% /etc/mail/submit.cf: line 416: readcf: option RunAsUser: unknown user smmsp
/etc/mail/submit.cf: line 435: readcf: option TrustedUser: unknown user smmsp
Mail submission program must have RunAsUser set to non root user

I got this on all sequent tries to do sudo.
Making a new window i terminal.app I could not log in at all.

Did netinfod and/or lookupd die? If they go away, the system loses knowledge of users, which would definitely cause those issues.

hayne
07-04-2002, 04:36 PM
The port 192 is used for udp broadcasts by the Airport base station (and probably other wireless access points). You may be seeing the replies to these probes.
There is a page giving more details about this at:
http://www.net.princeton.edu/software/osunms_probe/osunms_probe.8.html

kristerlaag
07-05-2002, 02:19 AM
Ahhh. Airport.
The previous post was the right track.
The host 10.0.1.1 is my Airport at home. When I turned the power off for the Airport card in my PBTi, the packets stopped. Turning it on again made the packets come back.
Evidently, the Airport software searches the network for the base station regardless of the fact that the active network port is a cable!
Do you think I should file this as a bug to Apple?

/Krister

hayne
07-05-2002, 03:11 AM
You might want to administer your Airport base station via ethernet.
The packets being sent allow your Mac to list the available base stations in the Airport admin utility.
So, no, it doesn't seem like a bug to me.

kristerlaag
07-06-2002, 04:12 AM
:o I disagree.
I think that the necessary packets for looking up a base station for administration should only be transmitted while my admin software is running.
Why should my machine transmit a packet every 5 seconds on my built-in ethernet port, only because the power to my Airport card is on? If they were transmitted on my Airport interface, I could understand that it is looking for a base station, to present that to me in my Airport menu.
I think there should be a relation between packets sent out and the need for the answer from those packets.
I still need opinions backing my case to file this behavior as a bug.

/Krister :cool:

hayne
07-06-2002, 05:47 AM
Try disallowing these packets (with a firewall) and then see what isn't working.
Things to check:
1) Airport Admin utility
2) Airport menu (list of networks you can connect to)

mervTormel
07-06-2002, 07:49 AM
Originally posted by kristerlaag
...Why should my machine transmit a packet every 5 seconds on my built-in ethernet port, only because the power to my Airport card is on?...

some network protocols are very chatty and lonely and want constant assurance that someone hears their "whale song"

kristerlaag
07-07-2002, 11:42 AM
Just did a tcpdump -i en1 (Airport card) and there were no packets until I selected "Other..." from the Airport menu. And there was only one packet, which is how it should work.

So, if I have an Airport card installed and it is active AND in use, no osu-nms packets are sent on either the inactive built-in interface or the active Airport interface.
But if I attach a cable, packets are sent out every 5 seconds on that cable. Now that is strange to me.

I will send a report to Apple about this.

/Krister

kristerlaag
09-23-2002, 01:34 AM
Apple has acknowledged this behaviour as a known issue.

patashnik
09-23-2002, 05:18 AM
Originally posted by kristerlaag
Just did a tcpdump -i en1 (Airportcard) and there were no packets until I selected "Other..." from the Airport menu.

This is because putting an Airportcard in promiscuous mode, which tcpdump does if you don't specifically supply the -p argument, sort of crashes your wireless connection.

This is a known issue with Airport hardware, and something which hasn't been (or perhaps cannot be) fixed by the OS.

Re-establishing the wireless link with your basestation 'resets' the connection again, so it will work (until the next time you run tcpdump without -p ;))

hayne
09-23-2002, 12:05 PM
Originally posted by patashnik
This is because putting an Airportcard in promiscuous mode, which tcpdump does if you don't specifically supply the -p argument, sort of crashes your wireless connection.

Doesn't happen for me (iBook, OS 10.2.1, connected via Airport only).
I run 'tcpdump -i en1' and I see some ARPA packets, a few UDP packets, then if I load a web page, I see a whole bunch of packets. My wireless connection seems to be just fine.

patashnik
09-23-2002, 03:14 PM
Hmmm, looks to me that I'm talking b*ll*cks :)

Apparently, the Airport driver seems to have been fixed in the 10.2 update.

I assumed it still didn't work on my machine, but I checked it out and it does work now :)