From: Patrick Klos
Subject: Re: [lwip-users] Handle a broadcast storm
Date: Thu, 21 Mar 2019 17:18:48 -0400
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.3.3

On 3/21/2019 3:01 PM, address@hidden wrote:
> On 21.03.2019 at 17:44, address@hidden wrote:
>> It seems they are TCP packets
>> Thanks for your support
>> Michele
>> <http://lwip.100.n7.nabble.com/file/t1187/broadcast.jpg>
>
> As always, please send pcaps, not screenshots. Also, describe what we see, e.g. start with telling us which devices have which IP / MAC address etc. Having TCP using broadcast is strange. Having 255.255.255.255 as a source address is even more strange.

Adding to what Simon indicated, yes, those are certainly invalid TCP packets (104 thru 114).
One question is what device is on IP address 172.17.8.175? (and why is it sending out a broadcast TCP SYN packet?)
The next question is what device is responding? (i.e. what device has the MAC address of 00:40:9d:80:44:e3 on your network?) Based on the OUI, it appears to be a board from Digi International. That device appears to have a TCP/IP stack that should never have let the (invalid) broadcast TCP packet(s) get anywhere near the TCP stack. And why is it responding with (at least) 9 TCP RST packets?
Yes, a PCAP file would be a little more useful / interesting.

Patrick Klos
Klos Technologies, Inc.
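
Added example, not part of the original message and not lwIP's or any vendor's code: a receive-side filter of the kind the reply says should sit in front of a TCP stack, silently dropping segments whose link-layer or IP destination is broadcast/multicast or whose source address is not unicast (RFC 1122 requires a SYN addressed to a broadcast or multicast address to be discarded without a reply). The struct and function names, the receiver address 172.17.8.20 and the /16 mask are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define IP4(a,b,c,d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Hypothetical types: receiving interface and a minimal view of one frame (host byte order). */
struct rx_if { uint32_t addr, mask; };
struct rx_frame {
    uint8_t  dst_mac[6];      /* Ethernet destination address */
    uint32_t ip_src, ip_dst;  /* IPv4 source and destination */
    uint8_t  ip_proto;        /* 6 = TCP */
};

static bool is_multicast(uint32_t a) { return (a >> 28) == 0xEu; }  /* 224.0.0.0/4 */

/* Limited broadcast, or directed broadcast of the interface's own subnet. */
static bool is_broadcast(uint32_t a, const struct rx_if *nif)
{
    uint32_t host = ~nif->mask;
    if (a == 0xFFFFFFFFu) return true;
    if (host <= 1u) return false;           /* /31 and /32 have no broadcast address */
    return (a & nif->mask) == (nif->addr & nif->mask) && (a & host) == host;
}

/* true: hand the segment to TCP. false: drop silently, without generating a RST. */
bool tcp_accept_segment(const struct rx_frame *f, const struct rx_if *nif)
{
    if (f->ip_proto != 6) return false;                 /* not TCP, not this path */
    if (f->dst_mac[0] & 0x01) return false;             /* link-layer broadcast or multicast */
    if (is_broadcast(f->ip_dst, nif) || is_multicast(f->ip_dst)) return false;
    if (is_broadcast(f->ip_src, nif) || is_multicast(f->ip_src)) return false;
    return f->ip_dst == nif->addr;                      /* unicast to this host only */
}

int main(void)
{
    /* Constructed frame: TCP from 172.17.8.175 sent to the broadcast address. */
    struct rx_if nif = { IP4(172,17,8,20), IP4(255,255,0,0) };
    struct rx_frame f = { {0xFF,0xFF,0xFF,0xFF,0xFF,0xFF},
                          IP4(172,17,8,175), IP4(255,255,255,255), 6 };
    printf("%s\n", tcp_accept_segment(&f, &nif) ? "pass to TCP" : "drop silently");
    return 0;
}
```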