Re: [lwip-users] Handle a broadcast storm

From: Patrick Klos
Subject: Re: [lwip-users] Handle a broadcast storm
Date: Thu, 21 Mar 2019 17:18:48 -0400
On 3/21/2019 3:01 PM, address@hidden wrote:
> On 21.03.2019 at 17:44, address@hidden wrote:
>> It seems they are TCP packets
>>
>> Thanks for your support
>
> As always, please send pcaps, not screenshots.
>
> Also, describe what we see, e.g. start with telling us which devices
> have which IP / MAC address etc.
>
> Having TCP using broadcast is strange. Having as a
> source address is even more strange.

Adding to what Simon indicated, yes, those are certainly invalid TCP packets (104 thru 114).

One question is what device is on IP address (and why is it sending out a broadcast TCP SYN packet?)

The next question is what device is responding? (i.e. what device has the MAC address of 00:40:9d:80:44:e3 on your network?)  Based on the OUI, it appears to be a board from Digi International.  That device appears to have a TCP/IP stack that should never have let the (invalid) broadcast TCP packet(s) get anywhere near the TCP stack. And why is it responding with (at least) 9 TCP RST packets?

Yes, a PCAP file would be a little more useful / interesting.

Patrick Klos
Klos Technologies, Inc.
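
The check the reply above expects of a TCP/IP stack (broadcast TCP never reaching TCP processing, and no RST sent in response), as an added example that is not from the thread and is not lwIP's or the Digi board's code. The function, struct and verdict names are hypothetical, the sample frame and 192.0.2.0/24 addresses are constructed, and the example goes slightly beyond the thread by also rejecting multicast destinations and broadcast/multicast source addresses.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Verdict names are hypothetical, not lwIP's. */
enum verdict { ACCEPT, NOT_TCP, DROP_MALFORMED, DROP_L2_GROUP, DROP_DST_GROUP, DROP_SRC_GROUP };

struct netif_cfg { uint32_t addr, netmask; };          /* host byte order */

static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* Limited broadcast, multicast (224.0.0.0/4), or directed broadcast of our subnet. */
static int is_group_addr(uint32_t ip, const struct netif_cfg *nif) {
    uint32_t host = ~nif->netmask;
    if (ip == 0xFFFFFFFFu || (ip & 0xF0000000u) == 0xE0000000u) return 1;
    return host != 0 && (ip & nif->netmask) == (nif->addr & nif->netmask) && (ip & host) == host;
}

/* frame: untagged Ethernet II + IPv4. Runs before any TCP state is touched. */
enum verdict tcp_prefilter(const uint8_t *frame, size_t len, const struct netif_cfg *nif) {
    if (len < 14 + 20) return DROP_MALFORMED;
    if (frame[12] != 0x08 || frame[13] != 0x00) return NOT_TCP;      /* EtherType != IPv4 */
    const uint8_t *ip = frame + 14;
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20) return DROP_MALFORMED;
    if (ip[9] != 6) return NOT_TCP;                                   /* protocol != TCP */
    if (len < 14 + ihl + 20) return DROP_MALFORMED;                   /* truncated TCP header */
    if (frame[0] & 0x01) return DROP_L2_GROUP;       /* broadcast/multicast destination MAC */
    if (is_group_addr(rd32(ip + 16), nif)) return DROP_DST_GROUP;
    if (is_group_addr(rd32(ip + 12), nif)) return DROP_SRC_GROUP;
    return ACCEPT;                    /* every DROP_* is discarded silently: no RST, no reply */
}

/* Constructed sample: a minimal SYN frame with the given destination MAC and addresses. */
enum verdict classify_sample(const uint8_t dmac[6], uint32_t src, uint32_t dst,
                             const struct netif_cfg *nif) {
    uint8_t f[54];
    memset(f, 0, sizeof f);
    memcpy(f, dmac, 6);
    f[12] = 0x08; f[14] = 0x45; f[23] = 6;           /* IPv4, IHL 5, protocol TCP */
    wr32(f + 26, src); wr32(f + 30, dst);
    f[47] = 0x02;                                    /* TCP flags: SYN */
    return tcp_prefilter(f, sizeof f, nif);
}
```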

