On Wed, May 10, 2017 at 11:15:45AM -0700, Tom Hayward wrote:
> How many of those packets are to known destinations?
From past samples, not many. For example, a previous
sample showed 5400 to known hosts out of 3.6 million captured.
> Have you inspected the contents at all to see if there are similarities?
Yes. The majority of the packets are TCP open requests with no data, mostly to ports 23 and 80.
A significant number are UDP to port 53, which could be probes or it could be innocent hosts trying to look up the names of hosts they are receiving IBR packets from.
Part of the difficulty in analyzing these is that tcpdump is SLOW; it can take a very long time to display all the packets in order to do statistical analysis. Also, the capture size is only 40 bytes; we'd have to re-do the capture with a larger capture size in order to get the full packet decode.

- Brian
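As an added example (not code from this thread or its participants): a standard-library-only Python classifier that reads a tcpdump-style pcap file record by record and counts the categories Brian describes, i.e. TCP open requests (SYN set, ACK clear, zero payload) per destination port, UDP to port 53, and destinations that fall inside a hypothetical known-host list, while also reporting how many records the 40-byte snaplen cut short. The pcap bytes, addresses and the KNOWN_HOSTS set are all constructed here for illustration. The main sample assumes the capture was taken as raw IP (LINKTYPE_RAW), where 40 bytes is exactly an option-less IPv4 header plus a full TCP header; a second sample shows that on Ethernet the same snaplen ends before the TCP flags byte, so a SYN can only be reported as truncated.

```python
"""Classify packets from an Internet Background Radiation (IBR) capture.

Added example, not code from the mailing-list thread.  Standard library only;
every pcap below is constructed inline, not a real capture.
"""
import struct
from collections import Counter
from ipaddress import ip_address

LINKTYPE_ETHERNET = 1
LINKTYPE_RAW = 101          # raw IPv4/IPv6, no link-layer header
SNAPLEN = 40                # the 40-byte capture size from the thread

# Hypothetical set of addresses we expect traffic for; anything else is "unknown".
KNOWN_HOSTS = {"192.0.2.10", "192.0.2.11"}


def read_pcap(data):
    """Parse a classic (non-pcapng) pcap; returns (linktype, [(captured, origlen)])."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    _, _, _, _, _snaplen, linktype = struct.unpack_from(endian + "HHiIII", data, 4)
    records, off = [], 24
    while off + 16 <= len(data):
        _, _, caplen, origlen = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        records.append((data[off:off + caplen], origlen))
        off += caplen
    return linktype, records


def classify(pkt, linktype):
    """Return (kind, dst_port, dst_ip) for one, possibly truncated, packet."""
    if linktype == LINKTYPE_ETHERNET:
        if len(pkt) < 14 or pkt[12:14] != b"\x08\x00":
            return ("non-ipv4", None, None)
        ip = pkt[14:]
    elif linktype == LINKTYPE_RAW:
        ip = pkt
    else:
        return ("unsupported-linktype", None, None)
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return ("non-ipv4", None, None)
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]   # wire length, not caplen
    proto, dst = ip[9], str(ip_address(ip[16:20]))
    l4 = ip[ihl:]
    if proto == 6:
        if len(l4) < 14:                  # flags byte (offset 13) was not captured
            return ("tcp-truncated", None, dst)
        dport, flags = struct.unpack_from("!H", l4, 2)[0], l4[13]
        payload = total_len - ihl - (l4[12] >> 4) * 4
        if flags & 0x12 == 0x02 and payload == 0:   # SYN set, ACK clear, no data
            return ("tcp-syn-empty", dport, dst)
        return ("tcp-other", dport, dst)
    if proto == 17:
        if len(l4) < 4:
            return ("udp-truncated", None, dst)
        return ("udp", struct.unpack_from("!H", l4, 2)[0], dst)
    return ("other-proto", None, dst)


def summarize(pcap_bytes):
    """Count packet kinds per port, known vs unknown targets, and snaplen truncation."""
    linktype, records = read_pcap(pcap_bytes)
    kinds, known, unknown, truncated = Counter(), 0, 0, 0
    for pkt, origlen in records:
        truncated += len(pkt) < origlen
        kind, dport, dst = classify(pkt, linktype)
        kinds[(kind, dport)] += 1
        if dst is not None:
            known += dst in KNOWN_HOSTS
            unknown += dst not in KNOWN_HOSTS
    return {"kinds": kinds, "known": known, "unknown": unknown, "truncated": truncated}


# --- constructed sample captures (documentation-range addresses) ----------------
def ipv4(proto, src, dst, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ip_address(src).packed, ip_address(dst).packed)
    return hdr + payload        # checksum left 0; the classifier never checks it


def tcp(dport, flags, data=b""):
    return struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, flags, 8192, 0, 0) + data


def udp(dport, data):
    return struct.pack("!HHHH", 40000, dport, 8 + len(data), 0) + data


def build_pcap(linktype, packets, snaplen=SNAPLEN):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    for i, pkt in enumerate(packets):
        cap = pkt[:snaplen]     # truncate exactly as tcpdump -s 40 would
        out += struct.pack("<IIII", 1494440145 + i, 0, len(cap), len(pkt)) + cap
    return out


DNS_QUERY = b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 6 + b"\x07example\x03com\x00\x00\x01\x00\x01"

SAMPLE_RAW = build_pcap(LINKTYPE_RAW, [
    ipv4(6, "198.51.100.7", "203.0.113.50", tcp(23, 0x02)),    # SYN to telnet
    ipv4(6, "198.51.100.8", "203.0.113.51", tcp(80, 0x02)),    # SYN to http
    ipv4(6, "198.51.100.9", "192.0.2.10", tcp(80, 0x02)),      # SYN to a known host
    ipv4(6, "198.51.100.3", "203.0.113.52", tcp(443, 0x10)),   # bare ACK, not an open request
    ipv4(17, "198.51.100.4", "203.0.113.60", udp(53, DNS_QUERY)),  # 57 bytes, cut at 40
])

# Same SYN on Ethernet: 14 + 20 + 14 = 48 bytes are needed to reach the TCP flags,
# so a 40-byte snaplen drops them and the packet can only be called truncated.
SAMPLE_ETH = build_pcap(LINKTYPE_ETHERNET, [
    b"\x00" * 12 + b"\x08\x00" + ipv4(6, "198.51.100.7", "203.0.113.50", tcp(23, 0x02)),
])

if __name__ == "__main__":
    for name, cap in (("raw", SAMPLE_RAW), ("ethernet", SAMPLE_ETH)):
        print(name, summarize(cap))
```

To run it over a real file, replace the constructed bytes with `open("capture.pcap", "rb").read()` from `tcpdump -w`; working on the binary records sidesteps the per-packet text decode entirely, and the `truncated` counter tells you up front whether the snaplen was large enough for the fields you intend to count.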