[cisco-voip] a strange flood of packets from ccm

Ryan Ratliff rratliff at cisco.com
Tue May 4 11:30:48 EDT 2004 

Are you sure that's not just moh?  Those packets don't appear to be layer 2
or 3 broadcasts.   Do you have a sniffer trace you could zip and send?

-Ryan
----- Original Message ----- 
From: "Leonardo D'Urso" <durso at alter.it>
To: <cisco-voip at puck.nether.net>
Sent: Tuesday, May 04, 2004 10:14 AM
Subject: [cisco-voip] a strange flood of packets from ccm


>
> hi there,
>
> in december '03, and today we have received a lot of packets by publisher
> and subscriber, directed to all ports of cisco catalist switch. The
> average is 2000 packets per second! It seems like a discovery probe made
> on all ports via cdp. I have verified and no worm or virus is installed on
> machines. Today I had ccm334, os 2.5.sr7, microsoft patches installed
> including ms04-011, and mcafee antivirus up and running. What I have done
> to solve is an upgrade to os version 2.6, but I think that this upgrade is
> not the cure.  I think that the reboot has solved, until the next flood.
>
> Please anyone have an idea?
>
> here a sample group of packets.
>
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 12/10-19:18:14.402103 0:B:5F:EB:FB:FF -> 0:50:73:3F:7E:A1 type:0x800
> len:0xD6
> 10.89.5.1:24628 -> 10.89.23.240:18268 UDP TTL:127 TOS:0xB8 ID:56599
> IpLen:20
> DgmLen:200
> Len: 172
> 80 08 4B E4 29 6B 5B 60 00 00 06 86 55 55 55 55  ..K.)k[`....UUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55              UUUUUUUUUUUU
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 12/10-19:18:14.402112 0:B:5F:EB:FB:FF -> 0:50:73:3F:7E:A1 type:0x800
> len:0xD6
> 10.89.5.1:24646 -> 10.89.23.240:17004 UDP TTL:127 TOS:0xB8 ID:56600
> IpLen:20
> DgmLen:200
> Len: 172
> 80 08 AF 9D 0B 09 A7 80 00 00 06 92 55 55 55 55  ............UUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55              UUUUUUUUUUUU
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 12/10-19:18:14.402116 0:B:5F:EB:FB:FF -> 0:50:73:3F:7E:A1 type:0x800
> len:0xD6
> 10.89.5.1:24650 -> 10.89.23.240:17004 UDP TTL:127 TOS:0xB8 ID:56601
> IpLen:20
> DgmLen:200
> Len: 172
> 80 08 A9 E5 0B 06 12 A0 00 00 06 95 55 55 55 55  ............UUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55              UUUUUUUUUUUU
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 12/10-19:18:14.402120 0:B:5F:EB:FB:FF -> 0:50:73:3F:7E:A1 type:0x800
> len:0xD6
> 10.89.5.1:24658 -> 10.89.23.240:16422 UDP TTL:127 TOS:0xB8 ID:56602
> IpLen:20
> DgmLen:200
> Len: 172
> 80 08 88 56 0A F1 15 80 00 00 06 9B 55 55 55 55  ...V........UUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55              UUUUUUUUUUUU
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> thanks in advance.
> Leonardo
>
>
> --
> Leonardo D'Urso              alter.net Srl
> e-mail: durso at alter.it       Via Attilio Ambrosini, 177
> VOICE: +39-06-5405740        I-00147 Roma
> FAX:   +39-06-5405883        Italy
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip

More information about the cisco-voip mailing list