[cisco-voip] a strange flood of packets from ccm

Leonardo D'Urso durso at alter.it
Tue May 4 11:38:23 EDT 2004 

I have just only that packets and all cisco logs if you want I may send it
to you but in ccm format and not in tcpdump or eterx format, today I have
done the rolling upgrade as fast as possible because the callmanager is
up and running and we have 11 branch office and 1 headquarter w/ 600
telephones and fax ecc... and so I have no dumps.

But before the upgrade to os2.6 I have stopped and started the Cisco IP
Voice Media Streaming Driver via microsoft service window, but nothing
changes. So I think it isn't the same case.


--
Leonardo D'Urso              alter.net Srl
e-mail: durso at alter.it       Via Attilio Ambrosini, 177
VOICE: +39-06-5405740        I-00147 Roma
FAX:   +39-06-5405883        Italy

On Tue, 4 May 2004, Wes Sisk wrote:

> This look almost like an extraneous RTP stream.  We've seen similar issues a
> few times now.  You can confirm if this is the issue by doing a "stop" and
> "start" of the
>
> right click my computer, manage
> device manager
> view->show hidden devices
> Non-Plug and Play Drivers
> Cisco IP Voice Media Streaming Driver
> right click, properties, "Driver" tab, stop, start.
>
> Then, are you still getting the streams?
>
> One such issue: CSCed02974
>
> Do you have a capture in libpcap format or something I can load into
> ethereal?
>
> /Wes
>
> > -----Original Message-----
> > From: cisco-voip-bounces at puck.nether.net
> > [mailto:cisco-voip-bounces at puck.nether.net]On Behalf Of Leonardo D'Urso
> > Sent: Tuesday, May 04, 2004 11:14 AM
> > To: cisco-voip at puck.nether.net
> > Subject: [cisco-voip] a strange flood of packets from ccm
> >
> >
> >
> > hi there,
> >
> > in december '03, and today we have received a lot of packets by publisher
> > and subscriber, directed to all ports of cisco catalist switch. The
> > average is 2000 packets per second! It seems like a discovery probe made
> > on all ports via cdp. I have verified and no worm or virus is installed on
> > machines. Today I had ccm334, os 2.5.sr7, microsoft patches installed
> > including ms04-011, and mcafee antivirus up and running. What I have done
> > to solve is an upgrade to os version 2.6, but I think that this upgrade is
> > not the cure.  I think that the reboot has solved, until the next flood.
> >
> > Please anyone have an idea?
> >
> > here a sample group of packets.
> >
> >
> > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> >
> > 12/10-19:18:14.402103 0:B:5F:EB:FB:FF -> 0:50:73:3F:7E:A1 type:0x800
> > len:0xD6
> > 10.89.5.1:24628 -> 10.89.23.240:18268 UDP TTL:127 TOS:0xB8 ID:56599
> > IpLen:20
> > DgmLen:200
> > Len: 172
> > 80 08 4B E4 29 6B 5B 60 00 00 06 86 55 55 55 55  ..K.)k[`....UUUU
> > 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> > 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> > 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> > 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> > 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> > 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> > 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> > 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> > 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> > 55 55 55 55 55 55 55 55 55 55 55 55              UUUUUUUUUUUU
> >
> > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> >
> > 12/10-19:18:14.402112 0:B:5F:EB:FB:FF -> 0:50:73:3F:7E:A1 type:0x800
> > len:0xD6
> > 10.89.5.1:24646 -> 10.89.23.240:17004 UDP TTL:127 TOS:0xB8 ID:56600
> > IpLen:20
> > DgmLen:200
> > Len: 172
> > 80 08 AF 9D 0B 09 A7 80 00 00 06 92 55 55 55 55  ............UUUU
> > 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> > 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> > 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> > 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> > 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> > 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> > 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> > 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> > 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> > 55 55 55 55 55 55 55 55 55 55 55 55              UUUUUUUUUUUU
> >
> > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> >
> > 12/10-19:18:14.402116 0:B:5F:EB:FB:FF -> 0:50:73:3F:7E:A1 type:0x800
> > len:0xD6
> > 10.89.5.1:24650 -> 10.89.23.240:17004 UDP TTL:127 TOS:0xB8 ID:56601
> > IpLen:20
> > DgmLen:200
> > Len: 172
> > 80 08 A9 E5 0B 06 12 A0 00 00 06 95 55 55 55 55  ............UUUU
> > 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> > 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> > 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> > 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> > 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> > 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> > 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> > 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> > 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> > 55 55 55 55 55 55 55 55 55 55 55 55              UUUUUUUUUUUU
> >
> > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> >
> > 12/10-19:18:14.402120 0:B:5F:EB:FB:FF -> 0:50:73:3F:7E:A1 type:0x800
> > len:0xD6
> > 10.89.5.1:24658 -> 10.89.23.240:16422 UDP TTL:127 TOS:0xB8 ID:56602
> > IpLen:20
> > DgmLen:200
> > Len: 172
> > 80 08 88 56 0A F1 15 80 00 00 06 9B 55 55 55 55  ...V........UUUU
> > 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> > 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> > 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> > 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> > 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> > 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> > 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> > 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> > 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
> > 55 55 55 55 55 55 55 55 55 55 55 55              UUUUUUUUUUUU
> >
> > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> >
> > thanks in advance.
> > Leonardo
> >
> >
> > --
> > Leonardo D'Urso              alter.net Srl
> > e-mail: durso at alter.it       Via Attilio Ambrosini, 177
> > VOICE: +39-06-5405740        I-00147 Roma
> > FAX:   +39-06-5405883        Italy
> >
> > _______________________________________________
> > cisco-voip mailing list
> > cisco-voip at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-voip
>

More information about the cisco-voip mailing list