[cisco-voip] a strange flood of packets from ccm
Wes Sisk
wsisk at cisco.com
Tue May 4 11:33:37 EDT 2004
This looks almost like an extraneous RTP stream. We've seen similar issues a
few times now. You can confirm if this is the issue by doing a "stop" and
"start" of the
right click my computer, manage
device manager
view->show hidden devices
Non-Plug and Play Drivers
Cisco IP Voice Media Streaming Driver
right click, properties, "Driver" tab, stop, start.
Then, are you still getting the streams?
One such issue: CSCed02974
Do you have a capture in libpcap format or something I can load into
Ethereal?
/Wes
> -----Original Message-----
> From: cisco-voip-bounces at puck.nether.net
> [mailto:cisco-voip-bounces at puck.nether.net]On Behalf Of Leonardo D'Urso
> Sent: Tuesday, May 04, 2004 11:14 AM
> To: cisco-voip at puck.nether.net
> Subject: [cisco-voip] a strange flood of packets from ccm
>
>
>
> hi there,
>
> in December '03, and today we have received a lot of packets by publisher
> and subscriber, directed to all ports of Cisco Catalyst switch. The
> average is 2000 packets per second! It seems like a discovery probe made
> on all ports via cdp. I have verified and no worm or virus is installed on
> machines. Today I had ccm334, os 2.5.sr7, microsoft patches installed
> including ms04-011, and mcafee antivirus up and running. What I have done
> to solve is an upgrade to os version 2.6, but I think that this upgrade is
> not the cure. I think that the reboot has solved, until the next flood.
>
> Please anyone have an idea?
>
> here a sample group of packets.
>
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 12/10-19:18:14.402103 0:B:5F:EB:FB:FF -> 0:50:73:3F:7E:A1 type:0x800
> len:0xD6
> 10.89.5.1:24628 -> 10.89.23.240:18268 UDP TTL:127 TOS:0xB8 ID:56599
> IpLen:20
> DgmLen:200
> Len: 172
> 80 08 4B E4 29 6B 5B 60 00 00 06 86 55 55 55 55 ..K.)k[`....UUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 UUUUUUUUUUUU
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 12/10-19:18:14.402112 0:B:5F:EB:FB:FF -> 0:50:73:3F:7E:A1 type:0x800
> len:0xD6
> 10.89.5.1:24646 -> 10.89.23.240:17004 UDP TTL:127 TOS:0xB8 ID:56600
> IpLen:20
> DgmLen:200
> Len: 172
> 80 08 AF 9D 0B 09 A7 80 00 00 06 92 55 55 55 55 ............UUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 UUUUUUUUUUUU
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 12/10-19:18:14.402116 0:B:5F:EB:FB:FF -> 0:50:73:3F:7E:A1 type:0x800
> len:0xD6
> 10.89.5.1:24650 -> 10.89.23.240:17004 UDP TTL:127 TOS:0xB8 ID:56601
> IpLen:20
> DgmLen:200
> Len: 172
> 80 08 A9 E5 0B 06 12 A0 00 00 06 95 55 55 55 55 ............UUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 UUUUUUUUUUUU
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 12/10-19:18:14.402120 0:B:5F:EB:FB:FF -> 0:50:73:3F:7E:A1 type:0x800
> len:0xD6
> 10.89.5.1:24658 -> 10.89.23.240:16422 UDP TTL:127 TOS:0xB8 ID:56602
> IpLen:20
> DgmLen:200
> Len: 172
> 80 08 88 56 0A F1 15 80 00 00 06 9B 55 55 55 55 ...V........UUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 UUUUUUUUUUUUUUUU
> 55 55 55 55 55 55 55 55 55 55 55 55 UUUUUUUUUUUU
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> thanks in advance.
> Leonardo
>
>
> --
> Leonardo D'Urso alter.net Srl
> e-mail: durso at alter.it Via Attilio Ambrosini, 177
> VOICE: +39-06-5405740 I-00147 Roma
> FAX: +39-06-5405883 Italy
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
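
Added example (not part of the original thread): a quick check of the reading that the quoted packets are RTP, by parsing the UDP payloads as RFC 3550 headers. The four 12-byte headers are copied from the dump above and followed by the 160 bytes of 0x55 it shows; the function names are hypothetical.

```python
import struct

STATIC_PT = {0: "PCMU", 8: "PCMA"}  # G.711 static payload types (RFC 3551)

def parse_rtp(data: bytes):
    """Parse the RTP fixed header; return None if the bytes cannot be RTP."""
    if len(data) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", data[:12])
    if b0 >> 6 != 2:                      # version must be 2
        return None
    offset = 12 + 4 * (b0 & 0x0F)         # skip CSRC list
    if b0 & 0x10:                         # header extension present
        if len(data) < offset + 4:
            return None
        offset += 4 + 4 * struct.unpack("!H", data[offset + 2:offset + 4])[0]
    end = len(data)
    if b0 & 0x20:                         # padding: last byte holds the count
        pad = data[-1]
        if pad == 0 or pad > end - offset:
            return None
        end -= pad
    if offset > end:
        return None
    return {"pt": b1 & 0x7F, "marker": bool(b1 & 0x80), "seq": seq,
            "ts": ts, "ssrc": ssrc, "payload": data[offset:end]}

def summarize(packets):
    """Summarize what a set of UDP payloads looks like when read as RTP."""
    parsed = [p for p in map(parse_rtp, packets) if p]
    return {
        "total": len(packets),
        "rtp": len(parsed),
        "ssrcs": sorted({p["ssrc"] for p in parsed}),
        "codecs": sorted({STATIC_PT.get(p["pt"], str(p["pt"])) for p in parsed}),
        # One repeated byte in every payload means no real audio is carried.
        "constant_fill": bool(parsed) and all(len(set(p["payload"])) == 1
                                              for p in parsed),
    }

# Headers taken from the quoted dump; each is followed by 160 bytes of 0x55.
HEADERS = ["80084BE4296B5B6000000686", "8008AF9D0B09A78000000692",
           "8008A9E50B0612A000000695", "800888560AF1158000000069B"[:24]]
HEADERS[3] = "800888560AF115800000069B"
SAMPLES = [bytes.fromhex(h) + b"\x55" * 160 for h in HEADERS]

if __name__ == "__main__":
    print(summarize(SAMPLES))
```

All four payloads parse as RTP version 2 with payload type 8 (G.711 A-law), each with a different SSRC, and 160 bytes per packet is 20 ms of audio at 8 kHz.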