interesting multicast packet
Hi,

my google-fu is failing me, but maybe one of you knows.

After some troubleshooting around a Juniper SSG cluster today, we found
that a windows server on the trust side of the SSG cluster is emitting
UDP packets towards

ff08::2.8083 (UDP, payload length 21)

ff08::2 = "all routers, organization-scoped"

These packets are sent about every 61 minutes, and caused some interesting
issues here as the *passive* SSG leaked them out towards the router, leading
to "the NSRP MAC address showing up on the wrong switch port", causing short
hiccups.

But that's not what I'm wondering about - I'm more curious about that
sort of packet - what is that? What is it used for? Which process is
emitting it, and what is it trying to achieve?

Gert Doering
-- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
Re: interesting multicast packet
On Tue, 25 Feb 2014, Gert Doering wrote:

> ff08::2.8083 (UDP, payload length 21)
>
> But that's not what I'm wondering about - I'm more curious about that
> sort of packet - what is that? What is it used for? Which process is
> emitting it, and what is it trying to achieve?

http://www.adminsub.net/tcp-udp-port-finder/8083

Port 8083/UDP - Known port assignments (3 records found):

  Service / Details                                          Source
  us-srv: Utilistor (Server)                                 IANA
  EMC2 (Legato) Networker or Sun Solstice Backup (Official)  WIKI
  QuickTime Streaming Server                                 Apple

Does the windows machine run legato networker or a similar backup service?

--
Mikael Abrahamsson email: swmike@swm.pp.se
Re: interesting multicast packet
Hi,

On Tue, Feb 25, 2014 at 11:13:31AM +0100, Mikael Abrahamsson wrote:
> On Tue, 25 Feb 2014, Gert Doering wrote:
>
> > ff08::2.8083 (UDP, payload length 21)
> >
> > But that's not what I'm wondering about - I'm more curious about that
> > sort of packet - what is that? What is it used for? Which process is
> > emitting it, and what is it trying to achieve?
>
> http://www.adminsub.net/tcp-udp-port-finder/8083
>
> Port 8083/UDP - Known port assignments (3 records found):
>
>   Service / Details                                          Source
>   us-srv: Utilistor (Server)                                 IANA
>   EMC2 (Legato) Networker or Sun Solstice Backup (Official)  WIKI
>   QuickTime Streaming Server                                 Apple

Yeah, that I did google :-) - but it didn't really ring a bell.

> Does the windows machine run legato networker or a similar backup service?

Nothing of that sort. It's an internal management system, so "something
with netapp or vcenter" would be possible. Backup is done with DPM,
so it's not that...

Gert Doering
-- NetMaster
Re: interesting multicast packet
Hi,

On Tue, Feb 25, 2014 at 11:07:34AM +0100, Gert Doering wrote:
> After some troubleshooting around a Juniper SSG cluster today, we found
> that a windows server on the trust side of the SSG cluster is emitting
> UDP packets towards
>
> ff08::2.8083 (UDP, payload length 21)
>
> ff08::2 = "all routers, organization-scoped"

Here's a hexdump of the packet... source IPv6 address mangled, source
MAC is the netscreen NSRP vMAC, dest address is the default router.

11:46:47.456845 00:10:db:ff:20:60 > 00:d0:01:f3:6c:00, ethertype IPv6 (0x86dd), length 83: 2001:608:xxx:xx::yyy.62029 > ff08::2.8083: UDP, length 21
0x0000: 6000 0000 001d 117f 2001 0608 0xxx 00xx `...............
0x0010: 0000 0000 0000 0yyy ff08 0000 0000 0000 ................
0x0020: 0000 0000 0000 0002 f24d 1f93 001d 62ef .........M....b.
0x0030: 5245 4c41 5245 4c41 595f 5245 5350 4f4e RELARELAY_RESPON
0x0040: 4452 454c 41 DRELA

still doesn't ring any bell...

Gert Doering
-- NetMaster
Re: interesting multicast packet
On Tue, Feb 25, 2014 at 11:55:48AM +0100, Gert Doering wrote:
> 11:46:47.456845 00:10:db:ff:20:60 > 00:d0:01:f3:6c:00, ethertype IPv6 (0x86dd), length 83: 2001:608:xxx:xx::yyy.62029 > ff08::2.8083: UDP, length 21
> 0x0000: 6000 0000 001d 117f 2001 0608 0xxx 00xx `...............
> 0x0010: 0000 0000 0000 0yyy ff08 0000 0000 0000 ................
> 0x0020: 0000 0000 0000 0002 f24d 1f93 001d 62ef .........M....b.
> 0x0030: 5245 4c41 5245 4c41 595f 5245 5350 4f4e RELARELAY_RESPON
> 0x0040: 4452 454c 41 DRELA

McAfee Agent looking for a McAfee Relay Server?

https://community.mcafee.com/thread/56766

https://kc.mcafee.com/corporate/index?page=content&id=KB52569

Best regards,
Daniel

--
CLUE-RIPE -- Jabber: dr@cluenet.de -- dr@IRCnet -- PGP: 0xA85C8AA0
RE: interesting multicast packet
I suggest using Microsoft Network Monitor
(http://www.microsoft.com/en-us/download/details.aspx?id=4865) to identify
the process sending out that traffic.

Frank

Re: interesting multicast packet
Hi,

On Wed, Feb 26, 2014 at 10:57:07PM -0600, Frank Bulk wrote:
> I suggest using Microsoft Network Monitor
> (http://www.microsoft.com/en-us/download/details.aspx?id=4865) to identify
> the process sending out that traffic.

We did. It says "unknown"...

But I think Daniel's find is spot-on, as

https://malwr.com/analysis/ZDg2MzhjNmJhOGIxNGNiM2I2NmRkMTMzODBkZjllYmY/

shows the string we saw in the packet (click on "static analysis" ->
"strings" -> "RELARELAY_RESPONDRELA"), a "McAfee Framework Service" is
indeed installed and that "seems to be a known side effect" - though
nobody seems to have observed this on IPv6 yet...

Gert Doering
-- NetMaster
Re: interesting multicast packet
Hi

On 2/27/2014 8:16 AM, Gert Doering wrote:
> Hi,
>
> On Wed, Feb 26, 2014 at 10:57:07PM -0600, Frank Bulk wrote:
>> I suggest using Microsoft Network Monitor
>> (http://www.microsoft.com/en-us/download/details.aspx?id=4865) to identify
>> the process sending out that traffic.
>
> We did. It says "unknown"...
>
> But I think Daniel's find is spot-on, as
>
> https://malwr.com/analysis/ZDg2MzhjNmJhOGIxNGNiM2I2NmRkMTMzODBkZjllYmY/
>
> shows the string we saw in the packet (click on "static analysis" ->
> "strings" -> "RELARELAY_RESPONDRELA"), a "McAfee Framework Service" is
> indeed installed and that "seems to be a known side effect" - though
> nobody seems to have observed this on IPv6 yet...

Sorry for this late reply, but it doesn't make much sense that it is
sent to the all routers address.

Stig

Re: interesting multicast packet
On Thu, Mar 20, 2014 at 03:22:54PM -0700, Stig Venaas wrote:
> Sorry for this late reply, but it doesn't make much sense that it is
> sent to the all routers address.

It's not. There is the well-known ff02::2 "all routers on local segment"
multicast address, but ff08::2 (::2 in the well-known organization-local
scope ff08::/16 range) ain't officially assigned:
http://www.iana.org/assignments/ipv6-multicast-addresses/ipv6-multicast-addresses.xhtml#ipv6-multicast-addresses-4

This looks like abuse of the well-known range, using unassigned ::2

Best regards,
Daniel

--
CLUE-RIPE -- Jabber: dr@cluenet.de -- dr@IRCnet -- PGP: 0xA85C8AA0
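As an added example (not code from the thread or from any of the posters), the following Python decodes the hexdump Gert posted above and applies Daniel's point about ff08::2: it splits the multicast destination into flags, scope and group ID and reports that group ::2 is "all routers" only at the interface-, link- and site-local scopes (RFC 4291), so ff08::2 is an unassigned well-known group. The sample bytes are the captured packet with the mangled source address replaced by the documentation address 2001:db8::1 (constructed); the UDP checksum is kept as captured and not recomputed.

```python
import ipaddress
import struct

# Constructed sample: the bytes of the tcpdump hexdump from the thread, with the
# mangled source address (2001:608:xxx:xx::yyy) replaced by 2001:db8::1.
SAMPLE_HEX = (
    "6000 0000 001d 117f 2001 0db8 0000 0000 0000 0000 0000 0001"
    "ff08 0000 0000 0000 0000 0000 0000 0002 f24d 1f93 001d 62ef"
    "5245 4c41 5245 4c41 595f 5245 5350 4f4e 4452 454c 41"
)

SCOPE_NAMES = {1: "interface-local", 2: "link-local", 4: "admin-local",
               5: "site-local", 8: "organization-local", 0xE: "global"}
# RFC 4291: the well-known group ::2 ("all routers") exists only at these scopes.
ALL_ROUTERS_SCOPES = {1, 2, 5}

def classify_multicast(dst):
    """Split an ff00::/8 address (str or IPv6Address) into flags, scope and
    group ID and say whether group ::2 is actually assigned at that scope."""
    dst = ipaddress.IPv6Address(dst)
    flags, scope = dst.packed[1] >> 4, dst.packed[1] & 0x0F
    group_id = int(dst) & ((1 << 112) - 1)
    well_known = flags == 0  # T flag clear: permanently assigned (well-known) range
    return {
        "scope": SCOPE_NAMES.get(scope, f"scope-{scope:x}"),
        "group_id": group_id,
        "all_routers": well_known and group_id == 2 and scope in ALL_ROUTERS_SCOPES,
        "unassigned_well_known": well_known and group_id == 2 and scope not in ALL_ROUTERS_SCOPES,
    }

def parse_ipv6_udp(raw: bytes) -> dict:
    """Decode a bare IPv6+UDP datagram (no link layer, no extension headers)."""
    if len(raw) < 48:
        raise ValueError("too short for an IPv6 header plus UDP header")
    if raw[0] >> 4 != 6 or raw[6] != 17:          # version nibble, next header = UDP
        raise ValueError("not an IPv6/UDP datagram")
    payload_len = struct.unpack("!H", raw[4:6])[0]
    src, dst = ipaddress.IPv6Address(raw[8:24]), ipaddress.IPv6Address(raw[24:40])
    sport, dport, ulen, _csum = struct.unpack("!HHHH", raw[40:48])
    if ulen != payload_len or len(raw) < 40 + ulen:
        raise ValueError("UDP length does not match IPv6 payload length or capture")
    info = {"src": str(src), "dst": str(dst), "sport": sport, "dport": dport,
            "hop_limit": raw[7], "payload": raw[48:40 + ulen]}
    if dst.is_multicast:
        info["multicast"] = classify_multicast(dst)
    return info

if __name__ == "__main__":
    print(parse_ipv6_udp(bytes.fromhex(SAMPLE_HEX)))
```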
Re: interesting multicast packet
Hi,

On Thu, Mar 20, 2014 at 03:22:54PM -0700, Stig Venaas wrote:
> Sorry for this late reply, but it doesn't make much sense that it is
> sent to the all routers address.

It's an antivirus software. Why do you expect things to make sense?

Gert Doering
-- NetMaster
Re: interesting multicast packet
And Stig, if you are using our 'employer-paid' laptop sold by Cupertino,
then, you are also sending those packets... I discovered this 'feat' last
week when sniffing traffic from my own laptop...

The use of organization-scope multicast is nice but the ::2 is indeed
awkward

-éric

Re: interesting multicast packet
On 2014-03-21 08:54, Eric Vyncke (evyncke) wrote:
> And Stig, if you are using our 'employer-paid' laptop sold by Cupertino,
> then, you are also sending those packets... I discovered this 'feat' last
> week when sniffing traffic from my own laptop...
>
> The use of organization-scope multicast is nice but the ::2 is indeed
> awkward

This can be the day that you learn to install Little Snitch on the
iFruit device and disable even the standard-local-network-rules ;)

Greets,
Jeroen
Re: interesting multicast packet
I used Little Snitch for a while on my device but too intrusive, let's
rather use pfctl ;-)