I was connected to my network AP, running tcpdump. From there I set the card to monitor mode with airmon-ng. The tcpdump shell started flying with 802.11 packets. What I found odd was that the data stream appears to be perpetual, and neither the source MAC nor the target MAC belongs to any computer on my network or to any that appear when airodump-ng is run. Before I go any further, I'd like to say I'm not trying to use this data for anything or "crack" anything. I'm trying to understand what these packets are.
Here are a few of the packets:
Code:
03:42:23.771517 XX:XX:XX:XX:XX:XX (oui Unknown) > XX:XX:XX:XX:XX:XX (oui Unknown), ethertype Unknown (0x3000), length 160:
0x0000: 0000 0000 0000 0000 0000 4410 0000 0000 ..........D.....
0x0010: 0400 9686 0900 4420 0000 0000 0400 e4fe ......D.........
0x0020: 8bc0 4430 0000 0100 0400 0000 0000 4440 ..D0..........D@
0x0030: 0000 0100 0400 0000 0000 4450 0000 0100 ..........DP....
0x0040: 0400 0000 0000 4460 0000 0000 0400 2900 ......D`......).
0x0050: 0000 ..
03:42:23.824648 XX:XX:XX:XX:XX:XX (oui Unknown) > XX:XX:XX:XX:XX:XX (oui Unknown), ethertype Unknown (0x3000), length 268:
0x0000: 0000 0000 0000 0000 0000 4410 0000 0000 ..........D.....
0x0010: 0400 a386 0900 4420 0000 0000 0400 e4fe ......D.........
0x0020: 8bc0 4430 0000 0100 0400 0000 0000 4440 ..D0..........D@
0x0030: 0000 0100 0400 0000 0000 4450 0000 0100 ..........DP....
0x0040: 0400 0000 0000 4460 0000 0000 0400 2900 ......D`......).
0x0050: 0000 ..
03:42:23.838651 XX:XX:XX:XX:XX:XX (oui Unknown) > XX:XX:XX:XX:XX:XX (oui Unknown), ethertype Unknown (0x3000), length 1644:
0x0000: 0000 0000 0000 0000 0000 4410 0000 0000 ..........D.....
0x0010: 0400 a786 0900 4420 0000 0000 0400 385f ......D.......8_
0x0020: beda 4430 0000 0100 0400 0000 0000 4440 ..D0..........D@
0x0030: 0000 0100 0400 0000 0000 4450 0000 0100 ..........DP....
0x0040: 0400 0000 0000 4460 0000 0000 0400 2600 ......D`......&.
0x0050: 0000 ..
03:42:23.852287 XX:XX:XX:XX:XX:XX (oui Unknown) > XX:XX:XX:XX:XX:XX (oui Unknown), ethertype Unknown (0x3000), length 1644:
0x0000: 0000 0000 0000 0000 0000 4410 0000 0000 ..........D.....
0x0010: 0400 aa86 0900 4420 0000 0000 0400 e4fe ......D.........
0x0020: 8bc0 4430 0000 0100 0400 0000 0000 4440 ..D0..........D@
0x0030: 0000 0100 0400 0000 0000 4450 0000 0100 ..........DP....
0x0040: 0400 0000 0000 4460 0000 0000 0400 2b00 ......D`......+.
The colored blocks seem to be some sort of counting mechanism, and the rest of the data appears to be static. So I don't see how this data could be useful. And there's a lot of it: I captured 23,000 packets in about 3 min, and it has been streaming every time I've checked for the last 36 hours. So my question is, what is this mostly static data that is continuously streaming, but not running through any AP that appears when using airodump-ng or Kismet?
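An added example, not part of the original post or from its author: a small Python script that does by code what the post does by eye. It parses tcpdump hex-dump output into one byte string per frame, reports which offsets differ between frames, and flags 1/2/4-byte windows at those offsets that strictly increase from frame to frame, which is the shape a sequence counter would have. The four frames quoted above are embedded as the sample input; the function names (`parse_tcpdump_hex`, `varying_offsets`, `static_fraction`, `group_runs`, `counter_candidates`) and the whitespace-collapsed dump layout it expects (offset, hex words, ASCII column) are assumptions made here.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample input: the four frames quoted in the post, copied from its
# hex dump (the redacted header lines only serve as frame separators here).
SAMPLE_DUMP = """\
03:42:23.771517 XX:XX:XX:XX:XX:XX (oui Unknown) > XX:XX:XX:XX:XX:XX (oui Unknown), ethertype Unknown (0x3000), length 160:
0x0000: 0000 0000 0000 0000 0000 4410 0000 0000 ..........D.....
0x0010: 0400 9686 0900 4420 0000 0000 0400 e4fe ......D.........
0x0020: 8bc0 4430 0000 0100 0400 0000 0000 4440 ..D0..........D@
0x0030: 0000 0100 0400 0000 0000 4450 0000 0100 ..........DP....
0x0040: 0400 0000 0000 4460 0000 0000 0400 2900 ......D`......).
0x0050: 0000 ..
03:42:23.824648 XX:XX:XX:XX:XX:XX (oui Unknown) > XX:XX:XX:XX:XX:XX (oui Unknown), ethertype Unknown (0x3000), length 268:
0x0000: 0000 0000 0000 0000 0000 4410 0000 0000 ..........D.....
0x0010: 0400 a386 0900 4420 0000 0000 0400 e4fe ......D.........
0x0020: 8bc0 4430 0000 0100 0400 0000 0000 4440 ..D0..........D@
0x0030: 0000 0100 0400 0000 0000 4450 0000 0100 ..........DP....
0x0040: 0400 0000 0000 4460 0000 0000 0400 2900 ......D`......).
0x0050: 0000 ..
03:42:23.838651 XX:XX:XX:XX:XX:XX (oui Unknown) > XX:XX:XX:XX:XX:XX (oui Unknown), ethertype Unknown (0x3000), length 1644:
0x0000: 0000 0000 0000 0000 0000 4410 0000 0000 ..........D.....
0x0010: 0400 a786 0900 4420 0000 0000 0400 385f ......D.......8_
0x0020: beda 4430 0000 0100 0400 0000 0000 4440 ..D0..........D@
0x0030: 0000 0100 0400 0000 0000 4450 0000 0100 ..........DP....
0x0040: 0400 0000 0000 4460 0000 0000 0400 2600 ......D`......&.
0x0050: 0000 ..
03:42:23.852287 XX:XX:XX:XX:XX:XX (oui Unknown) > XX:XX:XX:XX:XX:XX (oui Unknown), ethertype Unknown (0x3000), length 1644:
0x0000: 0000 0000 0000 0000 0000 4410 0000 0000 ..........D.....
0x0010: 0400 aa86 0900 4420 0000 0000 0400 e4fe ......D.........
0x0020: 8bc0 4430 0000 0100 0400 0000 0000 4440 ..D0..........D@
0x0030: 0000 0100 0400 0000 0000 4450 0000 0100 ..........DP....
0x0040: 0400 0000 0000 4460 0000 0000 0400 2b00 ......D`......+.
"""

TIMESTAMP_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+\b")      # header line = start of a frame
HEXLINE_RE = re.compile(r"^\s*0x([0-9a-fA-F]{4}):\s*(.*)$")  # '0x0010: 0400 9686 ...'
HEXWORD_RE = re.compile(r"^(?:[0-9a-fA-F]{2}){1,2}$")        # '9686' or a trailing '00'


def parse_tcpdump_hex(text: str) -> List[bytes]:
    """Split tcpdump -x/-xx output into one bytes object per frame. Hex words are
    taken until the first token that is not 2 or 4 hex digits, i.e. the ASCII
    column (the post collapsed the double space tcpdump puts before it)."""
    frames: List[bytearray] = []
    for line in text.splitlines():
        if TIMESTAMP_RE.match(line):
            frames.append(bytearray())
            continue
        m = HEXLINE_RE.match(line)
        if not m or not frames:
            continue
        offset = int(m.group(1), 16)
        if offset != len(frames[-1]):  # catches a dump pasted with lines missing
            raise ValueError(f"0x{offset:04x} does not continue the previous {len(frames[-1])} bytes")
        for tok in m.group(2).split():
            if not HEXWORD_RE.match(tok):
                break
            frames[-1].extend(bytes.fromhex(tok))
    return [bytes(f) for f in frames]


def varying_offsets(frames: List[bytes]) -> Dict[int, List[int]]:
    """Offsets that differ in at least one frame, over the length all frames share
    (a truncated last frame only shortens the window)."""
    return {off: [f[off] for f in frames] for off in range(min(len(f) for f in frames))
            if len({f[off] for f in frames}) > 1}


def static_fraction(frames: List[bytes]) -> float:
    """Share of the shared-length bytes that never change across the capture."""
    return 1 - len(varying_offsets(frames)) / min(len(f) for f in frames)


def group_runs(offsets: Iterable[int]) -> List[Tuple[int, int]]:
    """Collapse offsets into half-open [start, end) runs of adjacent bytes."""
    runs: List[Tuple[int, int]] = []
    for off in sorted(offsets):
        if runs and runs[-1][1] == off:
            runs[-1] = (runs[-1][0], off + 1)
        else:
            runs.append((off, off + 1))
    return runs


def counter_candidates(frames: List[bytes], runs: List[Tuple[int, int]],
                       widths=(1, 2, 4)) -> Dict[Tuple[int, int, str], List[int]]:
    """Try 1/2/4-byte windows at each run in both byte orders and keep those that
    strictly increase frame to frame. Wider windows matter because a counter whose
    high byte has not rolled over shows up as a one-byte run next to static bytes."""
    common = min(len(f) for f in frames)
    found: Dict[Tuple[int, int, str], List[int]] = {}
    for start, end in runs:
        for width in widths:
            if width < end - start or start + width > common:
                continue
            for order in ("little", "big"):
                seq = [int.from_bytes(f[start:start + width], order) for f in frames]
                if all(b > a for a, b in zip(seq, seq[1:])):
                    found[(start, width, order)] = seq
    return found


if __name__ == "__main__":
    frames = parse_tcpdump_hex(SAMPLE_DUMP)
    print(f"{len(frames)} frames, {static_fraction(frames):.1%} of shared bytes static")
    runs = group_runs(varying_offsets(frames))
    for start, end in runs:
        print(f"0x{start:02x}-0x{end - 1:02x}:", " ".join(f[start:end].hex() for f in frames))
    for (start, width, order), seq in sorted(counter_candidates(frames, runs).items()):
        print(f"increasing {width}-byte {order}-endian field at 0x{start:02x}: {seq}")
```

On the four frames above this reports that only six of the eighty shared bytes move (offset 0x12, the four bytes at 0x1e-0x21, and 0x4e), and that only the window at 0x12 increases monotonically; 0x4e goes 29, 29, 26, 2b, so on this sample it is not a counter. Two caveats before reading more into the offsets: they are relative to the first byte tcpdump printed, so with `-x` that is the start of the payload after the 14-byte link-layer header tcpdump stripped, and every frame stops at 82 bytes of a 160- or 1644-byte packet, which is consistent with an old 96-byte default snapshot length minus that header; `-s 0` captures whole frames. Also, `ethertype Unknown (0x3000)` in the header lines means tcpdump was decoding these as Ethernet-style frames rather than 802.11; `tcpdump -L -i <iface>` lists the link-layer types the interface offers and `-y` selects one, and the field layout changes once frames are decoded with the right one.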