Well, those UDP captures appear to be BitTorrent Peer-to-Peer file sharing traffic, or something disguised as such. Note the "64 31 3a 61 64 32 3a 69 64 32 30 3a" and also the textual reference to info_hash
On Fri, Mar 12, 2010 at 12:18 AM, Joe <jbfixu...@gmail.com> wrote:
>
> Not to distract from the IPV4/IPV6 thread, but just wondering if anyone has
> seen this behavior or perhaps can enlighten me to its origin/virus/meaning?
>
> Internet Protocol, Src: 183.0.215.179 (183.0.215.179), Dst: 192.168.1.52
> (192.168.1.52)
> User Datagram Protocol, Src Port: 64514 (64514), Dst Port: 46993 (46993)
> Data (101 bytes)
>
> 0000 64 31 3a 61 64 32 3a 69 64 32 30 3a 49 10 78 b3 d1:ad2:id20:I.x.
> 0010 9d 3f ab 23 75 7e d4 35 d7 cf c0 13 98 bf 84 30 .?.#u~.5.......0
> 0020 39 3a 69 6e 66 6f 5f 68 61 73 68 32 30 3a 09 61 9:info_hash20:.a
> 0030 e1 d8 9d cf ab 6a 2e 32 e8 42 92 73 b3 41 a3 72 .....j.2.B.s.A.r
> 0040 c7 f1 65 31 3a 71 39 3a 67 65 74 5f 70 65 65 72 ..e1:q9:get_peer
> 0050 73 31 3a 74 38 3a 31 30 30 30 34 32 35 35 31 3a s1:t8:100042551:
> 0060 79 31 3a 71 65 y1:qe
>
>
> Internet Protocol, Src: 183.0.215.179 (183.0.215.179), Dst: 192.168.1.52
> (192.168.1.52)
> User Datagram Protocol, Src Port: 64514 (64514), Dst Port: 46993 (46993)
> Data (101 bytes)
>
> 0000 64 31 3a 61 64 32 3a 69 64 32 30 3a 49 10 78 b3 d1:ad2:id20:I.x.
> 0010 9d 3f ab 23 75 7e d4 35 d7 cf c0 13 98 bf 84 30 .?.#u~.5.......0
> 0020 39 3a 69 6e 66 6f 5f 68 61 73 68 32 30 3a 09 61 9:info_hash20:.a
> 0030 e1 d8 9d cf ab 6a 2e 32 e8 42 92 73 b3 41 a3 72 .....j.2.B.s.A.r
> 0040 c7 f1 65 31 3a 71 39 3a 67 65 74 5f 70 65 65 72 ..e1:q9:get_peer
> 0050 73 31 3a 74 38 3a 31 30 30 30 34 32 35 35 31 3a s1:t8:100042551:
> 0060 79 31 3a 71 65 y1:qe
>
> I'm seeing thousands of these per minute at one location, hundreds of unique
> ip addresses. Some sort of bot net maybe?
>
>
> Thanks much
>
> Joe
>
>

--
-J