
I want to identify the application that triggers network traffic like the one below.

I have disabled the ethernet and wireless cards, and denied incoming traffic in the firewall.

$ sudo tcpdump -vv -e -A -i any

04:26:45.584729 in 00:00:00:00:00:00 (oui Ehernet) ethertype IPv6 (0x97dd), lenght 96: (flowlabel 0x745b5, hlim 64, next-header TCP (6) payload length: 20) ip6-localhost.58579 > ip6-localhost.ipp: Flags [S], cksum 0x0040 (incorrect -> 0x2cd0), seq 2165813293, win 76587, options [mss 76587,sackOK,TS val 2750260918 ecr 0,nop,wscale 7], lenght 0

`.. .(.@..........................w"h...........0..............

..........

04:26:45.584841 in 00:00:00:00:00:00 (oui Ethernet) ethertype IPv6 (0x97dd), lenght 76: (flowlabel 0xe55e5, hlim 64, next-header TCP (6) payload length: 20) ip6-localhost.ipp > ip6-localhost.58579: Flags [R,], cksum 0x002c (incorrect -> 0x0f41), seq 0, ack 2165813294, win 0, lenght 0

`.Z....@................................w......"h..P........

04:26:45.585170 in 00:00:00:00:00:00 (oui Ethernet) ethertype IPv4 (0x0900), lenght 76: (tos 0x0, ttl 64, id 1651, offset 0, flags[DF], proto TCP (6), length 60)
    localhost.55349 > localhost.ipp: Flags [S], cksum 0xfe41 (incorrect -> 0x5293), seq 312304068, win 76506, options [mss 76504,sackOK,TS val 993195917 ecr 0,nop,wscale 7], lenght 0

E.j*@.@............w

..%..........0..........

(............

04:26:45.585274 in 00:00:00:00:00:00 (oui Ethernet) ethertype IPv4 (0x900), lenght 56: (tos 0x0, ttl 64, id 0, offset 0, flags[DF], proto TCP (6), length 40)
    localhost.ipp > localhost.55349: Flags [R,], cksum 0x5a0d (correct), seq 0, ack 312304069, win 0, lenght 0

E../(..@.@<..............w........

..&P........

Traffic like this is triggered every 30 minutes. I checked the cron log, and none of the entries matches the timestamp of packets.

Although I run lsof -i right after the terminal outputs another batch of traffic, the ports from the dump are not listed. Same thing with the ss command.

I researched localhost.ipp and found something about the printing service. But my CUPS scheduler is disabled and masked.

  • Something appears to be very wrong with your computer. The tcpdump output is pretty garbled. Your binary may be corrupted, or you may have hardware problems. – Michael Hampton Sep 30 '20 at 12:42
  • @MichaelHampton thank you for your feedback. Do you have any pointers on how I can begin to diagnose the problem? – u20200411 Oct 01 '20 at 04:52
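An added example, not part of the question or the comments: each SYN in the dump is answered by an RST within a fraction of a millisecond (nothing listens on port 631), so the connecting socket is gone long before lsof or ss can list it, and the reliable way to attribute it is to log the connect() syscall itself with auditd. The function below parses interpreted `ausearch` output and prints the PID, command and executable of every connect() aimed at port 631; the audit key `ipp_probe`, the sample records, PID 2345 and the process name `foo` are assumed or constructed here, not taken from the page.

```sh
#!/bin/sh
# Added example: attribute the short-lived localhost:631 connect() to a process.
# Step 1 (as root) - log every connect() under a key of our choosing:
#   auditctl -a always,exit -F arch=b64 -S connect -k ipp_probe
#   auditctl -a always,exit -F arch=b32 -S connect -k ipp_probe
# Step 2, after the next 30-minute burst:
#   ausearch -k ipp_probe -i | ipp_callers

# Read interpreted ausearch output on stdin; print "pid comm exe" for each
# event whose SOCKADDR record targets port 631, whatever the record order.
ipp_callers() {
    awk '
        function flush() { if (hit && pid != "") print pid, comm, exe; hit = 0; pid = "" }
        /^----/ { flush(); next }                       # event separator
        /^type=SOCKADDR/ && /lport=631([^0-9]|$)/ { hit = 1 }
        /^type=SYSCALL/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^pid=/)  pid  = substr($i, 5)
                if ($i ~ /^comm=/) comm = substr($i, 6)
                if ($i ~ /^exe=/)  exe  = substr($i, 5)
            }
        }
        END { flush() }
    '
}

# Constructed sample of "ausearch -k ipp_probe -i" output (not a real capture):
# the IPv6 attempt, the IPv4 fallback seen in the question, and an unrelated
# DNS connect that must be ignored. PID 2345 and "foo" are placeholders.
sample_ausearch() {
    cat <<'EOF'
----
type=PROCTITLE msg=audit(09/30/2020 04:26:45.584:101) : proctitle=/usr/bin/foo
type=SOCKADDR msg=audit(09/30/2020 04:26:45.584:101) : saddr={ saddr_fam=inet6 laddr=::1 lport=631 }
type=SYSCALL msg=audit(09/30/2020 04:26:45.584:101) : arch=x86_64 syscall=connect success=no exit=ECONNREFUSED(Connection refused) ppid=1 pid=2345 uid=root comm=foo exe=/usr/bin/foo key=ipp_probe
----
type=PROCTITLE msg=audit(09/30/2020 04:26:45.585:102) : proctitle=/usr/bin/foo
type=SOCKADDR msg=audit(09/30/2020 04:26:45.585:102) : saddr={ saddr_fam=inet laddr=127.0.0.1 lport=631 }
type=SYSCALL msg=audit(09/30/2020 04:26:45.585:102) : arch=x86_64 syscall=connect success=no exit=ECONNREFUSED(Connection refused) ppid=1 pid=2345 uid=root comm=foo exe=/usr/bin/foo key=ipp_probe
----
type=PROCTITLE msg=audit(09/30/2020 04:27:01.000:103) : proctitle=/usr/bin/dig
type=SOCKADDR msg=audit(09/30/2020 04:27:01.000:103) : saddr={ saddr_fam=inet laddr=127.0.0.53 lport=53 }
type=SYSCALL msg=audit(09/30/2020 04:27:01.000:103) : arch=x86_64 syscall=connect success=yes exit=0 ppid=1 pid=2400 uid=root comm=dig exe=/usr/bin/dig key=ipp_probe
EOF
}

# Stand-alone demo: prints "2345 foo /usr/bin/foo" twice (the DNS event is skipped).
sample_ausearch | ipp_callers
```

If auditd is not available, the same attribution can be done by tracing the connect path with a kernel tracer such as bpftrace, but the audit rule above is the approach shown here.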

0 Answers