I agree, this looks to be BitTorrent traffic. The Pirate Bay has a practice of injecting fake client IP addresses. I have a feeling that is what you're seeing. I would write more but power is out and the battery is going....

James Hess wrote:
Well, those UDP captures appear to be BitTorrent Peer-to-Peer file sharing traffic, or something disguised as such. Note the "64 31 3a 61 64 32 3a 69 64 32 30 3a" and also the textual reference to info_hash
On Fri, Mar 12, 2010 at 12:18 AM, Joe <jbfixurpc@gmail.com> wrote:
Not to distract from the IPV4/IPV6 thread, but just wondering if anyone has seen this behavior or perhaps can enlighten me as to its origin/virus/meaning?
Internet Protocol, Src: 183.0.215.179 (183.0.215.179), Dst: 192.168.1.52 (192.168.1.52)
User Datagram Protocol, Src Port: 64514 (64514), Dst Port: 46993 (46993)
Data (101 bytes)

0000  64 31 3a 61 64 32 3a 69 64 32 30 3a 49 10 78 b3   d1:ad2:id20:I.x.
0010  9d 3f ab 23 75 7e d4 35 d7 cf c0 13 98 bf 84 30   .?.#u~.5.......0
0020  39 3a 69 6e 66 6f 5f 68 61 73 68 32 30 3a 09 61   9:info_hash20:.a
0030  e1 d8 9d cf ab 6a 2e 32 e8 42 92 73 b3 41 a3 72   .....j.2.B.s.A.r
0040  c7 f1 65 31 3a 71 39 3a 67 65 74 5f 70 65 65 72   ..e1:q9:get_peer
0050  73 31 3a 74 38 3a 31 30 30 30 34 32 35 35 31 3a   s1:t8:100042551:
0060  79 31 3a 71 65                                    y1:qe

Internet Protocol, Src: 183.0.215.179 (183.0.215.179), Dst: 192.168.1.52 (192.168.1.52)
User Datagram Protocol, Src Port: 64514 (64514), Dst Port: 46993 (46993)
Data (101 bytes)

0000  64 31 3a 61 64 32 3a 69 64 32 30 3a 49 10 78 b3   d1:ad2:id20:I.x.
0010  9d 3f ab 23 75 7e d4 35 d7 cf c0 13 98 bf 84 30   .?.#u~.5.......0
0020  39 3a 69 6e 66 6f 5f 68 61 73 68 32 30 3a 09 61   9:info_hash20:.a
0030  e1 d8 9d cf ab 6a 2e 32 e8 42 92 73 b3 41 a3 72   .....j.2.B.s.A.r
0040  c7 f1 65 31 3a 71 39 3a 67 65 74 5f 70 65 65 72   ..e1:q9:get_peer
0050  73 31 3a 74 38 3a 31 30 30 30 34 32 35 35 31 3a   s1:t8:100042551:
0060  79 31 3a 71 65                                    y1:qe
I'm seeing thousands of these per minute at one location, hundreds of unique IP addresses. Some sort of botnet maybe?
Thanks much
Joe