From: P729 (p729@cox.net)
Date: Sat Jul 12 2003 - 02:43:13 GMT-3
Interesting. I thought RIP did an IP subnet broadcast with a layer-2
broadcast (all 1's). All multicast MAC addresses begin with 01005e with the
remainder mapped from the IP address, so it looks like the PIX is indeed
doing an IP subnet broadcast, but with the MAC set to a multicast address.
Okay...
Regards,
Mas Kato
https://ecardfile.com/id/mkato
----- Original Message -----
From: "Volkov, Dmitry (IDS Canada)" <dmitry_volkov@ca.ml.com>
To: <security@groupstudy.com>
Cc: <ccielab@groupstudy.com>
Sent: Friday, July 11, 2003 10:03 PM
Subject: PIX sending strange v1 RIP
PIX 515 v.6.2(1):
rip inside passive version 1
rip inside default version 1
Did somebody see RIP v1 with Destination MAC 01005E7FFFFF ????
Bug ?
- - - - - - - - - - - - - - - - - - - - Frame 1 - - - - - - - - - - - - - -
- - - - - -
Frame Status Source Destination
Bytes Rel Time
Delta Time Abs time Summary
----------------------------------------------------------------------------
----------------------------------------------------------------------------
-------------
1 M [170.70.50.17] [255.255.255.255]
66 0:00:00.000
0.000.000 07/12/2003 12:26:35 AM RIP: R Routing entries=1
DLC: ----- DLC Header -----
DLC:
DLC: Frame 1 arrived at 23:26:35.2835; frame size is 66 (0042 hex)
bytes.
DLC: Destination = Multicast 01005E7FFFFF
DLC: Source = Station Cisco 8FCA5D
DLC: Ethertype = 0800 (IP)
DLC:
IP: ----- IP Header -----
IP:
IP: Version = 4, header length = 20 bytes
IP: Type of service = 00
IP: 000. .... = routine
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: .... ..0. = ECT bit - transport protocol will ignore the CE
bit
IP: .... ...0 = CE bit - no congestion
IP: Total length = 52 bytes
IP: Identification = 9352
IP: Flags = 0X
IP: .0.. .... = may fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 255 seconds/hops
IP: Protocol = 17 (UDP)
IP: Header checksum = BAD9 (correct)
IP: Source address = [170.70.50.17]
IP: Destination address = [255.255.255.255]
IP: No options
IP:
UDP: ----- UDP Header -----
UDP:
UDP: Source port = 520 (Route)
UDP: Destination port = 520 (Route)
UDP: Length = 32
UDP: Checksum = 1D43 (correct)
UDP: [24 byte(s) of data]
UDP:
RIP: ----- RIP Header -----
RIP:
RIP: Command = 2 (Response)
RIP: Version = 1
RIP: Unused = 0
RIP:
RIP: Routing data frame 1
RIP: Address family identifier = 2 (IP)
RIP: IP Address = [0.0.0.0] (Default route)
RIP: Metric = 1
RIP:
This archive was generated by hypermail 2.1.4 : Wed Aug 06 2003 - 06:52:37 GMT-3