Weird STP ethernet packet ?

[yoengchen]

  Hi, I am new to network security issues, and my small office network experiencing weird ethernet transmission, the network is connected with the internet via switches using ADSL line, when I use ethereal (great utility from www.ethereal.com) to capture the packets, it showed that every 2 second, a network device with mac address 00:c0:a8:86:5f:0f produced by GVC Corporation sent STP data transmission (Spanning Tree for Bridges). Here is the captured packets:

No.     Time        Source                Destination           Protocol Info
     12 0.491887    Gvc_86:5f:0f          Spanning-tree-(for-bridges)_00 STP      Conf. Root = 0/00:80:00:00:80:2d  Cost = -1610358528  Port = 0xa003
     43 2.505874    Gvc_86:5f:0f          Spanning-tree-(for-bridges)_00 STP      Conf. Root = 0/00:80:00:00:80:2d  Cost = -1610358528  Port = 0xa003
     74 4.504940    Gvc_86:5f:0f          Spanning-tree-(for-bridges)_00 STP      Conf. Root = 0/00:80:00:00:80:2d  Cost = -1610358528  Port = 0xa003
    105 6.507658    Gvc_86:5f:0f          Spanning-tree-(for-bridges)_00 STP      Conf. Root = 0/00:80:00:00:80:2d  Cost = -1610358528  Port = 0xa003
    136 8.435222    Gvc_86:5f:0f          Spanning-tree-(for-bridges)_00 STP      Conf. Root = 0/00:80:00:00:80:2d  Cost = -1610358528  Port = 0xa003
    167 10.439153   Gvc_86:5f:0f          Spanning-tree-(for-bridges)_00 STP      Conf. Root = 0/00:80:00:00:80:2d  Cost = -1610358528  Port = 0xa003
    198 12.529418   Gvc_86:5f:0f          Spanning-tree-(for-bridges)_00 STP      Conf. Root = 0/00:80:00:00:80:2d  Cost = -1610358528  Port = 0xa003
    229 14.541859   Gvc_86:5f:0f          Spanning-tree-(for-bridges)_00 STP      Conf. Root = 0/00:80:00:00:80:2d  Cost = -1610358528  Port = 0xa003

and in every interval between two frames (2++ seconds interval), there were packets of unknown ethernet protocol (0xFFE2).

No.     Time        Source                Destination           Protocol Info
      1 0.000000    C-Com_02:01:a4        C-Com_05:00:9a        0xffe2   Ethernet II
      2 0.026501    C-Com_02:01:a4        C-Com_05:00:9a        0xffe2   Ethernet II
      3 0.130831    C-Com_02:03:b5        C-Com_05:00:9a        0xffe2   Ethernet II
      4 0.152233    C-Com_02:03:b5        C-Com_05:00:9a        0xffe2   Ethernet II
      5 0.226649    C-Com_02:03:b5        C-Com_05:00:9a        0xffe2   Ethernet II
      6 0.322955    C-Com_02:01:95        C-Com_05:00:9a        0xffe2   Ethernet II
      7 0.350921    C-Com_02:01:95        C-Com_05:00:9a        0xffe2   Ethernet II
      8 0.377430    C-Com_02:01:95        C-Com_05:00:9a        0xffe2   Ethernet II
      9 0.521892    C-Com_02:01:b8        C-Com_05:00:9a        0xffe2   Ethernet II
     10 0.543282    C-Com_02:01:b8        C-Com_05:00:9a        0xffe2   Ethernet II
     11 0.569788    C-Com_02:01:b8        C-Com_05:00:9a        0xffe2   Ethernet II
     12 0.610892    C-Com_02:01:66        C-Com_05:00:9a        0xffe2   Ethernet II
     13 0.632290    C-Com_02:01:66        C-Com_05:00:9a        0xffe2   Ethernet II

Please someone give me a light on this issue. Thank you very much.

[MoleRat]

Spanning Tree Protocol (802.1d and 802.1w) is used by switches to prevent routing loops on networks with more than one path between segments.  What you are seeing is a switch sending out its current STP knowledge to other switches that are running STP.  The protocol determines which of the various switches on a network will disable their ports in order to prevent routing loops.  The default STP "ping" rate is every two seconds.

As for your second set of captures, please post a complete packet capture (including the ethernet frame headers) from one or two of the packets.  The OxFFE2 is not a registered Ethernet "type."  Maybe by looking at the contents we can figure out what it is?


-MoleRat

[Uneek]

Just a small correction though... STP is used to prevent SWITCHING loops... not ROUTING loops... that would be Split Horizon for routing loops... and the ports are not disabled, they are put in either forwarding or blocking state, but the interfaces are still up...

[yoengchen]

  Hi, MoleRat, Uneek, thanks for your replies, the unknown packets were sent repeatedly using 3 kinds of length, 596 bytes, 724 byte, and 1172 bytes, these packets came from 6 devices to 1 devices simultaneously, within 1 minutes almost 1 MB were captured. Here's the sample packets. Is it some kind of attack?

No.     Time        Source                Destination           Protocol Info
    467 30.509368   C-Com_02:03:b5        C-Com_05:00:9a        0xffe2   Ethernet II

Frame 467 (596 bytes on wire, 596 bytes captured)
    Arrival Time: Feb 17, 2005 06:45:29.407635000
    Time delta from previous packet: 0.021643000 seconds
    Time since reference or first frame: 30.509368000 seconds
    Frame Number: 467
    Packet Length: 596 bytes
    Capture Length: 596 bytes
Ethernet II, Src: 00:01:eb:02:03:b5, Dst: 00:01:eb:05:00:9a
    Destination: 00:01:eb:05:00:9a (C-Com_05:00:9a)
    Source: 00:01:eb:02:03:b5 (C-Com_02:03:b5)
    Type: Unknown (0xffe2)
Data (582 bytes)

0000  00 01 eb 05 00 9a 00 01 eb 02 03 b5 ff e2 44 02   ..............D.
0010  00 00 06 10 c4 00 01 00 52 ac 36 04 52 ac 36 04   ........R.6.R.6.
0020  00 00 00 00 91 00 00 00 52 ac 36 04 52 ac 36 04   ........R.6.R.6.
0030  01 00 00 00 00 00 00 00 c6 00 02 00 0f c0 27 02   ..............'.
0040  0f c0 27 02 00 00 00 00 93 0a 00 00 0f c0 27 02   ..'...........'.
0050  0f c0 27 02 04 00 00 00 04 00 00 00 00 00 03 00   ..'.............
0060  0e cc 36 04 0e cc 36 04 00 00 00 00 02 00 00 00   ..6...6.........
0070  0e cc 36 04 0e cc 36 04 00 00 00 00 00 00 00 00   ..6...6.........
0080  63 ed 04 00 81 09 08 01 81 09 08 01 00 00 00 00   c...............
0090  19 26 00 00 81 09 08 01 81 09 08 01 12 00 00 00   .&..............
00a0  1c 00 00 00 00 00 05 00 35 23 25 00 35 23 25 00   ........5#%.5#%.
00b0  00 00 00 00 ce 0a 00 00 35 23 25 00 35 23 25 00   ........5#%.5#%.
00c0  03 00 00 00 05 00 00 00 3d 00 06 00 4d ce b9 00   ........=...M...
00d0  4d ce b9 00 00 00 00 00 0f 05 00 00 4d ce b9 00   M...........M...
00e0  4d ce b9 00 04 00 00 00 02 00 00 00 00 00 07 00   M...............
00f0  a4 1f f5 02 a4 1f f5 02 00 00 00 00 21 14 00 00   ............!...
0100  a4 1f f5 02 a4 1f f5 02 06 00 00 00 08 00 00 00   ................
0110  70 cf 08 00 e3 26 55 00 67 07 55 00 4c 4f 00 00   p....&U.g.U.LO..
0120  79 08 00 00 67 07 55 00 e3 26 55 00 06 00 00 00   y...g.U..&U.....
0130  07 00 00 00 00 00 09 00 5f 9a 02 00 5f 9a 02 00   ........_..._...
0140  00 00 00 00 8b 01 00 00 5f 9a 02 00 5f 9a 02 00   ........_..._...
0150  01 00 00 00 0f 02 00 00 9f a7 0a 00 27 58 27 01   ............'X'.
0160  27 58 27 01 00 00 00 00 7c 0e 00 00 27 58 27 01   'X'.....|...'X'.
0170  27 58 27 01 09 00 00 00 bb 00 00 00 0e 00 0b 00   'X'.............
0180  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0190  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
01a0  de 23 0c 00 d4 d6 5c 00 d4 d6 5c 00 00 00 00 00   .#....\...\.....
01b0  6b 01 00 00 d4 d6 5c 00 d4 d6 5c 00 00 00 00 00   k.....\...\.....
01c0  00 00 00 00 00 00 0d 00 00 00 00 00 00 00 00 00   ................
01d0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
01e0  00 00 00 00 00 00 00 00 d6 72 0e 00 9a 7b 9c 00   .........r...{..
01f0  9a 7b 9c 00 00 00 00 00 ce 0c 00 00 9a 7b 9c 00   .{...........{..
0200  9a 7b 9c 00 0a 00 00 00 05 00 00 00 6b 22 0f 00   .{..........k"..
0210  9a f9 7c 00 9a f9 7c 00 00 00 00 00 90 00 00 00   ..|...|.........
0220  9a f9 7c 00 9a f9 7c 00 00 00 00 00 00 00 00 00   ..|...|.........
0230  f3 d7 10 00 cc b4 48 00 cc b4 48 00 00 00 00 00   ......H...H.....
0240  e9 11 00 00 cc b4 48 00 cc b4 48 00 06 00 00 00   ......H...H.....
0250  0c 00 00 00                                       ....

No.     Time        Source                Destination           Protocol Info
    468 30.535633   C-Com_02:03:b5        C-Com_05:00:9a        0xffe2   Ethernet II

Frame 468 (724 bytes on wire, 724 bytes captured)
    Arrival Time: Feb 17, 2005 06:45:29.433900000
    Time delta from previous packet: 0.026265000 seconds
    Time since reference or first frame: 30.535633000 seconds
    Frame Number: 468
    Packet Length: 724 bytes
    Capture Length: 724 bytes
Ethernet II, Src: 00:01:eb:02:03:b5, Dst: 00:01:eb:05:00:9a
    Destination: 00:01:eb:05:00:9a (C-Com_05:00:9a)
    Source: 00:01:eb:02:03:b5 (C-Com_02:03:b5)
    Type: Unknown (0xffe2)
Data (710 bytes)

0000  00 01 eb 05 00 9a 00 01 eb 02 03 b5 ff e2 c4 02   ................
0010  00 00 06 10 c5 00 01 00 04 00 00 00 01 00 00 00   ................
0020  00 00 00 00 c4 2c 5b 00 05 0a a9 00 00 00 00 00   .....,[.........
0030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0040  0f c0 02 00 4e 00 00 00 08 00 00 00 00 00 00 00   ....N...........
0050  8a f5 b8 00 c4 20 18 01 00 00 00 00 00 00 00 00   ..... ..........
0060  3b c7 36 04 00 00 00 00 00 00 00 00 02 00 03 00   ;.6.............
0070  00 00 00 00 00 00 00 00 00 00 00 00 0c a7 4f 00   ..............O.
0080  6a 4b 2a 01 00 00 00 00 00 00 00 00 00 00 00 00   jK*.............
0090  00 00 00 00 00 00 00 00 81 09 04 00 be 00 00 00   ................
00a0  15 00 00 00 00 00 00 00 6d 4f 19 00 9a 76 30 00   ........mO...v0.
00b0  00 00 00 00 00 00 00 00 35 23 25 00 00 00 00 00   ........5#%.....
00c0  00 00 00 00 05 00 05 00 35 00 00 00 06 00 00 00   ........5.......
00d0  00 00 00 00 30 a4 08 00 60 00 30 00 00 00 00 00   ....0...`.0.....
00e0  00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00   ................
00f0  d1 1a 06 00 10 00 00 00 01 00 00 00 00 00 00 00   ................
0100  06 8b 0d 00 84 40 2b 00 00 00 00 00 00 00 00 00   .....@+.........
0110  5b cf 08 00 00 00 00 00 00 00 00 00 4c 4f 07 00   [...........LO..
0120  64 00 00 00 07 00 00 00 00 00 00 00 e0 ac 4d 04   d.............M.
0130  10 d3 5e 04 00 00 00 00 00 00 00 00 5f 9a 02 00   ..^........._...
0140  00 00 00 00 00 00 00 00 5f 9a 08 00 57 00 00 00   ........_...W...
0150  04 00 00 00 00 00 00 00 fa 82 00 00 13 c1 01 00   ................
0160  00 00 00 00 00 00 00 00 7c 0e 00 00 00 00 00 00   ........|.......
0170  00 00 00 00 09 00 09 00 21 00 00 00 0e 00 00 00   ........!.......
0180  00 00 00 00 55 13 01 00 92 83 02 00 00 00 00 00   ....U...........
0190  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
01a0  de 23 0a 00 65 00 00 00 06 00 00 00 00 00 00 00   .#..e...........
01b0  3c 28 0e 00 3d 60 18 00 00 00 00 00 00 00 00 00   <(..=`..........
01c0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 0b 00   ................
01d0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
01e0  00 00 00 00 00 00 00 00 00 00 00 00 9a 7b 9c 00   .............{..
01f0  00 00 00 00 00 00 00 00 ce 0c 0c 00 06 00 00 00   ................
0200  00 00 00 00 00 00 00 00 20 35 00 00 6b 22 01 00   ........ 5..k"..
0210  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0220  00 00 00 00 9a f9 0d 00 00 00 00 00 00 00 00 00   ................
0230  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0240  00 00 00 00 cc b4 48 00 00 00 00 00 00 00 00 00   ......H.........
0250  0c 00 0e 00 46 00 00 00 07 00 00 00 00 00 00 00   ....F...........
0260  4c de 0a 00 f0 5b a0 00 00 00 00 00 00 00 00 00   L....[..........
0270  00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00   ................
0280  03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0290  0d d3 00 00 00 00 00 00 00 00 00 00 00 00 0a 00   ................
02a0  00 00 00 00 00 00 00 00 18 00 10 00 5b 00 00 00   ............[...
02b0  09 00 00 00 00 00 00 00 dd f9 13 00 e7 54 c8 00   .............T..
02c0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
02d0  00 00 00 00                                       ....

[yoengchen]

And this is detail packet of the STP transmission:

No.     Time        Source                Destination           Protocol Info
     74 4.504940    Gvc_86:5f:0f          Spanning-tree-(for-bridges)_00 STP      Conf. Root = 0/00:80:00:00:80:2d  Cost = -1610358528  Port = 0xa003

Frame 74 (74 bytes on wire, 74 bytes captured)
    Arrival Time: Feb 19, 2005 03:44:28.309052000
    Time delta from previous packet: 0.008260000 seconds
    Time since reference or first frame: 4.504940000 seconds
    Frame Number: 74
    Packet Length: 74 bytes
    Capture Length: 74 bytes
IEEE 802.3 Ethernet
    Destination: 01:80:c2:00:00:00 (Spanning-tree-(for-bridges)_00)
    Source: 00:c0:a8:86:5f:0f (Gvc_86:5f:0f)
    Length: 74
Logical-Link Control
    DSAP: Spanning Tree BPDU (0x42)
    IG Bit: Individual
    SSAP: Spanning Tree BPDU (0x42)
    CR Bit: Command
    Control field: U, func=UI (0x03)
        000. 00.. = Command: Unnumbered Information (0x00)
        .... ..11 = Frame type: Unnumbered frame (0x03)
Spanning Tree Protocol
    Protocol Identifier: Unknown (0x4242)
    Protocol Version Identifier: Multiple Spanning Tree (3)
    BPDU Type: Configuration (0x00)
    BPDU flags: 0x00
        0... .... = Topology Change Acknowledgment: No
        .... ...0 = Topology Change: No
    Root Identifier: 0 / 00:80:00:00:80:2d
    Root Path Cost: 2684608768
    Bridge Identifier: 0 / 00:80:00:00:80:2d
    Port identifier: 0xa003
    Message Age: 225.5
    Max Age: 7
    Hello Time: 0.078125
    Forward Delay: 0.0078125

0000  01 80 c2 00 00 00 00 c0 a8 86 5f 0f 00 4a 42 42   .........._..JBB
0010  03 42 42 03 00 00 00 00 00 80 00 00 80 2d a0 03   .BB..........-..
0020  e1 00 00 00 00 80 00 00 80 2d a0 03 e1 80 07 00   .........-......
0030  00 14 00 02 00 0f 00 aa aa aa aa aa aa aa aa 00   ................
0040  00 00 00 00 00 00 00 00 00 00                     ..........

[Uneek]

Looks like standard STP traffic to me unless I'm missing something...

[wilnix]

Yeah, give up on this as an 'issue.' This is just STP traffic that isnt actually DOING anything since you arent part of a loop....


Wilnix

This is so dated, but I am awake, doing laundry, and I DONT CARE!!!