SANS ISC: InfoSec Handlers Diary Blog


Strange packet: "daylight rekick", anyone?

Published: 2010-09-28
Last Updated: 2010-09-28 22:56:11 UTC
by Daniel Wesemann (Version: 1)
9 comment(s)

ISC reader Keith reports a "strange packet" on his network. He gets the following alert:

9/28/2010 2:09 PM : C4K_L2MAN-6-INVALIDSOURCEADDRESSPACKET 272: Sep 28 19:09:41: %C4K_L2MAN-6-INVALIDSOURCEADDRESSPACKET: (Suppressed 5 times)Packet received with invalid source MAC address (45:42:55:47:3D:57) on port Po1 in vlan 24

and the following packet to go with it:

0000 3d 3d 4b 56 3d 44 45 42 55 47 3d 57 26 4c 3d 3d
0010 64 61 79 6c 69 67 68 74 20 72 65 6b 69 63 6b 21
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0030 00 00 00 00 00 00 00 00 00 00 00 00

No surprise really that this packet is "illegal". When decoded as plain ASCII, it reads:

==KV=DEBUG=W&L==
daylight rekick!

Has anyone seen this before and might know what sort of device could be burping out these non-IP packets directly onto the VLAN?
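
As an added example (not part of the original diary entry), the following Python reads the dump above as an Ethernet frame, assuming the capture starts at the first byte of the Ethernet header. Under that assumption bytes 6-11 are the MAC named in the switch alert, and the group (multicast) bit is set in its first octet, which is not valid for a source address and is consistent with the switch's message. The function names are illustrative.

```python
# Hex dump copied from the diary entry (offset column followed by the bytes).
DUMP = """\
0000 3d 3d 4b 56 3d 44 45 42 55 47 3d 57 26 4c 3d 3d
0010 64 61 79 6c 69 67 68 74 20 72 65 6b 69 63 6b 21
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0030 00 00 00 00 00 00 00 00 00 00 00 00
"""

def parse_dump(text):
    """Turn 'offset byte byte ...' lines into bytes, checking each offset."""
    frame = bytearray()
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if int(fields[0], 16) != len(frame):
            raise ValueError("offset %s does not match %d bytes read"
                             % (fields[0], len(frame)))
        frame += bytes(int(b, 16) for b in fields[1:])
    return bytes(frame)

def mac(raw):
    """Format six bytes the way the switch log prints a MAC address."""
    return ":".join("%02X" % octet for octet in raw)

def dissect(frame):
    """Read the first 14 bytes as an Ethernet II header (assumption)."""
    if len(frame) < 14:
        raise ValueError("too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    return {
        "dst": mac(dst),
        "src": mac(src),
        "ethertype": int.from_bytes(frame[12:14], "big"),
        # I/G bit: least significant bit of the first octet. Set means a
        # group (multicast/broadcast) address, never valid as a source.
        "src_is_group": bool(src[0] & 0x01),
        "length": len(frame),
        "ascii": frame.rstrip(b"\x00").decode("ascii", errors="replace"),
    }

if __name__ == "__main__":
    for key, value in dissect(parse_dump(DUMP)).items():
        print("%-13s %r" % (key, value))
```

The 60-byte length matches a minimum-size Ethernet frame without its FCS, so the trailing zero bytes look like padding rather than payload.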

Keywords: packet