interesting multicast packet

Gert Doering gert at space.net
Thu Feb 27 17:16:10 CET 2014


Hi,

On Wed, Feb 26, 2014 at 10:57:07PM -0600, Frank Bulk wrote:
> I suggest using Microsoft Network Monitor
> (http://www.microsoft.com/en-us/download/details.aspx?id=4865) to identify
> the processing sending out that traffic.

We did.  It says "unknown"...

But I think Daniel's find is spot-on, as 

 https://malwr.com/analysis/ZDg2MzhjNmJhOGIxNGNiM2I2NmRkMTMzODBkZjllYmY/

shows the string we saw in the packet (click on "static analysis" ->
"strings" -> "RELARELAY_RESPONDRELA"), a "McAffee Framework Service" is 
indeed installed and that "seems to be a known side effect" - though
nobody seems to have observed this on IPv6 yet...

Gert Doering
        -- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444           USt-IdNr.: DE813185279
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 811 bytes
Desc: not available
Url : http://lists.cluenet.de/pipermail/ipv6-ops/attachments/20140227/f3be3182/attachment.bin 


More information about the ipv6-ops mailing list