
I see a malformed packet in Wireshark from a Google IP address on port 2400 using R-GOOSE protocol, what could this be?

https://imgur.com/a/ppsfRiw

    Some details below:

    Source Address: 34.76.137.175
    ISO 8602/X.234 CLTP ConnectionLess Transport Protocol
    [Protocols in frame: eth:ethertype:ip:udp:goose:cotp:goose]
    User Datagram Protocol, Src Port: 2400
0internetuser1
asked 2023-05-06 00:49:52 +0000, updated 2023-05-06 22:07:36 +0000

1 Answer


This might be a greedy heuristic grabbing a frame that doesn't belong to it.
The dissector looks at a single byte to decide if the protocol is for it.

packet-goose.c:

    #define OSI_SPDU_GOOSE    0xA1 /* GOOSE */
    ...
        /* Is it R-GOOSE? */
        spdu = tvb_get_guint8(tvb, 0);
        if (spdu != OSI_SPDU_GOOSE) {
            return FALSE;
        }


It would help if you could provide a sample capture that contains the full packet and a few before it for context.

Chuckc
answered 2023-05-06 13:59:28 +0000
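
A triage sketch for the point made in the answer, added here as an example and not code from Wireshark or from either poster: it mirrors the one-byte check from the excerpt and counts, per UDP flow, how many datagrams would pass it. The flow tuples, payload bytes and function names are constructed for illustration; it assumes the UDP payload is the buffer the check reads and that a genuine R-GOOSE stream would pass on every datagram.

```python
from collections import defaultdict

OSI_SPDU_GOOSE = 0xA1  # value from the packet-goose.c excerpt in the answer

def heuristic_accepts(payload: bytes) -> bool:
    """Mirror of the quoted check: only byte 0 is examined."""
    return len(payload) > 0 and payload[0] == OSI_SPDU_GOOSE

def flow_match_counts(datagrams):
    """Map each flow to (datagrams passing the check, datagrams seen)."""
    stats = defaultdict(lambda: [0, 0])
    for src, sport, dst, dport, payload in datagrams:
        counts = stats[(src, sport, dst, dport)]
        counts[0] += heuristic_accepts(payload)
        counts[1] += 1
    return {flow: tuple(c) for flow, c in stats.items()}

def suspect_flows(datagrams):
    """Flows where some, but not all, datagrams pass the one-byte check.

    Assumption: a genuine R-GOOSE stream passes on every datagram, so a
    partial match suggests the heuristic claimed unrelated traffic.
    """
    return [flow for flow, (hit, total) in flow_match_counts(datagrams).items()
            if 0 < hit < total]

# Constructed sample (documentation addresses, made-up payload bytes).
FLOW_A = ("198.51.100.7", 2400, "192.0.2.10", 51000)
FLOW_B = ("192.0.2.20", 40000, "192.0.2.30", 40001)
SAMPLE = [
    (*FLOW_A, bytes.fromhex("17f1039a22")),
    (*FLOW_A, bytes.fromhex("a142000700")),  # happens to start with 0xA1
    (*FLOW_A, bytes.fromhex("45c0ffee01")),
    (*FLOW_A, bytes.fromhex("9c00112233")),
    (*FLOW_B, bytes.fromhex("a1aa000001")),
    (*FLOW_B, bytes.fromhex("a1bb000002")),
    (*FLOW_B, bytes.fromhex("a1cc000003")),
]

if __name__ == "__main__":
    for flow, (hit, total) in flow_match_counts(SAMPLE).items():
        print(flow, f"{hit}/{total} datagrams pass the one-byte check")
    print("suspect:", suspect_flows(SAMPLE))
```

A flow reported as suspect is one to inspect with the surrounding packets, which is the context the answer asks for.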

Comments

Here are 2 screenshots https://imgur.com/a/jUltnsz

0internetuser1 (2023-05-06 22:19:23 +0000)