While sniffing the sixxs interface I found that something on the router was accessing strange addresses via IPv6
By stopping applications I found/suspect it is Inadyn that is sourcing these packages.
A lookup show that the following sites are accessed:
wg-in-x8b.1e100.net
wg-in-x71.1e100.net
wg-in-x64.1e100.net
They probably show up at the IPv6 gateway because IPv6 is probably more prevered than IPv4 on the FritsBox.
The far-end port is always http (80), but the near-end port (my router) is constantly changing, often using pairs of consecutive port numbers.
The near-end port are mostly already IANA assigned port numbers for other applications.
Some of the ports seen used by my router, but this seems to be randomly selected:
The TCP packages are small, 72 or 80 bytes.
Is this expected?
By stopping applications I found/suspect it is Inadyn that is sourcing these packages.
A lookup show that the following sites are accessed:
wg-in-x8b.1e100.net
wg-in-x71.1e100.net
wg-in-x64.1e100.net
They probably show up at the IPv6 gateway because IPv6 is probably more prevered than IPv4 on the FritsBox.
The far-end port is always http (80), but the near-end port (my router) is constantly changing, often using pairs of consecutive port numbers.
The near-end port are mostly already IANA assigned port numbers for other applications.
Code:
No. Time Source Destination Protocol Info
7 2012-10-11 21:43:17.155080 2001:a:b:c::2 2a00:1450:400c:c00::8b TCP di-traceware > http [SYN] Seq=0 Win=4880 Len=0 MSS=1220 SACK_PERM=1 TSV=7915592 TSER=0 WS=3
8 2012-10-11 21:43:17.192010 2a00:1450:400c:c00::8b 2001:a:b:c::2 TCP http > di-traceware [SYN, ACK] Seq=0 Ack=1 Win=14040 Len=0 MSS=1416 SACK_PERM=1 TSV=3504431525 TSER=7915592 WS=6
9 2012-10-11 21:43:17.192243 2001:a:b:c::2 2a00:1450:400c:c00::8b TCP di-traceware > http [ACK] Seq=1 Ack=1 Win=4880 Len=0 TSV=7915596 TSER=3504431525
10 2012-10-11 21:43:18.106776 2001:a:b:c::2 2a00:1450:400c:c00::8b TCP di-traceware > http [RST, ACK] Seq=1 Ack=1 Win=4880 Len=0 TSV=7915688 TSER=3504431525
11 2012-10-11 21:43:19.791816 2001:a:b:c::2 2a00:1450:400c:c00::8b TCP journee > http [SYN] Seq=0 Win=4880 Len=0 MSS=1220 SACK_PERM=1 TSV=7915856 TSER=0 WS=3
12 2012-10-11 21:43:19.828158 2a00:1450:400c:c00::8b 2001:a:b:c::2 TCP http > journee [SYN, ACK] Seq=0 Ack=1 Win=14040 Len=0 MSS=1416 SACK_PERM=1 TSV=1258291254 TSER=7915856 WS=6
13 2012-10-11 21:43:19.828365 2001:a:b:c::2 2a00:1450:400c:c00::8b TCP journee > http [ACK] Seq=1 Ack=1 Win=4880 Len=0 TSV=7915860 TSER=1258291254
14 2012-10-11 21:43:20.807036 2001:a:b:c::2 2a00:1450:400c:c00::8b TCP journee > http [RST, ACK] Seq=1 Ack=1 Win=4880 Len=0 TSV=7915958 TSER=1258291254
23 2012-10-11 21:47:10.687200 2001:a:b:c::2 2a00:1450:400c:c00::71 TCP 4576 > http [SYN] Seq=0 Win=4880 Len=0 MSS=1220 SACK_PERM=1 TSV=7938945 TSER=0 WS=3
24 2012-10-11 21:47:10.723161 2a00:1450:400c:c00::71 2001:a:b:c::2 TCP http > 4576 [SYN, ACK] Seq=0 Ack=1 Win=14040 Len=0 MSS=1416 SACK_PERM=1 TSV=4213432269 TSER=7938945 WS=6
25 2012-10-11 21:47:10.723367 2001:a:b:c::2 2a00:1450:400c:c00::71 TCP 4576 > http [ACK] Seq=1 Ack=1 Win=4880 Len=0 TSV=7938949 TSER=4213432269
26 2012-10-11 21:47:11.679832 2001:a:b:c::2 2a00:1450:400c:c00::71 TCP 4576 > http [RST, ACK] Seq=1 Ack=1 Win=4880 Len=0 TSV=7939045 TSER=4213432269
39 2012-10-11 21:53:26.973629 2001:a:b:c::2 2a00:1450:400c:c00::64 TCP tsp > http [SYN] Seq=0 Win=4880 Len=0 MSS=1220 SACK_PERM=1 TSV=7976573 TSER=0 WS=3
40 2012-10-11 21:53:27.010125 2a00:1450:400c:c00::64 2001:a:b:c::2 TCP http > tsp [SYN, ACK] Seq=0 Ack=1 Win=14040 Len=0 MSS=1416 SACK_PERM=1 TSV=1285647236 TSER=7976573 WS=6
41 2012-10-11 21:53:27.010332 2001:a:b:c::2 2a00:1450:400c:c00::64 TCP tsp > http [ACK] Seq=1 Ack=1 Win=4880 Len=0 TSV=7976577 TSER=1285647236
42 2012-10-11 21:53:27.924804 2001:a:b:c::2 2a00:1450:400c:c00::64 TCP tsp > http [RST, ACK] Seq=1 Ack=1 Win=4880 Len=0 TSV=7976669 TSER=1285647236
43 2012-10-11 21:53:29.512238 2001:a:b:c::2 2a00:1450:400c:c00::64 TCP vaprtm > http [SYN] Seq=0 Win=4880 Len=0 MSS=1220 SACK_PERM=1 TSV=7976827 TSER=0 WS=3
44 2012-10-11 21:53:29.548810 2a00:1450:400c:c00::64 2001:a:b:c::2 TCP http > vaprtm [SYN, ACK] Seq=0 Ack=1 Win=14040 Len=0 MSS=1416 SACK_PERM=1 TSV=1272973116 TSER=7976827 WS=6
45 2012-10-11 21:53:29.549018 2001:a:b:c::2 2a00:1450:400c:c00::64 TCP vaprtm > http [ACK] Seq=1 Ack=1 Win=4880 Len=0 TSV=7976831 TSER=1272973116
46 2012-10-11 21:53:30.564834 2001:a:b:c::2 2a00:1450:400c:c00::64 TCP vaprtm > http [RST, ACK] Seq=1 Ack=1 Win=4880 Len=0 TSV=7976933 TSER=1272973116
57 2012-10-11 21:57:37.524683 2001:a:b:c::2 2a00:1450:400c:c00::8b TCP calltrax > http [SYN] Seq=0 Win=4880 Len=0 MSS=1220 SACK_PERM=1 TSV=8001628 TSER=0 WS=3
58 2012-10-11 21:57:37.560959 2a00:1450:400c:c00::8b 2001:a:b:c::2 TCP http > calltrax [SYN, ACK] Seq=0 Ack=1 Win=14040 Len=0 MSS=1416 SACK_PERM=1 TSV=1248690085 TSER=8001628 WS=6
59 2012-10-11 21:57:37.561170 2001:a:b:c::2 2a00:1450:400c:c00::8b TCP calltrax > http [ACK] Seq=1 Ack=1 Win=4880 Len=0 TSV=8001632 TSER=1248690085
60 2012-10-11 21:57:38.478161 2001:a:b:c::2 2a00:1450:400c:c00::8b TCP calltrax > http [RST, ACK] Seq=1 Ack=1 Win=4880 Len=0 TSV=8001724 TSER=1248690085
Some of the ports seen used by my router, but this seems to be randomly selected:
Code:
2a00:1450:400c:c00::8b near-end ports used:
3041 and 3042
3675
4091
2a00:1450:400c:c00::71 near-end ports used:
4576
2530 and 2531
2a00:1450:400c:c00::64 near-end ports used:
3653 and 3654
2a00:1450:400c:c00::66 near-end ports used:
4990
3252
3970 and 3971
The TCP packages are small, 72 or 80 bytes.
Is this expected?