# Strange traffic showing up in tcpdump



## sfara (Oct 2, 2013)

Ok, so I have this FreeBSD 8 server that has two NICs. I'm using NAT so one talks to the internet and the other to my internal network. 
`ifconfig` shows this:

```
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9<RXCSUM,VLAN_MTU>
        ether 00:50:04:31:9a:51
        inet 78.77.77.188 netmask 0xffffff80 broadcast 78.77.77.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active

rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:04:61:74:44:ac
        inet 172.27.0.1 netmask 0xffffff00 broadcast 172.27.0.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
```
When I `tcpdump` my external NIC (xl0), besides the usual traffic I get this weird broadcast traffic involving two MAC addresses that I can't identify, and I can't understand what this traffic actually is:

```
11:58:15.727791 00:09:0f:ff:9f:c8 (oui Unknown) > Broadcast, ethertype Unknown (0x8890), length 96:
        0x0000:  2900 0052 b246 4732 3030 4233 3931 3136  )..R.FG200B39116
        0x0010:  3130 3239 3900 16c2 0000 04b4 3b1d aa40  10299.......;..@
        0x0020:  ee28 dd7f c800 0000 1fba 8799 71bb 0c69  .(..........q..i
        0x0030:  3c37 6a16 6cd8 79cd 706f 7274 3133 0000  <7j.l.y.port13..
        0x0040:  0000 0000 0000 0000 0100 0000 0800 0000  ................
        0x0050:  0000                                     ..
11:58:15.781243 IP blabla.astral.ro.3199 > streamer2-2.distinctgroup.net.1935: Flags [.], ack 1981, win 17008, length 0
11:58:15.888705 00:09:0f:fa:56:e9 (oui Unknown) > Broadcast, ethertype Unknown (0x8890), length 96:
        0x0000:  2900 0052 b246 4732 3030 4233 3931 3136  )..R.FG200B39116
        0x0010:  3037 3532 3101 d815 0000 0545 3b1d aa40  07521......E;..@
        0x0020:  ee28 dd7f c800 0000 204c d240 9a8c 22e2  .(.......L.@..".
        0x0030:  1865 e869 18f8 2bc3 706f 7274 3133 0000  .e.i..+.port13..
        0x0040:  0000 0000 0000 0000 0100 0000 0800 0100  ................
        0x0050:  0000
```
Anyone got any idea what this is? I haven't tried changing the NIC for a new one yet; maybe something is wrong with the actual network card.
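The two ethertype 0x8890 frames quoted above, run through a small triage parser. This is an added example, not code from the post or from any vendor: it reads the `tcpdump -e -X` header and hex-dump lines, rebuilds the payload bytes, checks that 14 Ethernet header bytes plus the dumped payload equals the reported frame length (96), groups frames by the source OUI, and pulls out printable runs the way strings(1) would. On the sample this surfaces the `FG200B...` text and `port13` that the ASCII column only hints at, which is the kind of evidence you would take to the ISP. The `Frame` class, the function names and the `min_len=5` threshold are my choices; the dump text is pasted verbatim from the post as the constructed input.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input: the lines quoted in the post, pasted verbatim so
# the parser runs offline. The hex dump starts at the payload (tcpdump -X),
# so the 14-byte Ethernet header is not part of the bytes below.
SAMPLE_DUMP = """\
11:58:15.727791 00:09:0f:ff:9f:c8 (oui Unknown) > Broadcast, ethertype Unknown (0x8890), length 96:
        0x0000:  2900 0052 b246 4732 3030 4233 3931 3136  )..R.FG200B39116
        0x0010:  3130 3239 3900 16c2 0000 04b4 3b1d aa40  10299.......;..@
        0x0020:  ee28 dd7f c800 0000 1fba 8799 71bb 0c69  .(..........q..i
        0x0030:  3c37 6a16 6cd8 79cd 706f 7274 3133 0000  <7j.l.y.port13..
        0x0040:  0000 0000 0000 0000 0100 0000 0800 0000  ................
        0x0050:  0000                                     ..
11:58:15.781243 IP blabla.astral.ro.3199 > streamer2-2.distinctgroup.net.1935: Flags [.], ack 1981, win 17008, length 0
11:58:15.888705 00:09:0f:fa:56:e9 (oui Unknown) > Broadcast, ethertype Unknown (0x8890), length 96:
        0x0000:  2900 0052 b246 4732 3030 4233 3931 3136  )..R.FG200B39116
        0x0010:  3037 3532 3101 d815 0000 0545 3b1d aa40  07521......E;..@
        0x0020:  ee28 dd7f c800 0000 204c d240 9a8c 22e2  .(.......L.@..".
        0x0030:  1865 e869 18f8 2bc3 706f 7274 3133 0000  .e.i..+.port13..
        0x0040:  0000 0000 0000 0000 0100 0000 0800 0100  ................
        0x0050:  0000
"""


@dataclass
class Frame:
    timestamp: str
    src: str
    dst: str
    ethertype: int
    length: int            # frame length as reported by tcpdump (header + payload)
    payload: bytes = b""   # bytes reassembled from the hex-dump lines


# Header line tcpdump -e prints for an ethertype it does not decode.
HEADER_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>[0-9a-f:]{17}) \(oui \w+\) > "
    r"(?P<dst>[^,]+), ethertype \w+ \((?P<etype>0x[0-9a-fA-F]{4})\), length (?P<len>\d+):"
)


def parse_tcpdump(text: str) -> List[Frame]:
    """Collect frames that tcpdump printed with a raw ethertype header line.

    Fully decoded lines (the IP/TCP line in the sample) are skipped; indented
    "0x0010:  3130 3239 ...  10299..." lines are appended to the current frame.
    """
    frames: List[Frame] = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = Frame(m["ts"], m["src"], m["dst"].strip(),
                            int(m["etype"], 16), int(m["len"]))
            frames.append(current)
            continue
        stripped = line.strip()
        if current is not None and line[:1].isspace() and stripped.startswith("0x"):
            # offset, hex words, optional ASCII column are separated by 2+ spaces
            parts = re.split(r"\s{2,}", stripped)
            current.payload += bytes.fromhex(parts[1].replace(" ", ""))
        else:
            current = None  # any other line ends the hex dump
    return frames


def printable_runs(data: bytes, min_len: int = 5) -> List[str]:
    """Runs of printable ASCII, like strings(1). strings(1) defaults to 4, but 5
    keeps the accidental 4-char run "i<7j" in the first frame out of the result."""
    runs: List[str] = []
    buf: List[str] = []
    for b in data + b"\x00":  # sentinel flushes the final run
        if 0x20 <= b < 0x7F:
            buf.append(chr(b))
        else:
            if len(buf) >= min_len:
                runs.append("".join(buf))
            buf = []
    return runs


def oui(mac: str) -> str:
    """First three octets of a MAC, the vendor-assigned OUI ("00:09:0f")."""
    return mac[:8]


def triage(frames: List[Frame]) -> List[Dict[str, object]]:
    """One summary row per frame: sender, OUI, ethertype, length sanity, strings."""
    return [{
        "src": f.src,
        "oui": oui(f.src),
        "dst": f.dst,
        "ethertype": f"0x{f.ethertype:04x}",
        "length_consistent": 14 + len(f.payload) == f.length,
        "strings": printable_runs(f.payload),
    } for f in frames]


if __name__ == "__main__":
    for row in triage(parse_tcpdump(SAMPLE_DUMP)):
        print(row)
```

Both frames come from the same OUI and carry the same `FG200B39116` prefix followed by a device-specific suffix, which is what makes "same class of device, two different units on the shared segment" the more likely explanation than a faulty NIC on the FreeBSD box. Feed the parser real `tcpdump -e -X ether proto 0x8890` output to see how many distinct senders there are and how regularly they beacon.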


----------



## SirDice (Oct 2, 2013)

That looks like FortiGate traffic. Specifically FortiGate 200.

http://docs.fortinet.com/fgt/archiv...20040830_FortiGate-200_Installation_Guide.pdf


----------



## sfara (Oct 2, 2013)

Could it be that some external ISP equipment is causing this?


----------



## SirDice (Oct 2, 2013)

That's possible. Have you asked them if they have any FortiGate equipment? It's also possible the traffic is generated by another customer.


----------

