Hello, I just came across this very strange unknown TCP option:

Options: (28 bytes), Maximum segment size, No-Operation (NOP), No-Operation (NOP), SACK permitted, End of Option List (EOL)

It is 18 bytes long and contains the MAC address and IP address of the PC:

26|12|18|a9|05|cf|58|1a|cd|01|0a|63|c0|91|22|00|00|00

Anyone any idea? Should I be thinking virus?

asked 13 May '13, 06:00 geert
edited 13 May '13, 06:01
3 Answers:
I have found it myself. It seems to be an option inserted by JunOS Pulse VPN software when you enable JunOS WAN optimisation. The problem is that it changes all packets even when the software is not active, and it is incompatible with Riverbed optimisation because it takes too much space in the TCP option headers :-)

answered 13 May '13, 14:07 geert
That's probably a load balancer (or a WAN accelerator) that uses this feature to add information about the original client connection (IP and MAC) to the load balanced backend server (or the next lb). See a similar question: http://ask.wireshark.org/questions/20697/tcp-option-171-added-in-syn-packet

What is the MAC address of the packet? Maybe the vendor code of the MAC address reveals a possible load balancing (or WAN acceleration) product.

Regards

answered 13 May '13, 06:07 Kurt Knochner ♦
edited 13 May '13, 06:09
According to http://www.iana.org/assignments/tcp-parameters/tcp-parameters.xml this option is a compression setting. Looks like the client has some kind of unusual/experimental stack setup and tries to negotiate/establish additional TCP parameters. I don't think this is a virus.

answered 13 May '13, 06:07 Jasper ♦♦
As I said, a WAN acceleration solution ;-)
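
The options field from the question, walked as kind/length/value entries, as an added example that is not code from this thread or from Wireshark. It reads the posted bytes as hex (kind byte 0x26 is 38 decimal, length 0x12 is 18) and checks an unknown option's payload for a host's own MAC and IPv4 address. Assumptions: the surrounding 28-byte options field is constructed to match the summary line, and the MAC and IP values are readings of the dump, not values stated in the post.

```python
import ipaddress

# Option kinds this example names; anything else is reported as unknown.
KNOWN = {0: "EOL", 1: "NOP", 2: "MSS", 3: "Window scale",
         4: "SACK permitted", 5: "SACK", 8: "Timestamps"}

def parse_tcp_options(raw: bytes):
    """Walk the kind/length/value list; return (kind, name, payload) tuples."""
    out, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind in (0, 1):              # EOL and NOP are single bytes, no length
            out.append((kind, KNOWN[kind], b""))
            if kind == 0:
                break                   # everything after EOL is padding
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError(f"option {kind} at offset {i} has no length byte")
        length = raw[i + 1]             # length counts the kind and length bytes
        if length < 2 or i + length > len(raw):
            raise ValueError(f"option {kind} at offset {i} has bad length {length}")
        out.append((kind, KNOWN.get(kind, "unknown"), raw[i + 2:i + length]))
        i += length
    return out

def embedded_identifiers(payload: bytes, mac: str, ip: str):
    """Return {name: offset} for host identifiers found verbatim in a payload."""
    needles = {"mac": bytes.fromhex(mac.replace(":", "")),
               "ipv4": ipaddress.IPv4Address(ip).packed}
    return {name: payload.find(val) for name, val in needles.items()
            if val in payload}

# The 18 option bytes quoted in the question (hex, '|' separated).
POSTED = bytes.fromhex(
    "26|12|18|a9|05|cf|58|1a|cd|01|0a|63|c0|91|22|00|00|00".replace("|", ""))
# Constructed 28-byte options field: MSS 1460, NOP, NOP, SACK permitted,
# the posted option, EOL plus one pad byte. Only POSTED comes from the page.
OPTIONS = bytes.fromhex("020405b401010402") + POSTED + b"\x00\x00"

# Assumed readings of the dump; the post does not state the PC's addresses.
ASSUMED_MAC, ASSUMED_IP = "18:a9:05:cf:58:1a", "10.99.192.145"

if __name__ == "__main__":
    for kind, name, payload in parse_tcp_options(OPTIONS):
        print(f"kind={kind:3d} {name:15s} payload={payload.hex()}")
        if name == "unknown":
            print("   host identifiers at payload offsets:",
                  embedded_identifiers(payload, ASSUMED_MAC, ASSUMED_IP))
```

Run against a capture's SYN packets with the host's real MAC and IP, the same check shows whether an on-path or on-host product is writing endpoint identifiers into every connection.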