Hello, I just came across this very strange unknown TCP option: Options: (28 bytes), Maximum segment size, No-Operation (NOP), No-Operation (NOP), SACK permitted, End of Option List (EOL)
It is 18 bytes long and contains the MAC address and IP address of the PC: 26|12|18|a9|05|cf|58|1a|cd|01|0a|63|c0|91|22|00|00|00 Anyone any idea? Should I be thinking virus?
I have found it myself. It seems to be an option inserted by JunOS Pulse VPN software when you enable JunOS WAN optimisation. The problem is that it changes all packets even when the software is not active, and it is incompatible with Riverbed optimisation because it takes too much space in the TCP option headers :-)

As I said, a WAN acceleration solution ;-)
(13 May '13, 14:37)
Kurt Knochner ♦
That's probably a load balancer (or a WAN accelerator) that uses this feature to add information about the original client connection (IP and MAC) to the load balanced backend server (or the next lb). See a similar question: http://ask.wireshark.org/questions/20697/tcp-option-171-added-in-syn-packet

What is the MAC address of the packet? Maybe the vendor code of the MAC address reveals a possible load balancing (or WAN acceleration) product.

Regards
According to http://www.iana.org/assignments/tcp-parameters/tcp-parameters.xml this option is a compression setting. Looks like the client has some kind of unusual/experimental stack setup and tries to negotiate/establish additional TCP parameters. I don't think this is a virus.
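
One way to walk the TCP options block described in the question and check whether an unrecognised option carries the sender's MAC or IPv4 address (an added example, not code from any poster in this thread). The 18 option bytes are the ones quoted in the question; the surrounding options block, the MSS value, and the MAC and IP strings passed in are assumptions constructed for illustration.

```python
import ipaddress

# Option kinds this sketch names; anything else is reported as "unknown".
KNOWN = {0: "EOL", 1: "NOP", 2: "MSS", 3: "Window scale",
         4: "SACK permitted", 5: "SACK", 8: "Timestamps"}

def parse_tcp_options(raw: bytes):
    """Walk the kind/length/value list; return [(kind, name, value_bytes)]."""
    out, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # EOL: everything after it is padding
            out.append((0, "EOL", b""))
            break
        if kind == 1:                      # NOP: single byte, no length field
            out.append((1, "NOP", b""))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError(f"option {kind} at offset {i} has no length byte")
        length = raw[i + 1]                # length covers kind + length + value
        if length < 2 or i + length > len(raw):
            raise ValueError(f"option {kind} at offset {i}: bad length {length}")
        out.append((kind, KNOWN.get(kind, "unknown"), raw[i + 2:i + length]))
        i += length
    return out

def find_host_ids(value: bytes, mac: str, ip: str):
    """Offsets in an option value where the given MAC / IPv4 appear (-1 if absent)."""
    mac_b = bytes.fromhex(mac.replace(":", ""))
    ip_b = ipaddress.IPv4Address(ip).packed
    return {"mac": value.find(mac_b), "ip": value.find(ip_b)}

# The 18-byte option quoted in the question (kind 0x26, length 0x12).
ODD_OPTION = bytes.fromhex("261218a905cf581acd010a63c09122000000")
# Constructed 28-byte options block in the order the question lists:
# MSS (1460 is a constructed value), NOP, NOP, SACK permitted, the option, EOL + pad.
OPTIONS = bytes.fromhex("020405b4" "01" "01" "0402") + ODD_OPTION + b"\x00\x00"

def report(raw: bytes, mac: str, ip: str):
    """Return (kind, total length, host-id offsets) for every option not in KNOWN."""
    return [(k, len(v) + 2, find_host_ids(v, mac, ip))
            for k, name, v in parse_tcp_options(raw) if name == "unknown"]

if __name__ == "__main__":
    # Assumed frame addresses, read off the quoted bytes for illustration only.
    print(report(OPTIONS, "18:a9:05:cf:58:1a", "10.99.192.145"))
```

In a real capture, pass the frame's Ethernet source and IP source to `report` instead of the assumed values.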