
Hello,

I just came across this very strange unknown TCP option:

Options: (28 bytes), Maximum segment size, No-Operation (NOP), No-Operation (NOP), SACK permitted, End of Option List (EOL)

    Maximum segment size: 1460 bytes
    No-Operation (NOP)
    No-Operation (NOP)
    TCP SACK Permitted Option: True
    Unknown (0x26) (18 bytes)
    End of Option List (EOL)

It is 18 bytes long and contains the MAC address and IP address of the PC:

26|12|18|a9|05|cf|58|1a|cd|01|0a|63|c0|91|22|00|00|00

Anyone any idea? Should I be thinking virus?

asked 13 May '13, 06:00


geert

edited 13 May '13, 06:01
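To see what is actually sitting in that 28-byte option space, here is a small option walker, added as an example and not part of the question or of any answer. It reconstructs the option bytes from the Wireshark summary above (MSS 1460 is kind 2 length 4 value 0x05b4, SACK permitted is kind 4 length 2, the 18 bytes of kind 0x26 are copied verbatim, then EOL and one byte of padding to make 28), walks them the way a TCP stack does, and flags any kind that is not in the everyday set. The byte layout inside the 0x26 payload is not documented on this page, so the parser only exposes it as raw hex rather than guessing field boundaries.

```python
"""Walk a TCP options field, decode the common kinds and flag anything else.

Added example. SAMPLE_OPTIONS is reconstructed from the Wireshark summary
in the question; the kind-0x26 bytes are the ones quoted there.
"""
import struct

# The option kinds an ordinary stack emits; anything else is worth a look.
KNOWN_KINDS = {
    0: "End of Option List (EOL)",
    1: "No-Operation (NOP)",
    2: "Maximum segment size",
    3: "Window scale",
    4: "SACK permitted",
    5: "SACK",
    8: "Timestamps",
}

# 28 bytes: MSS 1460, NOP, NOP, SACK permitted, kind 0x26 (18 bytes), EOL, pad.
SAMPLE_OPTIONS = bytes.fromhex(
    "020405b4" "01" "01" "0402"
    "261218a905cf581acd010a63c09122000000"
    "00" "00"
)


def parse_tcp_options(data: bytes) -> list:
    """Return one dict per option: kind, name, length, payload.

    Kinds 0 and 1 are single-byte options; every other kind is TLV where the
    length byte counts the kind and length bytes themselves (RFC 793).
    A malformed length raises ValueError instead of resynchronising, since
    the point here is to notice odd data in the option space, not hide it.
    """
    options = []
    i = 0
    while i < len(data):
        kind = data[i]
        if kind == 0:
            options.append({"kind": 0, "name": KNOWN_KINDS[0], "length": 1, "payload": b""})
            break  # EOL: whatever follows is padding
        if kind == 1:
            options.append({"kind": 1, "name": KNOWN_KINDS[1], "length": 1, "payload": b""})
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError(f"kind {kind} at offset {i}: missing length byte")
        length = data[i + 1]
        if length < 2:
            raise ValueError(f"kind {kind} at offset {i}: invalid length {length}")
        if i + length > len(data):
            raise ValueError(f"kind {kind} at offset {i}: runs past end of option space")
        options.append({
            "kind": kind,
            "name": KNOWN_KINDS.get(kind, f"Unknown (0x{kind:02x})"),
            "length": length,
            "payload": bytes(data[i + 2:i + length]),
        })
        i += length
    return options


def unknown_option_kinds(options: list) -> list:
    """Kinds present in the segment that are not in KNOWN_KINDS, sorted."""
    return sorted({o["kind"] for o in options if o["kind"] not in KNOWN_KINDS})


def describe_payload(option: dict) -> str:
    """Readable value for the common kinds, a pipe-separated hex dump otherwise."""
    kind, payload = option["kind"], option["payload"]
    if kind == 2 and len(payload) == 2:
        return f"{struct.unpack('!H', payload)[0]} bytes"
    if kind == 3 and len(payload) == 1:
        return f"shift {payload[0]}"
    if kind == 8 and len(payload) == 8:
        tsval, tsecr = struct.unpack("!II", payload)
        return f"TSval {tsval}, TSecr {tsecr}"
    return payload.hex("|") if payload else ""


if __name__ == "__main__":
    parsed = parse_tcp_options(SAMPLE_OPTIONS)
    for opt in parsed:
        print(f"{opt['name']:28} len={opt['length']:2} {describe_payload(opt)}")
    print("unknown kinds:", unknown_option_kinds(parsed))
```

Running it lists the six options in the order Wireshark shows them and reports kind 38 (0x26) as the only unknown one, with its 16 payload bytes printed as hex. Note that 0x26 is decimal 38, so when checking the IANA registry you want entry 38, not 26. Reading the payload by eye, the first six bytes look like a MAC address and the four bytes at payload offset 8 (0a 63 c0 91) read as a dotted IPv4 address, which is consistent with what the question says the option carries; the vendor's actual field layout is not on this page, so the code deliberately does not hard-code it.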


I have found it myself. It seems to be an option inserted by JunOS Pulse VPN software when you enable JunOS WAN optimisation. Problem is that it changes all packets even when the software is not active, and it is incompatible with Riverbed optimisation because it takes too much space in the TCP option headers :-)


answered 13 May '13, 14:07


geert

As I said, a WAN acceleration solution ;-)

(13 May '13, 14:37) Kurt Knochner ♦

That's probably a load balancer (or a WAN accelerator) that uses this feature to add information about the original client connection (IP and MAC) to the load balanced backend server (or the next lb).

See a similar question: http://ask.wireshark.org/questions/20697/tcp-option-171-added-in-syn-packet

What is the MAC address of the packet? Maybe the vendor code of the MAC address reveals a possible load balancing (or WAN acceleration) product.

Regards
Kurt


answered 13 May '13, 06:07


Kurt Knochner ♦

edited 13 May '13, 06:09

According to http://www.iana.org/assignments/tcp-parameters/tcp-parameters.xml this option is a compression setting. Looks like the client has some kind of unusual/experimental stack setup and tries to negotiate/establish additional TCP parameters.

I don't think this is a virus.


answered 13 May '13, 06:07


Jasper ♦♦
