0

I see a malformed packet in Wireshark from a Google IP address on port 2400 using R-GOOSE protocol, what could this be?

asked 2023-05-06 00:49:52 +0000

0internetuser1

updated 2023-05-06 22:07:36 +0000

https://imgur.com/a/ppsfRiw

    Some details below:

    Source Address: 34.76.137.175
    ISO 8602/X.234 CLTP ConnectionLess Transport Protocol
    [Protocols in frame: eth:ethertype:ip:udp:goose:cotp:goose]
    User Datagram Protocol, Src Port: 2400

1 Answer

0

answered 2023-05-06 13:59:28 +0000

Chuckc

This might be a greedy heuristic grabbing a frame that doesn't belong to it.
The dissector looks at a single byte to decide if the protocol is for it.

packet-goose.c:

    #define OSI_SPDU_GOOSE    0xA1 /* GOOSE */
    ...
        /* Is it R-GOOSE? */
        spdu = tvb_get_guint8(tvb, 0);
        if (spdu != OSI_SPDU_GOOSE) {
            return FALSE;
        }

It would help if you could provide a sample capture that contains the full packet and a few before it for context.


Comments

Here are 2 screenshots https://imgur.com/a/jUltnsz

0internetuser1 ( 2023-05-06 22:19:23 +0000 )
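
The single-byte check quoted in the answer above, modelled as an added example (not code from Wireshark or from the answer): it counts how many payload prefixes a one-byte heuristic claims and compares that with a stricter check. The second field in `heur_two_fields` is a hypothetical length byte, not the real R-GOOSE layout, and the sample payload is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define OSI_SPDU_GOOSE 0xA1 /* constant from the quoted excerpt */

/* Mirrors the quoted check: claim the payload if byte 0 is 0xA1. */
static int heur_one_byte(const uint8_t *p, size_t len)
{
    return len >= 1 && p[0] == OSI_SPDU_GOOSE;
}

/* Hypothetical stricter check (NOT the real R-GOOSE layout): also require
 * byte 1, treated as a length field, to equal the bytes that follow it. */
static int heur_two_fields(const uint8_t *p, size_t len)
{
    return len >= 2 && p[0] == OSI_SPDU_GOOSE && (size_t)p[1] == len - 2;
}

typedef int (*heur_fn)(const uint8_t *, size_t);

/* Try every 2-byte prefix on a payload of `len` bytes and return how many
 * of the 65536 prefixes the heuristic claims. */
static unsigned claimed_prefixes(heur_fn h, size_t len)
{
    uint8_t buf[64] = {0};
    unsigned hits = 0;
    if (len < 2 || len > sizeof buf)
        return 0;
    for (unsigned v = 0; v < 65536; v++) {
        buf[0] = (uint8_t)(v >> 8);
        buf[1] = (uint8_t)(v & 0xFF);
        hits += (unsigned)h(buf, len);
    }
    return hits;
}

/* Constructed payload (not from the asker's capture): unrelated bytes that
 * merely start with 0xA1. */
static const uint8_t unrelated[] = { 0xA1, 0x7F, 0x00, 0x13, 0x37, 0x42 };

int main(void)
{
    printf("one-byte claims unrelated payload: %d\n", heur_one_byte(unrelated, sizeof unrelated));
    printf("two-field claims unrelated payload: %d\n", heur_two_fields(unrelated, sizeof unrelated));
    printf("prefixes claimed of 65536: one-byte=%u two-field=%u\n",
           claimed_prefixes(heur_one_byte, 32), claimed_prefixes(heur_two_fields, 32));
    return 0;
}
```

A one-byte test claims 256 of the 65536 possible two-byte prefixes, so roughly one in 256 unrelated UDP payloads would be handed to the dissector and then reported as malformed.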
