failed to receive protocol zero byte

  • failed to receive protocol zero byte

    On one of our Solaris systems we are getting the following error. The source is the 2008 R2 DC and the Solaris system is using this DC as DNS only.

    connection from hostname (x.x.x.6) - bad port
    [ID 776819 daemon.error] failed to receive protocol zero byte

    What is causing this error?

  • #2
    Re: failed to receive protocol zero byte

    From what I can see it looks like someone or something has attempted to scan or log on to your system.

    https://www.google.com.au/search?sou...63...........0.



    • #3
      Re: failed to receive protocol zero byte

      It's a 2008 R2 DC in production. I have tried the Sysinternals TCPView tool but I could not trace the application/culprit. What is the best way to trace the application and the port number?



      • #4
        Re: failed to receive protocol zero byte

        I believe I've seen such a message before on Cisco devices... However I'm not sure anymore, it's been a long time.
        IIRC it might have to do with Windows 2008 R2 using DNSSEC by default and your Solaris system not understanding that.

        Try using snoop to verify this
        Marcel
        Technical Consultant
        Netherlands
        http://www.phetios.com
        http://blog.nessus.nl

        MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
        "No matter how secure, there is always the human factor."

        "Enjoy life today, tomorrow may never come."
        "If you're going through hell, keep going. ~Winston Churchill"



        • #5
          Re: failed to receive protocol zero byte

          As per snoop, the following are the details of the connection attempts. I need to trace the application which is causing this traffic. It even makes rshell/ftp/rlogin attempts.

          Windows DC = Source.2008RDC
          Destination = Destination_SolarisHost

          944 0.00000 Destination_SolarisHost -> Source.2008RDC TELNET R port=62868
          945 0.00042 Source.2008RDC -> Destination_SolarisHost TELNET C port=62868
          946 0.00026 Destination_SolarisHost -> Source.2008RDC TCP D=62867 S=22 Fin Ack=3658292982 Seq=2275714174 Len=0 Win=49640
          947 0.00033 Source.2008RDC -> Destination_SolarisHost TCP D=22 S=62867 Ack=2275714175 Seq=3658292982 Len=0 Win=256
          948 0.01734 Destination_SolarisHost -> Source.2008RDC DAYTIME R port=62865 Fri Feb 1 16:21:32
          949 0.00032 Source.2008RDC -> Destination_SolarisHost DAYTIME C port=62865
          950 0.00035 Source.2008RDC -> Destination_SolarisHost SMTP C port=62869
          951 0.00030 Destination_SolarisHost -> Source.2008RDC DAYTIME R port=62865
          952 0.00000 Destination_SolarisHost -> Source.2008RDC SMTP R port=62869
          953 0.00031 Source.2008RDC -> Destination_SolarisHost SMTP C port=62869
          954 0.00443 Source.2008RDC -> Destination_SolarisHost TCP D=111 S=62870 Syn Seq=2145196229 Len=0 Win=8192 Options=<mss 1460,nop,wscale 8,nop,nop,sackOK>
          955 0.00004 Destination_SolarisHost -> Source.2008RDC TCP D=62870 S=111 Syn Ack=2145196230 Seq=2276143769 Len=0 Win=49640 Options=<mss 1460,nop,wscale 0,nop,nop,sackOK>
          956 0.00027 Source.2008RDC -> Destination_SolarisHost TCP D=111 S=62870 Ack=2276143770 Seq=2145196230 Len=0 Win=256
          957 0.00003 Source.2008RDC -> Destination_SolarisHost PORTMAP C DUMP
          958 0.00002 Destination_SolarisHost -> Source.2008RDC TCP D=62870 S=111 Ack=2145196274 Seq=2276143770 Len=0 Win=49596
          959 0.00032 Source.2008RDC -> Destination_SolarisHost RLOGIN C port=62871
          960 0.00003 Destination_SolarisHost -> Source.2008RDC RLOGIN R port=62871
          961 0.00030 Source.2008RDC -> Destination_SolarisHost RLOGIN C port=62871
          962 0.00003 Source.2008RDC -> Destination_SolarisHost RLOGIN C port=62871 \0\0\0xterm/38400\0\377\377ss\0
          963 0.00002 Destination_SolarisHost -> Source.2008RDC RLOGIN R port=62871
          964 0.00043 Destination_SolarisHost -> Source.2008RDC PORTMAP R DUMP 36 map(s) found
          965 0.00019 Destination_SolarisHost -> Source.2008RDC DAYTIME R port=62865
          966 0.00025 Source.2008RDC -> Destination_SolarisHost TCP D=111 S=62870 Fin Ack=2276144522 Seq=2145196274 Len=0 Win=253
          967 0.00004 Destination_SolarisHost -> Source.2008RDC TCP D=62870 S=111 Ack=2145196275 Seq=2276144522 Len=0 Win=49640
          968 0.00009 Destination_SolarisHost -> Source.2008RDC TCP D=62870 S=111 Fin Ack=2145196275 Seq=2276144522 Len=0 Win=49640
          969 0.00021 Source.2008RDC -> Destination_SolarisHost DAYTIME C port=62865
          970 0.00005 Source.2008RDC -> Destination_SolarisHost RSHELL C port=62872
          971 0.00003 Source.2008RDC -> Destination_SolarisHost TCP D=111 S=62870 Ack=2276144523 Seq=2145196275 Len=0 Win=253
          972 0.00002 Destination_SolarisHost -> Source.2008RDC RSHELL R port=62872
          973 0.00027 Source.2008RDC -> Destination_SolarisHost TCP D=4045 S=62873 Syn Seq=3945066901 Len=0 Win=8192 Options=<mss 1460,nop,wscale 8,nop,nop,sackOK>
          974 0.00003 Destination_SolarisHost -> Source.2008RDC TCP D=62873 S=4045 Syn Ack=3945066902 Seq=2276444436 Len=0 Win=32804 Options=<mss 1460,nop,wscale 5,nop,nop,sackOK>
          975 0.00032 Source.2008RDC -> Destination_SolarisHost RSHELL C port=62872
          976 0.00004 Source.2008RDC -> Destination_SolarisHost TCP D=4045 S=62873 Ack=2276444437 Seq=3945066902 Len=0 Win=256
          977 0.00685 Destination_SolarisHost -> Source.2008RDC AUTH C port=55071
          978 0.00018 Source.2008RDC -> Destination_SolarisHost AUTH R port=55071
          979 0.00245 Destination_SolarisHost -> Source.2008RDC SMTP R port=62869 220 Destination_SolarisHost
          980 0.00038 Source.2008RDC -> Destination_SolarisHost SMTP C port=62869 HELO anon.com\r\n
          981 0.00085 Destination_SolarisHost -> Source.2008RDC SMTP R port=62869
          982 0.00028 Destination_SolarisHost -> Source.2008RDC SMTP R port=62869 250 Destination_SolarisHost.
          983 0.00030 Source.2008RDC -> Destination_SolarisHost SMTP C port=62869 QUIT\r\n

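The capture in this post can be triaged mechanically: the question is which host is initiating the connections, how many distinct services it touches, and in how short a window. The Python below is an added example written for this thread, not code from the original post or from Sun/Oracle. It parses snoop's one-line summary format, decides the client side of each frame (the `C`/`R` marker on application-level lines, the well-known port on raw `TCP` lines) and flags an initiator that hits several services within a second. The service/port table, the thresholds, and the `classify`, `summarize` and `scan_like` names are assumptions; the embedded frames are an excerpt of the ones posted above.

```python
"""Triage a snoop(1M) summary capture: which host is initiating connections,
to how many distinct services, and in how short a window.

Added example for this thread, not code from the original post or from
Sun/Oracle.  SAMPLE is an excerpt of the frames in post #5; the service/port
table and the scan-like thresholds are our own assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed mapping of well-known TCP ports to names (4045 is Solaris lockd).
SERVICE_PORTS = {13: "daytime", 22: "ssh", 23: "telnet", 25: "smtp", 111: "portmap",
                 113: "auth", 513: "rlogin", 514: "rshell", 4045: "lockd"}
# snoop's application labels for lines that carry no explicit D=/S= ports.
SERVICE_BY_NAME = {"DAYTIME": 13, "TELNET": 23, "SMTP": 25, "PORTMAP": 111,
                   "AUTH": 113, "RLOGIN": 513, "RSHELL": 514}

# Excerpt of the capture in post #5.  Frames between the ones kept were dropped,
# so the delta column only yields a lower bound on elapsed time.
SAMPLE = r"""
944 0.00000 Destination_SolarisHost -> Source.2008RDC TELNET R port=62868
945 0.00042 Source.2008RDC -> Destination_SolarisHost TELNET C port=62868
946 0.00026 Destination_SolarisHost -> Source.2008RDC TCP D=62867 S=22 Fin Ack=3658292982 Seq=2275714174 Len=0 Win=49640
948 0.01734 Destination_SolarisHost -> Source.2008RDC DAYTIME R port=62865 Fri Feb 1 16:21:32
950 0.00035 Source.2008RDC -> Destination_SolarisHost SMTP C port=62869
954 0.00443 Source.2008RDC -> Destination_SolarisHost TCP D=111 S=62870 Syn Seq=2145196229 Len=0 Win=8192 Options=<mss 1460,nop,wscale 8,nop,nop,sackOK>
957 0.00003 Source.2008RDC -> Destination_SolarisHost PORTMAP C DUMP
959 0.00032 Source.2008RDC -> Destination_SolarisHost RLOGIN C port=62871
962 0.00003 Source.2008RDC -> Destination_SolarisHost RLOGIN C port=62871 \0\0\0xterm/38400\0\377\377ss\0
970 0.00005 Source.2008RDC -> Destination_SolarisHost RSHELL C port=62872
973 0.00027 Source.2008RDC -> Destination_SolarisHost TCP D=4045 S=62873 Syn Seq=3945066901 Len=0 Win=8192 Options=<mss 1460,nop,wscale 8,nop,nop,sackOK>
977 0.00685 Destination_SolarisHost -> Source.2008RDC AUTH C port=55071
980 0.00038 Source.2008RDC -> Destination_SolarisHost SMTP C port=62869 HELO anon.com\r\n
"""

# frame number, delta seconds, src -> dst, protocol label, remaining detail
LINE_RE = re.compile(r"^\s*(\d+)\s+([\d.]+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*(.*)$")
PORT_RE = re.compile(r"\b([DS])=(\d+)\b")


@dataclass
class ClientActivity:
    ports: set = field(default_factory=set)   # distinct service ports touched
    frames: int = 0                           # frames in which this host is the client
    window: float = 0.0                       # seconds from its first to its last frame


def classify(src, dst, proto, detail):
    """Return (client, server, service_port) for one frame, or None if undecidable."""
    if proto == "TCP":
        ports = {k: int(v) for k, v in PORT_RE.findall(detail)}
        if "D" not in ports or "S" not in ports:
            return None
        d, s = ports["D"], ports["S"]
        # The well-known side is the server; if neither is known, take the lower port.
        if d in SERVICE_PORTS or (s not in SERVICE_PORTS and d < s):
            return src, dst, d
        return dst, src, s
    if proto in SERVICE_BY_NAME:
        direction = detail.split()[0] if detail else ""
        if direction == "C":        # client -> server
            return src, dst, SERVICE_BY_NAME[proto]
        if direction == "R":        # server reply, so the client is the destination
            return dst, src, SERVICE_BY_NAME[proto]
    return None


def summarize(lines):
    """Group frames by the initiating host; returns {client: ClientActivity}."""
    activity = defaultdict(ClientActivity)
    first_seen = {}
    elapsed = 0.0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        _frame, delta, src, dst, proto, detail = m.groups()
        elapsed += float(delta)
        hit = classify(src, dst, proto, detail)
        if hit is None:
            continue
        client, _server, port = hit
        act = activity[client]
        act.ports.add(port)
        act.frames += 1
        first_seen.setdefault(client, elapsed)
        act.window = elapsed - first_seen[client]
    return dict(activity)


def scan_like(activity, min_services=5, max_window=1.0):
    """Clients that touched >= min_services distinct services inside max_window seconds.
    The thresholds are assumptions; tune them to the environment."""
    flagged = []
    for client, act in sorted(activity.items()):
        if len(act.ports) >= min_services and act.window <= max_window:
            names = [SERVICE_PORTS.get(p, f"tcp/{p}") for p in sorted(act.ports)]
            flagged.append((client, names, act.window))
    return flagged


if __name__ == "__main__":
    acts = summarize(SAMPLE.splitlines())
    for client, names, window in scan_like(acts):
        print(f"{client}: {len(names)} services in {window * 1000:.1f} ms -> {', '.join(names)}")
```

Run against the excerpt, only Source.2008RDC is flagged: eight distinct services (daytime, ssh, telnet, smtp, portmap, rlogin, rshell, lockd) within a few tens of milliseconds, which is the sweep pattern the earlier reply described. The one frame where the Solaris host is itself the initiator is the AUTH (ident, port 113) query it sends back toward the connecting host; a capture taken on only one side would still count that as Solaris-originated activity, which is why comparing captures from both ends, as suggested in the next reply, matters before attributing the traffic.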


          • #6
            Re: failed to receive protocol zero byte

            You think it comes from the Windows system, but I don't see what the Solaris host is sending towards the DC.
            Usually you should capture both interfaces on both systems and compare them with something like wireshark or such. To trace it you need the complete traffic flow.
            Marcel



            • #7
              Re: failed to receive protocol zero byte

              It's the McAfee on the server sending junk traffic.
