Who is injecting data into network packets.

See more:

network

TCP/IP

ISS

packets

I use a packet sniffer that i wrote myself and it's a bit like wireshark but is lightweight and seems to be doing a good job but i have noticed packets arriving from the internet after making TCP request out on port 80 for web-pages. This i can check by checking the packet sniffer IP address that also showns up in Syslogs. Note sure about the length of the time lag.

The strange data i am getting always looks the same with the same ID and this is happening on more than one machine with the same id in the data and the data part of the packet looks a bit like this.

"(Ref.Id: ?sufKKsWW98F4Cs2CEW6MM?)"

it's as if i am getting some type of late reply that makes it way past the NAT in the routers firewall due to timing or something and the other thing i have noticed is that the network windows size seems to always be zero which might have something to do with a buffer overrun.

The router i use is a Sonicwall (not much good without a licence, most nice to have's doing work unles you pay them money) so if thats not injecting these packets then it seems like my ISP must be behind this and are using a back-door hack to push data to my network since the router does not map any inbound packets.

I know for a fact that my ISP hijacks DNS lookup's and somehow manages to serve up HTTPS pages from it's servers using the hijacked lookup's so it's not something i would put past them.