Christer Solskogen wrote:
[EMAIL PROTECTED] ~]# tcpdump -vvv -n -l -e arptcpdump: listening on nfe0, link-type EN10MB (Ethernet), capture size 96 bytes 08:58:46.337968 00:1d:60:36:34:a6 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 192.168.0.3 tell 192.168.0.12 08:58:46.337974 00:18:f3:29:d8:15 > 00:1d:60:36:34:a6, ethertype ARP (0x0806), length 42: arp reply 192.168.0.3 is-at 00:18:f3:29:d8:15
...snip...
There is this line saying: 00:1d:60:36:34:a6 > ff:ff:ff:ff:ff:ff and nothing has ff:ff:ff:ff:ff:ff as a mac address :)
ff:ff:ff:ff:ff:ff is the broadcast address. That looks like a rather mundane arp request broadcast followed by a reply from the machine with the address in question.
The trick will be to see if you see anything with tcpdump at the time one of the syslog messages about 0.0.0.0 gets logged.
BTW, just for the record, personally I doubt this is anything serious to worry about, but as I have no real evidence for that feeling.... You may, however, find http://en.wikipedia.org/wiki/0.0.0.0 at least mildly interesting.
--Jon Radel
smime.p7s
Description: S/MIME Cryptographic Signature
