OOPS :< - that didn't look too good - here it is, a little easier on the eyes
hopefully.  Sorry for the repost.


Found out some more info for this issue - forgot to mail to the list
previously, but here is pretty much everything you ever wanted to
know about those pesky martian packets:

as you explained

>       martian source 3edb5d3f for 03db5d3f, dev eth1

        3edb5d3f == 63.93.219.62 = source IP
        03db5d3f == 63.93.219.3  = destination IP (may actually be your
        subnet broadcast address on the external interface - can't tell
        without gateway and subnet info tho)

now for the header

        ll header: ff ff ff ff ff ff 00 30 c1 d8 b6 80 08 06

ff ff ff ff ff ff = destination MAC address - this equates to a binary of
11111111 11111111 11111111 11111111 11111111 11111111 or simply a broadcast
to anything on the LAN with a MAC address - probably shouldn't be forwarded
off the LAN in any case

00 30 c1 d8 b7 80 = Source MAC address

Remaining characters define the ARP Protocol type:

arp packet type    08:06
arp_hrd            00:01               /* Ethernet1*/
arp_prot           08:00               /* IP=0x800 */
arp_hlen           06                  /* hlen = 6 */
arp_plen           04                  /* plen = 4 */
arp_op             00:01               /* arp ARP_REQ*/
arp_sha            00:c0:7b:61:44:fe   /* 123 */
arp_spa            cc:b2:d7:7b         /* 123 */
arp_tha            00:00:00:00:00:00
arp_tpa            cc:b2:d7:13         /* 19 */

All info gathered from

http://www.cpm.ru/service/manuals/pipeline/pipe130/6.0.0/usergde/filter.htm

and

http://lists.suse.com/archive/suse-linux-e/2000-Jul/0282.html

Hope it helps a little

Simon

>
>>From: "Michael D. Schleif" <[EMAIL PROTECTED]>
>>Reply-To: [EMAIL PROTECTED]
>>To: LEAF <[EMAIL PROTECTED]>
>>Subject: [Leaf-user] Martians: please, help track this one down ???
>>Date: Mon, 29 Oct 2001 22:33:15 -0600
>>
>>
>>Yes, I know what martians are.  Yes, I know how they can occur.
>>
>>No, I do not know how to locate and eradicate this one ;<
>>
>>      martian source 3edb5d3f for 03db5d3f, dev eth1
>>      ll header: ff ff ff ff ff ff 00 30 c1 d8 b6 80 08 06
>>
>>      3edb5d3f == 63.93.219.62
>>      03db5d3f == 63.93.219.3
>>
>>However, now that I know that it's there, on a network from which it
>>cannot escape, *HOW* do I track it down?
>>
>>How do we interpret that second line?
>>
>>Am I right in assuming that the MAC address is buried somewhere in line
>>2?
>>
>>Anybody have any suggestions on how to locate this ugly bugger?
>>
>>What do you think?
>>
>>--
>>
>>Best Regards,
>>
>>mds
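
An added example, not part of the original posts: a Python parser for the two kernel log lines discussed in this thread. It decodes the hex addresses in the byte order the reply uses and splits the 14-byte link-layer header into destination MAC, source MAC and EtherType; the function names and the SAMPLE_LOG constant are assumptions made for this example.

```python
import re
import socket

# Constructed sample: the two log lines quoted in the thread.
SAMPLE_LOG = """\
martian source 3edb5d3f for 03db5d3f, dev eth1
ll header: ff ff ff ff ff ff 00 30 c1 d8 b6 80 08 06
"""

MARTIAN_RE = re.compile(
    r"martian source ([0-9a-f]{8}) for ([0-9a-f]{8}), dev (\S+)", re.I)
LL_RE = re.compile(r"ll header:((?: [0-9a-f]{2}){14})", re.I)
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP"}


def hex_to_ip(word):
    """Decode an 8-digit hex word as the reply does: bytes reversed."""
    return socket.inet_ntoa(bytes.fromhex(word)[::-1])


def parse_ll_header(hex_bytes):
    """Split an Ethernet header into dst MAC, src MAC and EtherType."""
    raw = bytes.fromhex(hex_bytes.replace(" ", ""))
    dst, src = raw[0:6], raw[6:12]
    etype = int.from_bytes(raw[12:14], "big")
    return {
        "dst_mac": dst.hex(":"),
        "src_mac": src.hex(":"),          # the station to look for on the LAN
        "broadcast": dst == b"\xff" * 6,  # all ones = LAN broadcast
        "ethertype": ETHERTYPES.get(etype, hex(etype)),
    }


def parse_martians(log_text):
    """Pair each 'martian source' line with the 'll header' line after it."""
    events = []
    for line in log_text.splitlines():
        m = MARTIAN_RE.search(line)
        if m:
            events.append({"src_ip": hex_to_ip(m.group(1)),
                           "dst_ip": hex_to_ip(m.group(2)),
                           "dev": m.group(3)})
            continue
        m = LL_RE.search(line)
        if m and events:
            events[-1].update(parse_ll_header(m.group(1)))
    return events


if __name__ == "__main__":
    for event in parse_martians(SAMPLE_LOG):
        print(event)
```
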








_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
