On 05/06/2012 06:38 PM, Frank Griffin wrote:
> On 05/06/2012 02:23 PM, imnotpc wrote:
>> Some of my mga2 boxes are recording lines like this:
>>
>> May 5 08:42:38 Cedar1 kernel: [2420746.469695] ll header: 00:11:09:01:8f:2b:00:18:4d:9d:dc:39:08:00
>> May 5 08:42:38 Cedar1 kernel: [2420746.470060] martian source 173.194.74.154 from 192.168.3.2, on dev eth0
>>
>> I don't know about 'martian', but those IPs are indeed unfamiliar and
>> not anything I'm aware of. Any idea what is causing this and if it is
>> something to be concerned about?
>
> Martians are IP packets which have a source or destination IP address
> that is in one of the "internal" ranges that are defined only for
> private network use, such as 10.x.x.x or 192.168.x.x.
>
> The message is less than clear, since both IPs are identified as
> "source" or "from", which leaves you guessing as to which was the
> source and which was the target, but the 192.168.3.2 address is the
> culprit.
>
> Either you're sending the packet, in which case you have a problem
> that needs to be addressed, or someone else is, in which case you can
> ignore the message.

My thanks to you, Maarten, and Doug for replying. I knew that packets in
private subnets are never forwarded by routers, one of the basic
security features of the IPv4 system. I had never heard them referred to
as martian before, but the name makes sense. Based on the destination of
the packets (Google, Facebook), my assumption is that these are not
malicious, and based on my knowledge of my network, I believe these are
originating from the wireless hosts as Doug indicated. I guess the only
part I still don't understand is how these packets are reaching the
kernel of the gateway through NAT and firewalls? Perhaps there is
something I don't understand about how IP traffic moves between hosts.
Jeff
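
Added example, not part of the original thread: a small Python decoder for the two kernel lines quoted above. In the kernel's "martian source" message the first address is the packet's destination and the address after "from" is its source; the example assumes an Ethernet interface, where the 14 `ll header` bytes are destination MAC, source MAC and EtherType. The function names are illustrative, and each line is decoded independently, with no assumption about which `ll header` line belongs to which martian line.

```python
import re
from ipaddress import ip_address

# Constructed sample: the two kernel lines quoted in the thread, unwrapped.
SAMPLE = (
    "May 5 08:42:38 Cedar1 kernel: [2420746.469695] ll header: "
    "00:11:09:01:8f:2b:00:18:4d:9d:dc:39:08:00\n"
    "May 5 08:42:38 Cedar1 kernel: [2420746.470060] martian source "
    "173.194.74.154 from 192.168.3.2, on dev eth0\n"
)

# The kernel prints the packet's destination first, then its source.
MARTIAN = re.compile(r"martian source ([\d.]+) from ([\d.]+), on dev (\S+)")
LL_HEADER = re.compile(r"ll header: ((?:[0-9a-f]{2}:)+[0-9a-f]{2})", re.I)
ETHERTYPES = {"0800": "IPv4", "0806": "ARP", "86dd": "IPv6"}


def decode_martian(line):
    """Return dst/src/interface from a 'martian source' line, else None."""
    m = MARTIAN.search(line)
    if not m:
        return None
    dst, src, dev = m.groups()
    return {"kind": "martian", "dst_ip": dst, "src_ip": src, "dev": dev,
            "src_is_private": ip_address(src).is_private}


def decode_ll_header(line):
    """Split a 14-byte Ethernet header dump into MACs and EtherType."""
    m = LL_HEADER.search(line)
    if not m:
        return None
    octets = m.group(1).lower().split(":")
    if len(octets) != 14:  # VLAN-tagged or non-Ethernet link layer
        return {"kind": "ll_header", "raw": m.group(1)}
    etype = "".join(octets[12:])
    return {"kind": "ll_header", "dst_mac": ":".join(octets[:6]),
            "src_mac": ":".join(octets[6:12]),
            "ethertype": ETHERTYPES.get(etype, "0x" + etype)}


def decode_log(text):
    """Decode every martian-related line; lines are handled independently."""
    records = (decode_martian(l) or decode_ll_header(l)
               for l in text.splitlines())
    return [r for r in records if r]


if __name__ == "__main__":
    for rec in decode_log(SAMPLE):
        print(rec)
```

The source MAC in an `ll header` line identifies the device on the local segment that transmitted the frame, which is the place to start when tracing where such packets enter the network.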