Re: Reply to all posters: mystery martian source from 127.0.0.1
Hi Moe,
I will concatenate the last two posts from you...
>>>Moe Trin wrote:
> Find some command lines - in one, run 'tcpdump -ni eth0' to watch the
> traffic on your eth0 interface. In another, run the command '/sbin/arp -a'
> and (assuming you have been using the network recently), there should be
> a line looking something like
>
> - <some.ip.address> at 00:09:7b:8d:98:70 on eth0
Yes,
80-219-224-1.dclient.hispeed.ch (80.219.224.1) at 00:09:7B:8D:98:70
[ether] on eth0
> That IP address is your modem. Now, telnet to that address as above,
> and look at where you are running the tcpdump - you should see some
> activity - look for a 'ttl' in the line where your router tells you to
> go away and not bother it.
A ping will show this:
64 bytes from 80.219.224.1: icmp_seq=1 ttl=255 time=7.01 ms
>>>The first hop while tracerouting any IP will always show up as (* * *):
>
>
> You'd have to look at the tcpdump while doing this. Some of these POS
> are configured to not send ICMP errors, and that is what traceroute
> depends on. Note - I'm assuming a UNIX style traceroute which uses UDP
> to ports > 33434, and not the b0rken microsoft imitation which uses ICMP
> type 8 (ping).
>
>
>>>A ping to the cablecom gateway will show:
>>>
>>>PING tengig-11-0.blxZHZ002.gw.cablecom.net (62.2.33.1) 56(84) bytes of data.
>>>64 bytes from tengig-11-0.blxZHZ002.gw.cablecom.net (62.2.33.1):
>>>icmp_seq=1 ttl=252 time=8.48 ms
>
>
> Again - ttl=252. The gateway is probably three hops away, starting value
> was 255.
It is as you say.
>>>The MAC of the modem (shown on a label in the back of it) is far
>>>different than the one shown in the martian packets.
>
>
> The martian was showing 00:09:7b:8d:98:70 which is a Cisco - what does the
> label say? Cisco has (as of early October) 271 different blocks of MAC
> addresses from 00:00:0c to 00:e0:fe
The MAC starts with 00:0E:9B. Actually I think it is configured as a
bridge, but I'm not sure about it.
------------
Moe Trin wrote:
> I don't think so, unless the Modem is behaving as a transparent bridge.
> That's not impossible, but it's also not likely.
>
>
> Here's how to tell if your modem is a bridge or not. While you are
> looking at the traffic, do you see any OTHER MAC addresses - or is all
> of the traffic using that same 00:09:7b:8d:98:70. Obviously, we don't
> count your own MAC address in this mess - but what about all others?
>
There is one more MAC shown, where all the broadcasts come from; it seems to
be another router.
> You got to talk to someone who can spell "IP" ??? Wow - that doesn't
> happen too often. ;-)
:-)
>>I still do not know what (in detail) causes the martian packets, but I
>>know where they come from and actually it is not my business anymore ;-).
>
>
> You could set your own firewall to ignore packets with a source of
> 127.0.0.0/8 on the eth0 interface. RFC2827 (and RFC3704) recommend such
> filtering.
I did already.
>
> 2827 Network Ingress Filtering: Defeating Denial of Service Attacks
> which employ IP Source Address Spoofing. P. Ferguson, D. Senie.
> May 2000. (Format: TXT=21258 bytes) (Obsoletes RFC2267) (Updated
> by RFC3704) (Also BCP0038) (Status: BEST CURRENT PRACTICE)
>
> 3704 Ingress Filtering for Multihomed Networks. F. Baker, P. Savola.
> March 2004. (Format: TXT=35942 bytes) (Updates RFC2827) (Also
> BCP0084) (Status: BEST CURRENT PRACTICE)
I surely will have a look at them.
>
> Normally, your ISP should be doing this - looks as if they are falling
> down on the concept.
Thanks a lot, Moe, for your advice. I have learned a lot. Too bad I
couldn't find out what the etherwhois is all about and where to get it,
but I assume it's one of yours, isn't it?
greetz,
Eric
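The three checks the thread walks through by hand (who sent the martian at the link layer, how far away a sender is from its TTL, and Moe's one-MAC-or-many test for whether the modem bridges or routes) can be done offline on a saved capture. The script below is an added example, not a tool from the thread and not anything Moe or Eric posted. The capture lines are constructed to resemble `tcpdump -e -n -v -i eth0` output; the only address taken from the thread is the modem's 00:09:7b:8d:98:70, and the other MAC and IP addresses are placeholders. The iptables rules it emits are the RFC 2827 style filtering Moe recommends, in the form of INPUT rules for a single-homed host.

```python
"""Offline triage of a link-level tcpdump capture: martian sources, TTL hop
estimate, and the one-MAC-or-many bridge test.  Added example, not from the
thread.  SAMPLE_CAPTURE is constructed; only 00:09:7b:8d:98:70 is from the
thread, every other address is a placeholder."""
import ipaddress
import re
from collections import Counter, namedtuple

Packet = namedtuple("Packet", "src_mac dst_mac ttl src_ip dst_ip")

MAC = r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})"
IP4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Hunt for the fields rather than the exact layout; tcpdump versions differ.
LINE_RE = re.compile(
    rf"^\S+\s+{MAC} > {MAC},.*?\bttl (\d+).*?\)\s+{IP4}(?:\.\d+)? > {IP4}",
    re.IGNORECASE,
)

# Sources that can never legitimately arrive from the Internet side of an
# access link (the classic martians): this-network, RFC 1918 private space,
# loopback, link-local, multicast and the reserved 240/4 block.
MARTIAN_SOURCES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Common initial TTLs; the sender is (initial - observed) hops away.  This is
# a heuristic: it assumes the sending stack started from one of these values.
INITIAL_TTLS = (32, 64, 128, 255)

OWN_MAC = "02:00:00:aa:bb:01"  # placeholder for this host's eth0 address

SAMPLE_CAPTURE = [  # constructed, not a real capture
    "10:21:07.100000 02:00:00:aa:bb:01 > 00:09:7b:8d:98:70, ethertype IPv4 (0x0800), "
    "length 98: (tos 0x0, ttl 64, id 55, offset 0, flags [DF], proto ICMP (1), "
    "length 84) 80.219.224.55 > 62.2.33.1: ICMP echo request, id 4242, seq 1, length 64",
    "10:21:07.107000 00:09:7b:8d:98:70 > 02:00:00:aa:bb:01, ethertype IPv4 (0x0800), "
    "length 98: (tos 0x0, ttl 255, id 0, offset 0, flags [none], proto ICMP (1), "
    "length 84) 80.219.224.1 > 80.219.224.55: ICMP echo reply, id 4242, seq 1, length 64",
    "10:21:08.108000 00:09:7b:8d:98:70 > 02:00:00:aa:bb:01, ethertype IPv4 (0x0800), "
    "length 98: (tos 0x0, ttl 252, id 0, offset 0, flags [none], proto ICMP (1), "
    "length 84) 62.2.33.1 > 80.219.224.55: ICMP echo reply, id 4242, seq 2, length 64",
    "10:21:09.200000 00:09:7b:8d:98:70 > 02:00:00:aa:bb:01, ethertype IPv4 (0x0800), "
    "length 92: (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto UDP (17), "
    "length 78) 127.0.0.1.137 > 80.219.224.55.137: UDP, length 50",
    "10:21:09.900000 02:00:00:cc:dd:02 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), "
    "length 342: (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), "
    "length 328) 80.219.224.2.67 > 255.255.255.255.68: UDP, length 300",
]


def parse_tcpdump(lines):
    """Return a Packet for every line carrying a link-level header and a TTL."""
    packets = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            smac, dmac, ttl, sip, dip = m.groups()
            packets.append(Packet(smac.lower(), dmac.lower(), int(ttl), sip, dip))
    return packets


def is_martian(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MARTIAN_SOURCES)


def martians(packets):
    """Packets an RFC 2827 ingress filter on the access link should have dropped."""
    return [p for p in packets if is_martian(p.src_ip)]


def hop_distance(ttl):
    """Hops from a received TTL: 255 -> 0 (directly attached), 252 -> 3."""
    initial = min(t for t in INITIAL_TTLS if t >= ttl)
    return initial - ttl


def foreign_macs(packets, own_mac):
    """Frames per source MAC, ignoring our own."""
    return Counter(p.src_mac for p in packets if p.src_mac != own_mac.lower())


def modem_is_bridge(packets, own_mac):
    """Moe's test: one foreign MAC means the modem routes (every frame carries
    its address); several mean frames pass through it, i.e. it bridges."""
    return len(foreign_macs(packets, own_mac)) > 1


def ingress_filter_rules(iface, prefixes=MARTIAN_SOURCES):
    """iptables INPUT rules dropping martian sources arriving on iface.
    A box that also forwards traffic needs the same rules on FORWARD."""
    return [f"iptables -A INPUT -i {iface} -s {net} -j DROP" for net in prefixes]


if __name__ == "__main__":
    pkts = parse_tcpdump(SAMPLE_CAPTURE)
    for p in martians(pkts):
        print(f"martian source {p.src_ip} arrived in a frame from {p.src_mac}")
    for p in pkts:
        print(f"{p.src_ip:>15} ttl={p.ttl:<3} about {hop_distance(p.ttl)} hops away")
    print("foreign MACs:", dict(foreign_macs(pkts, OWN_MAC)))
    print("modem looks like a bridge:", modem_is_bridge(pkts, OWN_MAC))
    print("\n".join(ingress_filter_rules("eth0")))
```

Run it against a real `tcpdump -e -n -v -i eth0 -l | tee capture.txt` session and feed the file in place of SAMPLE_CAPTURE. Two caveats: the hop estimate only holds for stacks that start from one of the usual initial TTLs, and a single foreign MAC does not prove routing if there is simply only one other device on the segment, so watch for broadcasts from other sources before concluding, as Eric did.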