On Mon, 12 Dec 2005, in the Usenet newsgroup comp.os.linux.security, in article
<dnks7p$43f$1@news.hispeed.ch>, EricT wrote:
>Moe Trin wrote:
>> In another, run the command '/sbin/arp -a' and (assuming you have
>> been using the network recently), there should be a line looking
>> something like
>>
>> - <some.ip.address> at 00:09:7b:8d:98:70 on eth0
>
>yes,
>80-219-224-1.dclient.hispeed.ch (80.219.224.1) at 00:09:7B:8D:98:70
>[ether] on eth0
That's the IP of the system you received the packet from, BUT:
>A ping will show this:
>64 bytes from 80.219.224.1: icmp_seq=1 ttl=255 time=7.01 ms
Again - this corresponds to the host being directly connected. But notice
the different ttl - here, it's 255, and the martian packet had a ttl of
126 (implying a start at 128, and two hops away).
]20:42:25.782992 IP (tos 0x0, ttl 126, id 10724, offset 0, flags [none],
]length: 40) localhost.http > 80-219-238-182.dclient.hispeed.ch.stun-p3:
]R [tcp sum ok] 0:0(0) ack 1704591361 win 0
So, the best guess would be that the owner of 80.219.224.1 has a system
behind it that is misconfigured.
>> The martian was showing 00:09:7b:8d:98:70 which is a Cisco - what does
>> the label say? Cisco has (as of early October) 271 different blocks of
>> MAC addresses from 00:00:0c to 00:e0:fe
>
>The MAC starts with 00:0E:9B.
[compton ~]$ etherwhois 00:0E:9B
00-0E-9B (hex) PRIVATE
000E9B (base 16)
[compton ~]$
Hmmm... Nope - just grabbed the latest OUI file - it's still listed as a
private address. Look in the ARP caches on your system (/sbin/arp -a),
and see if the address shows up as above.
>There is one more MAC shown where all the broadcasts come from, seems to
>be another router.
That infers a bridge. The fact that you saw it from a box on the net that
is one hop away, BUT the packet had a ttl indicating it had passed at least
one (most likely two) routers en route to you.
>Thanks a lot Moe for your advice. I have learned a lot. Too bad I
>couldn't find out what the etherwhois is all about and where to get it,
>but I assume it's one of yours, isn't it?
It's a dumb script that queries the OUI Database. It even has the pointer
to the source of the database:
[compton ~]$ cat /usr/local/bin/etherwhois
#!/bin/sh
# Strip colons and dashes so 00:0E:9B, 00-0E-9B and 000E9B all match
ETHER=`echo "$1" | tr -d ':-'`
if ! zgrep -qi "$ETHER" /usr/doc/misc/MACaddresses.gz ; then
    echo 'Non-existent address as of Nov 30 22:14:25 UTC 2005 OUI file'
    echo ' http://standards.ieee.org/regauth/oui/oui.txt'
else
    # Print the matching OUI block (one line before, six after) and drop
    # the blank-line tail that runs into the next entry
    zgrep -i -B1 -A6 "$ETHER" /usr/doc/misc/MACaddresses.gz | sed '/^$/,/*/d'
fi
# Second, older database - its entries carry per-card hints
zgrep -i "$ETHER" /usr/doc/misc/macaddresses.txt.gz
[compton ~]$
The oui.txt file is huge - about 2.5 Megabytes, with nearly 9000 entries.
It's also a wide file - downloading it via lynx means resetting the nxterm
to a width in excess of 150 characters to avoid line wraps. The other
file this script is looking for is a copy of an old file from Michael A.
Patton (don't know if it still exists - was
http://map-ne.com/Ethernet/).
The IEEE data would be "official", while the other data has some hints of
the specific type of card - i.e. this is probably a 3C590 as opposed to a
3C900.
Old guy
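As an added example (not part of Moe Trin's post, and not his etherwhois script), the two checks discussed in the thread written as small POSIX shell functions: pulling the ttl out of a "tcpdump -v" header line, turning an observed ttl into a likely router-hop count by assuming the sender started at the nearest common initial value (64, 128 or 255), and looking a MAC's first three octets up in an OUI table. OUI_SAMPLE is a constructed two-entry table in the layout of the IEEE oui.txt file, using only the two prefixes mentioned above; it stands in for the real downloaded file.

```shell
#!/bin/sh
# Added example, not from the original post.  OUI_SAMPLE is a constructed
# two-entry stand-in for the IEEE oui.txt file (same "(hex)" / "(base 16)"
# line layout); point a real script at the downloaded file instead.
OUI_SAMPLE='00-09-7B   (hex)        Cisco Systems
00097B     (base 16)        Cisco Systems
00-0E-9B   (hex)        PRIVATE
000E9B     (base 16)'

# hops_from_ttl TTL: print the likely number of routers crossed, assuming the
# sender started from the nearest common initial TTL (64, 128 or 255) at or
# above the observed value.  126 -> 2 (started at 128); 255 -> 0 (adjacent).
hops_from_ttl() {
    ttl=$1
    if [ "$ttl" -le 64 ]; then
        start=64
    elif [ "$ttl" -le 128 ]; then
        start=128
    else
        start=255
    fi
    echo $((start - ttl))
}

# ttl_from_tcpdump LINE: print the ttl field of a "tcpdump -v" IP header line
ttl_from_tcpdump() {
    printf '%s\n' "$1" | sed -n 's/.*ttl \([0-9][0-9]*\),.*/\1/p'
}

# oui_vendor MAC: print the vendor for the first three octets of MAC; any of
# 00:0e:9b:..., 00-0E-9B-... or 000E9B... is accepted.  Prints "unknown" when
# the prefix is not in the table.
oui_vendor() {
    # normalise to the "00-0E-9B" form used on the "(hex)" lines
    dashed=$(printf '%s' "$1" | tr -d ':-' | cut -c1-6 | tr 'a-f' 'A-F' \
             | sed 's/^\(..\)\(..\)\(..\)$/\1-\2-\3/')
    vendor=$(printf '%s\n' "$OUI_SAMPLE" | grep "^$dashed " \
             | sed 's/.*(hex)[[:space:]]*//')
    if [ -n "$vendor" ]; then
        echo "$vendor"
    else
        echo unknown
    fi
}

# Demo input: the martian packet's header line as quoted in the post
LINE='20:42:25.782992 IP (tos 0x0, ttl 126, id 10724, offset 0, flags [none], length: 40)'
ttl=$(ttl_from_tcpdump "$LINE")
echo "martian ttl $ttl -> about $(hops_from_ttl "$ttl") router hop(s)"
echo "ping reply ttl 255 -> $(hops_from_ttl 255) hop(s), i.e. directly connected"
echo "00:09:7b:8d:98:70 -> $(oui_vendor 00:09:7b:8d:98:70)"
echo "00:0E:9B:00:00:01 -> $(oui_vendor 00:0E:9B:00:00:01)"
```

The hop estimate is only a guess, for the same reason the post hedges: it assumes the sender used one of the three common initial TTLs and that nothing rewrote the field on the way, so treat the number as "at least this many routers" rather than a measurement.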