Moe Trin wrote:
>>80-219-224-1.dclient.hispeed.ch (80.219.224.1) at 00:09:7B:8D:98:70
>>[ether] on eth0
>
>
> That's the IP of the system you received the packet from, BUT:
>
>
>>A ping will show this:
>>64 bytes from 80.219.224.1: icmp_seq=1 ttl=255 time=7.01 ms
>
>
> Again - this corresponds to the host being directly connected. But notice
> the different ttl - here, it's 255, and the martian packet had a ttl of
> 126 (implying a start at 128, and two hops away).
>
> ]20:42:25.782992 IP (tos 0x0, ttl 126, id 10724, offset 0, flags [none],
> ]length: 40) localhost.http > 80-219-238-182.dclient.hispeed.ch.stun-p3:
> ]R [tcp sum ok] 0:0(0) ack 1704591361 win 0
>
> So, the best guess would be that the owner of 80.219.224.1 has a system
> behind it that is misconfigured.
>
That's what I thought after the last posts.
>
>>The MAC starts with 00:0E:9B.
>
>
> [compton ~]$ etherwhois 00:0E:9B
> 00-0E-9B (hex) PRIVATE
> 000E9B (base 16)
> [compton ~]$
>
> Hmmm... Nope - just grabbed the latest OUI file - it's still listed as a
> private address. Look in the ARP caches on your system (/sbin/arp -a),
> and see if the address shows up as above.
No, so, it should be pretty clear, I have a bridge here connected to
the system.
>>There is one more MAC shown where all the broadcasts come from, seems to
>>be another router.
>
>
> That infers a bridge. The fact that you saw it from a box on the net that
> is one hop away, BUT the packet had a ttl indicating it had passed at least
> one (most likely two) routers enroute to you
>
>
> It's a dumb script that queries the OUI Database. It even has the pointer
> to the source of the database:
>
> [compton ~]$ cat /usr/local/bin/etherwhois
> ETHER=`echo $1 | tr -d '\-:'`
> zgrep -qi $ETHER /usr/doc/misc/MACaddresses.gz
> if [ $? != "0" ] ; then
> echo 'Non-existent address as of Nov 30 22:14:25 UTC 2005 OUI file'
> echo ' http://standards.ieee.org/regauth/oui/oui.txt'
> else
> zgrep -i -B1 -A6 $ETHER /usr/doc/misc/MACaddresses.gz | sed '/^$/,/*/d'
> fi
> zgrep -i $ETHER /usr/doc/misc/macaddresses.txt.gz
> [compton ~]$
>
> The oui.txt file is huge - about 2.5 Megabytes, with nearly 9000 entries.
> It's also a wide file - downloading it via lynx means resetting the nxterm
> to a width in excess of 150 characters to avoid line wraps. The other
> file this script is looking for is a copy of an old file from Michael A.
> Patton (don't know if it still exists - was http://map-ne.com/Ethernet/).
It is still available.
> The IEEE data would be "official", while the other data has some hints of
> the specific type of card - i.e. this is probably a 3C590 as opposed to a
> 3C900.
Works fine, thanks for the code and the references.
greetz,
Eric
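As an added example (not from the thread and not Moe Trin's etherwhois script): a Python version of the OUI lookup that parses the IEEE oui.txt layout, plus the TTL-based hop estimate the reply uses to spot a source that is an ARP neighbour but whose packets have clearly crossed routers. The oui.txt excerpt is constructed, and the vendor name given for 00-09-7B is invented for illustration.

```python
import re

# Constructed excerpt in the layout of the IEEE oui.txt file (sample data, not the real file).
# The 00-0E-9B entry mirrors the "PRIVATE" result in the thread; the 00-09-7B vendor is made up.
SAMPLE_OUI_TXT = """\
00-0E-9B   (hex)\t\tPRIVATE
000E9B     (base 16)\t\tPRIVATE

00-09-7B   (hex)\t\tEXAMPLE NETWORKS INC (constructed entry)
00097B     (base 16)\t\tEXAMPLE NETWORKS INC (constructed entry)
\t\t\t\t123 SAMPLE STREET
\t\t\t\tANYTOWN
"""

# Only the "(hex)" line of each record carries the OUI and vendor we need.
HEX_LINE = re.compile(r"^([0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2})\s+\(hex\)\s+(.*\S)\s*$")


def parse_oui(text):
    """Return a dict {'000E9B': 'PRIVATE', ...} from oui.txt-style text."""
    table = {}
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            table[m.group(1).replace("-", "").upper()] = m.group(2)
    return table


def normalize_mac(mac):
    """Strip ':' '-' '.' separators (like the script's tr -d) and upper-case the hex digits."""
    digits = re.sub(r"[:\-.]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{6,12}", digits):
        raise ValueError("not a MAC address or OUI: %r" % mac)
    return digits


def lookup_oui(table, mac):
    """Vendor string for the first three octets of mac, or None if it is not registered."""
    return table.get(normalize_mac(mac)[:6])


def estimate_hops(ttl, initial_ttls=(64, 128, 255)):
    """Guess the sender's initial TTL (common OS defaults) and the router hops it implies.
    ttl 126 -> (128, 2) as in the martian packet; ttl 255 -> (255, 0) as in the ping reply."""
    for start in initial_ttls:
        if ttl <= start:
            return start, start - ttl
    raise ValueError("TTL out of range: %r" % ttl)


def martian_suspect(seen_in_arp, ttl):
    """True when the source is an ARP neighbour (0 router hops away) but its TTL implies hops > 0,
    i.e. something behind that neighbour (a bridge or a misconfigured host) originated the packet."""
    _, hops = estimate_hops(ttl)
    return bool(seen_in_arp) and hops > 0
```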