This is a discussion on Weird Log Messages within the Linux Networking forums, part of the Linux Forums category.
Hi All,

I was trying to find out why I have hundreds of messages like the following in my syslog:

Jul 21 06:55:22 nitelife kernel: martian source 192.168.0.110 from 24.208.81.72, on dev eth1
Jul 21 06:55:22 nitelife kernel: ll header: 00:50:04:6e:54:1a:00:0c:41:6d:c6:d2:08:00
Jul 21 06:55:25 nitelife kernel: martian source 192.168.0.110 from 24.208.81.72, on dev eth1
Jul 21 06:55:25 nitelife kernel: ll header: 00:50:04:6e:54:1a:00:0c:41:6d:c6:d2:08:00
Jul 21 06:55:31 nitelife kernel: martian source 192.168.0.110 from 24.208.81.72, on dev eth1
Jul 21 06:55:31 nitelife kernel: ll header: 00:50:04:6e:54:1a:00:0c:41:6d:c6:d2:08:00
Jul 21 06:55:33 nitelife kernel: martian source 192.168.1.110 from 192.168.1.100, on dev eth1
Jul 21 06:55:33 nitelife kernel: ll header: ff:ff:ff:ff:ff:ff:00:26:54:0a:bc:2f:08:06
Jul 21 06:55:33 nitelife kernel: martian source 192.168.0.255 from 192.168.0.110, on dev eth0
Jul 21 06:55:33 nitelife kernel: ll header: ff:ff:ff:ff:ff:ff:00:50:04:6e:54:1a:08:00
Jul 21 06:55:41 nitelife kernel: NET: 1 messages suppressed.
Jul 21 06:55:41 nitelife kernel: martian source 192.168.0.110 from 207.238.164.226, on dev eth1
Jul 21 06:55:41 nitelife kernel: ll header: 00:50:04:6e:54:1a:00:0c:41:6d:c6:d2:08:00
Jul 21 06:55:44 nitelife kernel: martian source 192.168.0.110 from 192.168.0.1, on dev eth0
Jul 21 06:55:44 nitelife kernel: ll header: ff:ff:ff:ff:ff:ff:00:0c:41:6d:c6:d2:08:06

What the heck is a "martian source"????

Thanks,
Arthur
Arthur <amerar@iwc.net> wrote:
> What the heck is a "martian source"????

A "martian" is a packet that has a source or destination IP that doesn't belong to the network from which it came. Example: if a packet arrives from your Internet interface with an IP in the same network as your LAN, it's a martian.

There are many reasons; the most common is a badly spoofed packet or a misconfigured router.

Davide
--
| Speak softly and carry a +6 two-handed sword. |
Davide Bianchi <davideyeahsure@onlyforfun.net> wrote in message news:<2m778rFj8fuhU1@uni-berlin.de>...
> Arthur <amerar@iwc.net> wrote:
> > What the heck is a "martian source"????
>
> A "martian" is a packet that has a source or destination IP that doesn't
> belong to the network from which it came. Example: if a packet
> arrives from your Internet interface with an IP in the same network as
> your LAN, it's a martian.
>
> There are many reasons; the most common is a badly spoofed packet or a
> misconfigured router.
>
> Davide

What is the best way of starting to figure out where the problem is, so it can be fixed? I have no idea where to look.......

Arthur
Use tcpdump or a graphical ethernet sniffer like ethereal to capture network packets and to debug network problems.

-Gilles-

On Wed, 21 Jul 2004 13:16:14 -0700, Arthur wrote:
> Davide Bianchi <davideyeahsure@onlyforfun.net> wrote in message news:<2m778rFj8fuhU1@uni-berlin.de>...
>> Arthur <amerar@iwc.net> wrote:
>> > What the heck is a "martian source"????
>>
>> A "martian" is a packet that has a source or destination IP that doesn't
>> belong to the network from which it came. Example: if a packet
>> arrives from your Internet interface with an IP in the same network as
>> your LAN, it's a martian.
>>
>> There are many reasons; the most common is a badly spoofed packet or a
>> misconfigured router.
>>
>> Davide
>
> What is the best way of starting to figure out where the problem is,
> so it can be fixed? I have no idea where to look.......
>
> Arthur
In article <8b622eae.0407211216.6ad1fe0d@posting.google.com>, Arthur wrote:
>What is the best way of starting to figure out where the problem is,
>so it can be fixed? I have no idea where to look.......

Your original posting on 21 Jul 2004 04:35:59 -0700 showed:

>Jul 21 06:55:22 nitelife kernel: martian source 192.168.0.110 from 24.208.81.72, on dev eth1

Well, it's on eth1. 24.208.81.72 resolves to CPE-24-208-81-72.neb.rr.com, but that doesn't tell me anything. It would have helped to know what the network and mask on eth1 are.

>Jul 21 06:55:22 nitelife kernel: ll header: 00:50:04:6e:54:1a:00:0c:41:6d:c6:d2:08:00

OK, the header has three pieces of information:

00:50:04:6e:54:1a   Destination hardware address
00:0c:41:6d:c6:d2   Source ON THE LOCAL WIRE hardware address
08:00               Type = IP Datagram

[compton ~]$ etherwhois 00:50:04
00-50-04   (hex)        3COM CORPORATION
005004     (base 16)    3COM CORPORATION
                        5400 BAYFRONT PLAZA
                        SANTA CLARA CA 95052
                        UNITED STATES
[compton ~]$ etherwhois 00:0c:41
00-0C-41   (hex)        The Linksys Group, Inc.
000C41     (base 16)    The Linksys Group, Inc.
                        17401 Armstrong Ave.
                        Irvine CA 92614
                        UNITED STATES
[compton ~]$

The Linksys is probably a router of some kind. The 3Com - they've got a slew of products, but that prefix is often used with the 3C90X cards. Do you have one?

>Jul 21 06:55:33 nitelife kernel: martian source 192.168.1.110 from 192.168.1.100, on dev eth1
>Jul 21 06:55:33 nitelife kernel: ll header: ff:ff:ff:ff:ff:ff:00:26:54:0a:bc:2f:08:06

00:26:54 is another 3Com code. ff:ff:ff:ff:ff:ff is a broadcast, and type 0806 is an ARP request/reply.

>Jul 21 06:55:33 nitelife kernel: martian source 192.168.0.255 from 192.168.0.110, on dev eth0
>Jul 21 06:55:33 nitelife kernel: ll header: ff:ff:ff:ff:ff:ff:00:50:04:6e:54:1a:08:00

Another broadcast - from the first 3C90X.

>Jul 21 06:55:41 nitelife kernel: martian source 192.168.0.110 from 207.238.164.226, on dev eth1
>Jul 21 06:55:41 nitelife kernel: ll header: 00:50:04:6e:54:1a:00:0c:41:6d:c6:d2:08:00

Same as the first. The different source IP address suggests the Linksys is a router with access to the world.

>Jul 21 06:55:44 nitelife kernel: martian source 192.168.0.110 from 192.168.0.1, on dev eth0
>Jul 21 06:55:44 nitelife kernel: ll header: ff:ff:ff:ff:ff:ff:00:0c:41:6d:c6:d2:08:06

Another ARP request.

So, what you've shown indicates there are several hosts on the eth1 interface talking on a 192.168.0.0/24 network. I can see three hosts, though there may be more. One is _probably_ a Linksys router, and it has a MAC address of 00:0c:41:6d:c6:d2. There are two systems with 3Com cards - one is _probably_ a 3C90X with a MAC address of 00:50:04:6e:54:1a and the other is something else with a MAC address of 00:26:54:0a:bc:2f.

How would I get more details? Probably run tcpdump with a fair sized snaplen (packet capture size), looking for those MAC addresses (but NOT the IP addresses), outputting to a file. Then look through that, and see what turns up. With any luck, the 1d10t who owns those boxes will check his mail - sending username and password in the clear as usual.

But, ah... you'all be careful, ya hear? Sniffing the wire like that _could_ be illegal, or fattening, or something bad for your health. They _could_ throw your a*s so far into the slammer that they'd have to use an echo sounder to find you. You have been warned ;-)

Hope this helps,
Old guy
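The triage the reply above does by hand (split each "ll header" into destination MAC, source MAC and EtherType, look up the OUI, and notice that one MAC on eth1 is sourcing packets from several unrelated public IPs, which is what marks it as a router) can be scripted. The block below is an added example written for this page; it is not code from the thread or from any tool named in it. It also shows, for Davide's definition earlier in the thread, the strict reverse-path check that makes the kernel call a source "martian": the route back to the packet's source address must leave through the interface the packet arrived on. Assumptions: the OUI table is a constructed three-entry stand-in for the IEEE registry; ASSUMED_ROUTES is a made-up routing table, since the poster never said which network eth1 is on; the sample log lines are the ones from the original post. One detail worth knowing when reading these messages: in the kernel's wording "martian source A from B", A is the packet's destination and B (the "from" address) is its source.

```python
"""Triage Linux "martian source" kernel messages (added example, not from the thread).
Joins each message with the "ll header" line that follows it, decodes the Ethernet
header, groups packets by interface and source MAC (a MAC fronting several unrelated
IP sources is a router), and shows the reverse-path check behind the kernel's verdict."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Kernel wording is "martian source <dst IP> from <src IP>, on dev <ifname>":
# the first address is the packet's destination, the "from" address its source.
MARTIAN_RE = re.compile(r"martian source (?P<dst>\S+) from (?P<src>\S+), on dev (?P<dev>\S+)")
LLHDR_RE = re.compile(r"ll header: (?P<hdr>(?:[0-9a-f]{2}:){13}[0-9a-f]{2})", re.I)
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
# Constructed OUI table with only the prefixes seen in the posted log; a real tool
# would consult the IEEE registry (oui.txt) instead.
OUI = {"00:50:04": "3COM CORPORATION", "00:26:54": "3Com Corporation",
       "00:0c:41": "The Linksys Group, Inc."}

# Sample input: the lines from the original post.
SAMPLE_LOG = """\
Jul 21 06:55:22 nitelife kernel: martian source 192.168.0.110 from 24.208.81.72, on dev eth1
Jul 21 06:55:22 nitelife kernel: ll header: 00:50:04:6e:54:1a:00:0c:41:6d:c6:d2:08:00
Jul 21 06:55:25 nitelife kernel: martian source 192.168.0.110 from 24.208.81.72, on dev eth1
Jul 21 06:55:25 nitelife kernel: ll header: 00:50:04:6e:54:1a:00:0c:41:6d:c6:d2:08:00
Jul 21 06:55:31 nitelife kernel: martian source 192.168.0.110 from 24.208.81.72, on dev eth1
Jul 21 06:55:31 nitelife kernel: ll header: 00:50:04:6e:54:1a:00:0c:41:6d:c6:d2:08:00
Jul 21 06:55:33 nitelife kernel: martian source 192.168.1.110 from 192.168.1.100, on dev eth1
Jul 21 06:55:33 nitelife kernel: ll header: ff:ff:ff:ff:ff:ff:00:26:54:0a:bc:2f:08:06
Jul 21 06:55:33 nitelife kernel: martian source 192.168.0.255 from 192.168.0.110, on dev eth0
Jul 21 06:55:33 nitelife kernel: ll header: ff:ff:ff:ff:ff:ff:00:50:04:6e:54:1a:08:00
Jul 21 06:55:41 nitelife kernel: NET: 1 messages suppressed.
Jul 21 06:55:41 nitelife kernel: martian source 192.168.0.110 from 207.238.164.226, on dev eth1
Jul 21 06:55:41 nitelife kernel: ll header: 00:50:04:6e:54:1a:00:0c:41:6d:c6:d2:08:00
Jul 21 06:55:44 nitelife kernel: martian source 192.168.0.110 from 192.168.0.1, on dev eth0
Jul 21 06:55:44 nitelife kernel: ll header: ff:ff:ff:ff:ff:ff:00:0c:41:6d:c6:d2:08:06
"""

def decode_ll_header(hdr):
    """Split the dumped 14-byte Ethernet header into dst MAC, src MAC and EtherType."""
    o = hdr.lower().split(":")
    if len(o) != 14:
        raise ValueError("expected 14 octets, got %d" % len(o))
    dst, src, etype = ":".join(o[:6]), ":".join(o[6:12]), int(o[12] + o[13], 16)
    return {"dst_mac": dst, "src_mac": src, "ethertype": etype,
            "proto": ETHERTYPES.get(etype, "0x%04x" % etype),
            "broadcast": dst == "ff:ff:ff:ff:ff:ff",
            "src_vendor": OUI.get(src[:8], "unknown")}

def parse_martians(lines):
    """Yield one record per martian, joining each message with its ll header line."""
    pending = None
    for line in lines:
        m = MARTIAN_RE.search(line)
        if m:
            pending = {"dst_ip": m["dst"], "src_ip": m["src"], "dev": m["dev"]}
            continue
        h = LLHDR_RE.search(line)
        if h and pending is not None:  # "NET: n messages suppressed." etc. is skipped
            pending.update(decode_ll_header(h["hdr"]))
            yield pending
            pending = None

def summarize(records):
    """Group by (dev, src MAC): which IP sources sit behind each wire address."""
    groups = defaultdict(lambda: {"vendor": "", "count": 0, "src_ips": set(), "protos": set()})
    for r in records:
        g = groups[(r["dev"], r["src_mac"])]
        g["vendor"], g["count"] = r["src_vendor"], g["count"] + 1
        g["src_ips"].add(r["src_ip"])
        g["protos"].add(r["proto"])
    return dict(groups)

def looks_like_router(group):
    """A MAC emitting packets from several IPs, some of them public, forwards for others."""
    ips = [ip_address(i) for i in group["src_ips"]]
    return len(ips) > 1 and any(not ip.is_private for ip in ips)

def reverse_path_ok(src_ip, dev, routes):
    """Strict reverse-path check (what rp_filter=1 enforces): the longest-prefix route
    for the packet's *source* must point back out the arrival interface.  `routes` is
    a list of (network, dev); a source that fails this check is a martian."""
    src, best = ip_address(src_ip), None
    for net, out_dev in routes:
        n = ip_network(net)
        if src in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, out_dev)
    return best is not None and best[1] == dev

# Assumed routing table (the poster never said which network eth1 is on).
ASSUMED_ROUTES = [("192.168.0.0/24", "eth0"), ("0.0.0.0/0", "eth1")]

if __name__ == "__main__":
    for (dev, mac), g in sorted(summarize(parse_martians(SAMPLE_LOG.splitlines())).items()):
        tag = "  <- forwards for several hosts (router?)" if looks_like_router(g) else ""
        print("%s %s %-24s %2d pkts %s from %s%s" % (dev, mac, g["vendor"], g["count"],
              "/".join(sorted(g["protos"])), ", ".join(sorted(g["src_ips"])), tag))
```

Run against the posted lines, the eth1 group for 00:0c:41:6d:c6:d2 holds four packets from two public addresses, which is the "Linksys is a router with access to the world" conclusion above; under the assumed routing table, 192.168.0.110 arriving on eth1 fails the reverse-path check while the same address on eth0 passes, which is the shape of misconfiguration (one LAN visible on two interfaces) to look for once the real table is known. To follow up the way the reply suggests, capture by MAC rather than by IP, e.g. `tcpdump -i eth1 -s 0 -w martians.pcap ether host 00:0c:41:6d:c6:d2`, and keep in mind that these messages are logged because the packets were dropped; turning off `net.ipv4.conf.all.log_martians` silences the log without fixing the topology.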