How does one interpret the mac addresses in the log which seem to have 14 segments...

Example, this appears in the log...

00:40:c7:2e:09:c0:00:01:64:4a:70:00:08:00

Yet I can't find that in the arp table

norcomix:~ # arp -an
? (192.168.2.148) at 00:10:4B:6A:AE:E7 [ether] on eth1
? (192.168.2.149) at 00:D0:B7:1D:F2:F2 [ether] on eth1
? (24.237.19.16) at 00:10:DC:67:BA:80 [ether] on eth0
? (192.168.2.240) at 00:C0:02:55:04:29 [ether] on eth1
? (192.168.2.241) at 00:C0:02:58:66:93 [ether] on eth1
? (192.168.2.11) at 00:A0:C9:32:F4:03 [ether] on eth1
? (192.168.2.233) at 08:00:46:63:9D:BD [ether] on eth1
? (24.237.16.1) at 00:01:64:4A:70:00 [ether] on eth0

______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/ (907) 790-3386
--On Monday, January 27, 2003 11:28 AM -0900 "John S. Andersen" <JAndersen@screenio.com> wrote:

> How does one interpret the mac addresses in the log which
> seem to have 14 segments...
>
> Example, this appears in the log...
>
> 00:40:c7:2e:09:c0:00:01:64:4a:70:00:08:00
  -----------------                         = Destination

> 00:40:c7:2e:09:c0:00:01:64:4a:70:00:08:00
                    -----------------       = Source

> 00:40:c7:2e:09:c0:00:01:64:4a:70:00:08:00
                                      ----- = Ethernet Type Field (IP)

Which is nothing more than the layout of an Ethernet Frame Header carrying IP.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
On 27 Jan 2003 at 12:40, Tom Eastep wrote:

> > How does one interpret the mac addresses in the log
> > Example, this appears in the log...
> > 00:40:c7:2e:09:c0:00:01:64:4a:70:00:08:00
>   -----------------                         = Destination
>
> > 00:40:c7:2e:09:c0:00:01:64:4a:70:00:08:00
>                     -----------------       = Source
>
> > 00:40:c7:2e:09:c0:00:01:64:4a:70:00:08:00
>                                       ----- = Ethernet Type Field (IP)
>
> Which is nothing more than the layout of an Ethernet Frame Header
> carrying IP.

Well Ratz, that gets me no closer to the source of the mystery...

All day long I get a trickle of these packets which get dropped, and
logged but I have no idea why I get them.

Jan 27 12:02:59 norcomix kernel: Shorewall:net2all:DROP:IN=eth0 OUT=
MAC=00:40:c7:2e:09:c0:00:01:64:4a:70:00:08:00 SRC=206.96.62.16
DST=24.237.21.6 LEN=58 TOS=0x00 PREC=0x00 TTL=250 ID=20810 DF
PROTO=UDP SPT=53 DPT=32808 LEN=38

There are usually two at a time within the same second, the groups
are 20 seconds apart, on ascending ports (all in a given group are
on the same ports, the next group are on the next higher port).

The Source is my ISP's DNS server, the MACs belong to my Shorewall box
and the cable system default gateway. In other words, known sources.

It looks like a port scan, but I can't believe my own ISP would be
scanning me from his DNS server. (Unless the source IP was forged).

______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/ (907) 790-3386
_______________________________________
John S. Andersen
NORCOM  mailto:JAndersen@norcomsoftware.com
Juneau, Alaska  http://www.screenio.com/
> -----Original Message-----
> From: John S. Andersen
> Sent: Monday, January 27, 2003 4:09 PM
> Subject: Re: [Shorewall-users] Mac Addresses in the Log
>
>
> On 27 Jan 2003 at 12:40, Tom Eastep wrote:
>
> > > How does one interpret the mac addresses in the log
> > > Example, this appears in the log...
> > > 00:40:c7:2e:09:c0:00:01:64:4a:70:00:08:00
> >   -----------------                         = Destination
> >
> > > 00:40:c7:2e:09:c0:00:01:64:4a:70:00:08:00
> >                     -----------------       = Source
> >
> > > 00:40:c7:2e:09:c0:00:01:64:4a:70:00:08:00
> >                                       ----- = Ethernet Type Field (IP)
> >
> > Which is nothing more than the layout of an Ethernet Frame Header
> > carrying IP.
>
> Well Ratz, that gets me no closer to the source of the mystery...
>
> All day long I get a trickle of these packets which get dropped, and
> logged but I have no idea why I get them.
>
> Jan 27 12:02:59 norcomix kernel: Shorewall:net2all:DROP:IN=eth0 OUT=
> MAC=00:40:c7:2e:09:c0:00:01:64:4a:70:00:08:00 SRC=206.96.62.16
> DST=24.237.21.6 LEN=58 TOS=0x00 PREC=0x00 TTL=250 ID=20810 DF
> PROTO=UDP SPT=53 DPT=32808 LEN=38
>
> There are usually two at a time within the same second, the groups
> are 20 seconds apart, on ascending ports (all in a given group are
> on the same ports, the next group are on the next higher port).
>
> The Source is my ISP's DNS server, the MACs belong to my Shorewall box
> and the cable system default gateway. In other words, known sources.
>
> It looks like a port scan, but I can't believe my own ISP would be
> scanning me from his DNS server. (Unless the source IP was forged).
>

Check out the shorewall FAQ. Item 6c might be of interest.

Steve Cowles
On Mon, 2003-01-27 at 14:08, John S. Andersen wrote:
> Well Ratz, that gets me no closer to the source of the mystery...
>
> All day long I get a trickle of these packets which get dropped, and
> logged but I have no idea why I get them.
>
> Jan 27 12:02:59 norcomix kernel: Shorewall:net2all:DROP:IN=eth0 OUT=
> MAC=00:40:c7:2e:09:c0:00:01:64:4a:70:00:08:00 SRC=206.96.62.16
> DST=24.237.21.6 LEN=58 TOS=0x00 PREC=0x00 TTL=250 ID=20810 DF
> PROTO=UDP SPT=53 DPT=32808 LEN=38
>
> There are usually two at a time within the same second, the groups
> are 20 seconds apart, on ascending ports (all in a given group are
> on the same ports, the next group are on the next higher port).
>
> The Source is my ISP's DNS server, the MACs belong to my Shorewall box
> and the cable system default gateway. In other words, known sources.
>
> It looks like a port scan, but I can't believe my own ISP would be
> scanning me from his DNS server. (Unless the source IP was forged).

John,

Here is my WAG at your problem. BTW, are you running a local DNS (caching & forwarding)?

http://www.mynetwatchman.com/fpguide.htm

If you see UDP events targeting high numbered ports, sourced from the DNS port (udp/53) AND the source IP is your DNS server... then these are probably slow DNS responses. Slow DNS responses are probably the most frequent cause of false positives.

--
Mike Noyes <mhnoyes @ users.sourceforge.net>
http://sourceforge.net/users/mhnoyes/
http://leaf-project.org/ http://sitedocs.sf.net/ http://ffl.sf.net/
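As an added example (not code from this thread or from Shorewall), the script below does two things the thread explains in words: it splits the 14-octet MAC= field the way Tom lays it out (6 bytes destination, 6 bytes source, 2 bytes EtherType) and names the two MACs from the arp -an output John posted, and it applies the late-DNS-reply heuristic Mike quotes (UDP, SPT=53, source is one of your resolvers, high destination port) to each dropped entry. The first log entry is John's; the second entry, the KNOWN_RESOLVERS set and the local_macs argument are assumptions constructed for the example.

```python
"""Decode the MAC= field of a Shorewall/netfilter log entry and triage the
late-DNS-reply false positive discussed in this thread."""
import re

# IEEE-assigned EtherType values this example recognises (not from the thread).
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6", 0x8100: "802.1Q VLAN"}

# Constructed samples: the first entry is the one John posted; the second is an
# invented TCP SYN from a TEST-NET address so the triage has a contrasting case.
SAMPLE_LOG = [
    "Jan 27 12:02:59 norcomix kernel: Shorewall:net2all:DROP:IN=eth0 OUT= "
    "MAC=00:40:c7:2e:09:c0:00:01:64:4a:70:00:08:00 SRC=206.96.62.16 DST=24.237.21.6 "
    "LEN=58 TOS=0x00 PREC=0x00 TTL=250 ID=20810 DF PROTO=UDP SPT=53 DPT=32808 LEN=38",
    "Jan 27 12:03:19 norcomix kernel: Shorewall:net2all:DROP:IN=eth0 OUT= "
    "MAC=00:40:c7:2e:09:c0:00:01:64:4a:70:00:08:00 SRC=203.0.113.9 DST=24.237.21.6 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1 DF PROTO=TCP SPT=4444 DPT=22 SYN URGP=0",
]

# Three lines of the `arp -an` output from the first post, used to name MACs.
SAMPLE_ARP = """\
? (192.168.2.148) at 00:10:4B:6A:AE:E7 [ether] on eth1
? (24.237.19.16) at 00:10:DC:67:BA:80 [ether] on eth0
? (24.237.16.1) at 00:01:64:4A:70:00 [ether] on eth0
"""

# Assumption: the resolvers this host is configured to use. The thread only
# says the SRC is the ISP's DNS server, so the logged SRC= address is used.
KNOWN_RESOLVERS = {"206.96.62.16"}


def parse_netfilter_line(line):
    """Return the KEY=VALUE tokens of a netfilter log line as a dict.
    LEN appears twice (IP total length, then the UDP length), so a repeated
    key is stored with a '2' suffix instead of overwriting the first value."""
    fields = {}
    for key, value in re.findall(r"\b([A-Z]+)=(\S*)", line):
        if key in fields:
            key += "2"
        fields[key] = value
    return fields


def split_mac_field(mac_field):
    """Split the 14-octet MAC= field into the 6-byte destination MAC, 6-byte
    source MAC and 2-byte EtherType: the Ethernet header layout Tom describes."""
    octets = mac_field.lower().split(":")
    if len(octets) != 14:
        raise ValueError("expected 14 octets in MAC= field, got %d" % len(octets))
    ethertype = int("".join(octets[12:]), 16)
    return {
        "dst": ":".join(octets[:6]),
        "src": ":".join(octets[6:12]),
        "ethertype": ethertype,
        "ethertype_name": ETHERTYPES.get(ethertype, "unknown"),
    }


def parse_arp_table(text):
    """Map lowercase MAC -> (ip, interface) from `arp -an` output."""
    table = {}
    for m in re.finditer(r"\((\S+)\) at (\S+) \[ether\] on (\S+)", text):
        ip, mac, iface = m.groups()
        table[mac.lower()] = (ip, iface)
    return table


def triage(line, arp_table, resolvers, local_macs=()):
    """Explain one DROP entry: which neighbour sent the frame, which NIC it was
    addressed to, and whether it fits the late-DNS-reply pattern Mike quotes
    (UDP, SPT=53, source is one of our resolvers, high destination port)."""
    f = parse_netfilter_line(line)
    mac = split_mac_field(f["MAC"])

    def describe(m):
        if m in local_macs:
            return "this host"
        if m in arp_table:
            return "%s on %s" % arp_table[m]
        return "not in arp table"

    late_dns = (
        f.get("PROTO") == "UDP"
        and f.get("SPT") == "53"
        and f.get("SRC") in resolvers
        and int(f.get("DPT", "0")) >= 1024
    )
    return {
        "src_ip": f.get("SRC"),
        "dst_ip": f.get("DST"),
        "proto": f.get("PROTO"),
        "ethertype": mac["ethertype_name"],
        "frame_src": "%s (%s)" % (mac["src"], describe(mac["src"])),
        "frame_dst": "%s (%s)" % (mac["dst"], describe(mac["dst"])),
        "verdict": "likely late DNS reply (false positive)" if late_dns else "needs a look",
    }


if __name__ == "__main__":
    arp = parse_arp_table(SAMPLE_ARP)
    # A host's own NIC never appears in its arp table, so the Shorewall box's
    # eth0 MAC (the destination MAC in John's entry) is passed in explicitly.
    for entry in SAMPLE_LOG:
        for k, v in triage(entry, arp, KNOWN_RESOLVERS, {"00:40:c7:2e:09:c0"}).items():
            print("%-10s %s" % (k, v))
        print()
```

Run against John's entry it reports the frame as sent by 00:01:64:4a:70:00 (24.237.16.1 on eth0, the cable gateway) to this host, EtherType IPv4, and the verdict "likely late DNS reply"; the constructed TCP SYN from an unknown address gets "needs a look". The point of the MAC decomposition is that the only layer-2 fact in such a log line is which neighbour handed the frame to your NIC, which is why John could not find the 14-octet string in his arp table.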
On 27 Jan 2003 at 16:24, Cowles, Steve wrote:

> > It looks like a port scan, but I can't believe my own ISP would be
> > scanning me from his DNS server. (Unless the source IP was forged).
> >
>
> Check out the shorewall FAQ. Item 6c might be of interest.
>
> Steve Cowles

Both Steve and Mike Noyes pointed to the same problem and when I put the
suggested common rule in (as shown in the FAQ) I have not seen another one
of these late DNS packets show up since.

Thanks guys...

That common def had never made it into my version because I've done
several upgrades over time and the quickstart that I started with was
pretty old.

______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/ (907) 790-3386
_______________________________________
John S. Andersen
NORCOM  mailto:JAndersen@norcomsoftware.com
Juneau, Alaska  http://www.screenio.com/
--On Monday, January 27, 2003 2:12 PM -0900 "John S. Andersen" <jsa@norcomix.dyndns.org> wrote:

>
> Thanks guys...
>
> That common def had never made it into my
> version because I've done several upgrades over
> time and the quickstart that I started with was
> pretty old.
>

I hope you meant 'common' rather than 'common.def' -- 'common.def' gets replaced each upgrade whereas 'common' does not get replaced.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
On 27 Jan 2003 at 15:50, Tom Eastep wrote:

> I hope you meant 'common' rather than 'common.def' -- 'common.def'
> gets replaced each upgrade whereas 'common' does not get replaced.
>
> -Tom

Have no fear... I did it right, Tom, because I remembered the discussion
on the list of when you broke those out that way and why...

______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/ (907) 790-3386
_______________________________________
John S. Andersen
NORCOM  mailto:JAndersen@norcomsoftware.com
Juneau, Alaska  http://www.screenio.com/