Well, /usr/src/linux/net/ipv4/route.c implements the rules, but won't help tell you what is generating the martians. For that, don't you need a packet sniffer like tcpdump?
-Richard

On Thursday 02 May 2002 05:16 am, Sergio Morilla wrote:
> Thanks, but no.
>
> I have identified the offending computer.
> What I am looking for is more information about martians (rules that
> determine that there is a martian so I can track down why these packets are
> seen as martians) and some way to find out the offending program. My users
> are using M$ OSs. Until a couple of weeks ago everything was OK, so I assume
> a "self administrator" using some "nice feature program".
>
> Also I would like to know if I eventually can filter out these packets.
> Silent deny is for tcp/udp packets and these are arp!!!
>
> Thanks
>
> > -----Original Message-----
> > From: Kelly D. Wason [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, May 01, 2002 09:20
> > To: Sergio Morilla
> > Subject: RE: [leaf-user] Martians - Why??? narp??? Backdoor??
> >
> > I ran into this problem one time when I inadvertently connected eth0
> > back to my hub on the private network (I think that is what I did --
> > anyway it was a cabling problem)
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of Sergio Morilla
> > Sent: Tuesday, April 30, 2002 6:47 AM
> > To: Leaf-user@lists.sourceforge.net (E-mail)
> > Subject: [leaf-user] Martians - Why??? narp??? Backdoor??
> >
> > Hi,
> >
> > I have a very long rate of these martians in my logs.
> >
> > Apr 30 08:08:06 tptrtr kernel: martian source 00000000 for ff01a8c0, dev eth1
> > Apr 30 08:08:06 tptrtr kernel: ll header: ff ff ff ff ff ff 00 50 04 a4 f2 09 08 00
> >
> > Translated
> >
> > 00000000      ff01a8c0
> > 0.0.0.0  for  192.168.1.255
> > ff ff ff ff ff ff 00 50 04 a4 f2 09 08 00(TCP)
> >
> > Why is this a martian???
> > I guess it's for the source address. Is this right?? If not, why??
> >
> > I've tracked down the offending machine. How do I get the program
> > generating them???
> > Using Etherape I managed to track these packets as
> > "narp" (NBMA Address Resolution Protocol RFC1735) packets.
> >
> > NBMA stands for Non-Broadcast, Multi-Access !!!
> >
> > Any hints on what this may be?? Any backdoor???
> > How can I just ignore these packets so they do not fill my logs???
> >
> > ------------------------------------------------------------------------
> > leaf-user mailing list: [EMAIL PROTECTED]
> > https://lists.sourceforge.net/lists/listinfo/leaf-user
> > SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
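
The hand translation in the quoted message, as an added example (not code from the thread or from the LEAF project): it parses the two kernel log lines, reverses the logged hex words into dotted addresses, and splits the ll header into destination MAC, source MAC and EtherType. The 192.168.1.0/24 subnet, the function names and the flag names are assumptions, and the flags are simple address checks, not the rule set in route.c.

```python
import ipaddress
import re

# Constructed sample: the two log lines quoted in the thread, unwrapped.
SAMPLE_LOG = """\
Apr 30 08:08:06 tptrtr kernel: martian source 00000000 for ff01a8c0, dev eth1
Apr 30 08:08:06 tptrtr kernel: ll header: ff ff ff ff ff ff 00 50 04 a4 f2 09 08 00
"""
MARTIAN_RE = re.compile(r"martian source ([0-9a-f]{8}) for ([0-9a-f]{8}), dev (\S+)")
LL_RE = re.compile(r"ll header: ((?:[0-9a-f]{2} ?){14})")
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}

def hex_to_ip(word):
    """Decode a logged hex word; its bytes are reversed (ff01a8c0 -> 192.168.1.255)."""
    return ipaddress.IPv4Address(bytes.fromhex(word)[::-1])

def classify(src, dst, net):
    """Hypothetical flags for triage; not a reimplementation of the kernel's checks."""
    flags = []
    if src.is_unspecified:
        flags.append("src-unspecified")
    elif src not in net:
        flags.append("src-off-subnet")
    if dst == net.broadcast_address:
        flags.append("dst-subnet-broadcast")
    return flags

def parse_martians(log_text, local_net="192.168.1.0/24"):
    """Pair each 'martian source' line with the 'll header' line that follows it."""
    net = ipaddress.ip_network(local_net)  # assumed subnet of the logging interface
    events = []
    for line in log_text.splitlines():
        m = MARTIAN_RE.search(line)
        if m:
            src, dst = hex_to_ip(m.group(1)), hex_to_ip(m.group(2))
            events.append({"src": str(src), "dst": str(dst), "dev": m.group(3),
                           "flags": classify(src, dst, net)})
            continue
        m = LL_RE.search(line)
        if m and events:
            raw = bytes.fromhex(m.group(1).replace(" ", ""))
            etype = int.from_bytes(raw[12:14], "big")  # Ethernet II type field
            events[-1].update(dst_mac=raw[0:6].hex(":"), src_mac=raw[6:12].hex(":"),
                              ethertype=ETHERTYPES.get(etype, hex(etype)))
    return events

if __name__ == "__main__":
    for event in parse_martians(SAMPLE_LOG):
        print(event)
```

The src_mac field is the value to match against switch tables or DHCP leases when tracing the sending machine.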
