On Fri, Apr 24, 2009 at 7:53 AM, Aner Perez <[email protected]> wrote: ... > While monitoring the pflog output, I occasionally see output that looks like > this: > > Apr 24 09:49:46.420762 rule 150/(match) pass in on fxp1: 107.6.96.0 > 73.243.0.0: at-#0 18 > Apr 24 09:49:46.420851 rule 150/(match) pass in on fxp1: 108.6.96.0 > 73.37.0.0: at-#0 21 ... > What first jumps out at me is the IP addresses which are not part of our > network. The second thing that jumps out is the "at-#0 18" notation. What > does this mean? I'm assuming the number at the end is the packet size. > What is the "at-#0"? Has anybody seen traffic like this? Should I be > worried?
Those are Appletalk (Ethertalk) packets. "107.6.96.0" and such are Appletalk phase II addresses (with DDP protocol) and *not* IP addresses. Seems you have old Macs or Apple hardware on your net still doing the old stuff... Philip Guenther
