On Sat, 16 Feb 2002, Jeff Gutierrez wrote:

> #if i'm not mistaken, 224.0.0.1 has a max lifespan (time-to-live) of 1 and
> #so doesn't get propagated any further from the network it came from. 
> #that means any spoofed packet like that can't come from outside the router
> #(because it won't be routed) and that it originated from within the lan
> #itself.
> #
> 
> I'm on an internet-on-cable system (attbi.com).  That being said, could 
> the culprit be just another subscriber?
> 

the other subscribers on the same cable broadcast segment can send a
224.0.0.1 multicast packet but your pc/hardware router will not forward it
to your lan even if its time-to-live value is greater than 1 (assuming
the router implements multicast routing correctly). so only the router can
see that multicast packet, but the internal hosts in your lan will not.

to isolate further, you can turn off any 'ip multicasting'
capabilities/software on your router which connects to your cable
internet. this will prevent all outside multihop multicast packets from
reaching your lan.  this also ensures that it's not your router itself
sending that packet. then use tcpdump (on the host where you received the
log msg you posted) to get the source mac address of that packet in
case it persists. if you have a manageable switch/hub, you can look up the
src mac address from its mac address cache so you can pinpoint which
switch/hub port it received the packet from (even if the src mac addr is
spoofed).

pong

Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
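
Added example (not part of the original message): a POSIX shell function that tallies, per source MAC, the frames addressed to 224.0.0.1 in `tcpdump -e -n` text output, giving the MAC to look up in the switch's address table. The interface name `eth0`, the function names and the sample capture lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Live use (needs root; eth0 is an assumed interface name):
#   tcpdump -i eth0 -e -n -l dst host 224.0.0.1 | summarize_mcast_sources

# Reads `tcpdump -e -n` lines on stdin and prints one line per source MAC:
#   <src mac> frames=<count> src_ips=<distinct IP sources seen from that MAC>
summarize_mcast_sources() {
    awk '
    # Keep the first four dotted fields, dropping a trailing ".port" if present.
    function ip4(s,   a) { split(s, a, "."); return a[1] "." a[2] "." a[3] "." a[4] }

    # With -e a line reads: TIME SRC_MAC > DST_MAC, ethertype ..., length N: SRC > DST: ...
    $3 == ">" {
        src_mac = tolower($2)
        src_ip = dst_ip = ""
        # The next ">" after the link-level header separates IP source and destination.
        for (i = 5; i < NF; i++)
            if ($i == ">") { src_ip = $(i - 1); dst_ip = $(i + 1); break }
        sub(/:$/, "", dst_ip)
        if (ip4(dst_ip) != "224.0.0.1") next
        src_ip = ip4(src_ip)
        count[src_mac]++
        if (!((src_mac, src_ip) in seen)) {
            seen[src_mac, src_ip] = 1
            ips[src_mac] = ips[src_mac] " " src_ip
        }
    }
    END {
        for (m in count)
            printf "%s frames=%d src_ips=%s\n", m, count[m], substr(ips[m], 2)
    }' | LC_ALL=C sort
}

# Constructed sample capture (not real traffic).
sample_capture() {
    cat <<'EOF'
12:00:01.000001 00:11:22:33:44:55 > 01:00:5e:00:00:01, ethertype IPv4 (0x0800), length 60: 192.168.1.1 > 224.0.0.1: igmp query v2
12:00:02.000001 00:aa:bb:cc:dd:ee > 01:00:5e:00:00:01, ethertype IPv4 (0x0800), length 98: 10.0.0.7 > 224.0.0.1: ICMP echo request, id 1, seq 1, length 64
12:00:03.000001 00:AA:BB:CC:DD:EE > 01:00:5e:00:00:01, ethertype IPv4 (0x0800), length 98: 172.16.0.9 > 224.0.0.1: ICMP echo request, id 1, seq 2, length 64
12:00:04.000001 00:aa:bb:cc:dd:ee > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 87: 192.168.1.20.5353 > 224.0.0.251.5353: UDP, length 45
12:00:05.000001 00:11:22:33:44:55 > 01:00:5e:00:00:01, ethertype IPv4 (0x0800), length 66: 192.168.1.1.520 > 224.0.0.1.520: UDP, length 24
EOF
}

sample_capture | summarize_mcast_sources
```

In the sample, one MAC appears behind two different IP source addresses; that MAC is the value to search for in the switch's address cache.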