[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [suse-security] Martian Source



On Thu, Oct 24, 2002 at 07:48:58AM +0200, Grosswiler Roger wrote:
> >>>ll header: ff:ff:ff:ff:ff:ff:00:09:7b:8d:08:54:08:00
> >>>                             ^^^^^^^^^^^^^^^^^
> This does not really seem to be a MAC-Adress..

What makes you think so? The kernel logs the low-level header, which,
in this case, is an Ethernet header. An Ethernet header looks like
this:

	6 bytes of destination MAC. A MAC of all ones is the
		Ethernet broadcast address.
	6 bytes of source MAC. 00:09:7b:8d:08:54 in this case
	2 bytes of either packet length for LLC and all thast garbage,
		or a packet type. 0x800 is the packet type for IP.

All you need to do is find the host on your networks that has an
Ethernet card with said MAC address.

One possible explanation for this case of Martians may be that you have
a machine with two network cards connected to the same physical network;
either by design or accident. Which would explain why the kernel printk
is only triggered by broadcasts.

My guess is that this is more of a misconfiguration issue than a security
related problem.

> I found another link...how about this one?

Which one? :)

Olaf
-- 
Olaf Kirch     |  Anyone who has had to work with X.509 has probably
okir@xxxxxxx   |  experienced what can best be described as
---------------+  ISO water torture. -- Peter Gutmann

-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here