
Re: [suse-security] Martian Source



On Thu, 24 Oct 2002 08:39:17 +0200
Olaf Kirch <okir@xxxxxxx> wrote:

> On Thu, Oct 24, 2002 at 07:48:58AM +0200, Grosswiler Roger wrote:
> > >>>ll header: ff:ff:ff:ff:ff:ff:00:09:7b:8d:08:54:08:00
> > >>>                             ^^^^^^^^^^^^^^^^^
> > This does not really seem to be a MAC address..
> 
> What makes you think so? The kernel logs the low-level header, which,
> in this case, is an Ethernet header. An Ethernet header looks like
> this:
> 
> 	6 bytes of destination MAC. A MAC of all ones is the
> 		Ethernet broadcast address.
> 	6 bytes of source MAC. 00:09:7b:8d:08:54 in this case
> 	2 bytes of either packet length for LLC and all that garbage,
> 		or a packet type. 0x800 is the packet type for IP.
> 
> All you need to do is find the host on your networks that has an
> Ethernet card with said MAC address.
> 
> One possible explanation for this case of Martians may be that you have
> a machine with two network cards connected to the same physical network;
> either by design or accident. Which would explain why the kernel printk
> is only triggered by broadcasts.
> 
> My guess is that this is more of a misconfiguration issue than a security
> related problem.
> 
I get these logs from machines with virtual interfaces (eth0:1).
The box often uses the eth0:0 address instead of the address from eth0:1.

-- 
andy
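
The header layout described in the quoted reply, as an added example that is not part of either post: a small Python parser that splits a kernel "ll header:" line into destination MAC, source MAC and type/length, and checks whether the source MAC belongs to the logging host itself, which would fit the two-cards-on-one-network explanation. The function names and the local_macs mapping are assumptions made for this example.

```python
import re

# Values >= 0x0600 in bytes 13-14 are a packet type; smaller values are an
# 802.3 length field (the "LLC" case mentioned in the thread).
ETHERTYPE_MIN = 0x0600
KNOWN_TYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
BROADCAST = "ff:ff:ff:ff:ff:ff"
# Exactly the first 14 colon-separated octets after "ll header:".
LL_RE = re.compile(r"ll header:\s*((?:[0-9a-fA-F]{2}:){13}[0-9a-fA-F]{2})\b")

def parse_ll_header(line):
    """Split the 14-byte Ethernet header out of an 'll header:' log line."""
    m = LL_RE.search(line)
    if m is None:
        return None  # not an Ethernet-sized header; other link types differ
    octets = m.group(1).lower().split(":")
    dst = ":".join(octets[0:6])
    src = ":".join(octets[6:12])
    field = int(octets[12] + octets[13], 16)
    if field >= ETHERTYPE_MIN:
        kind = KNOWN_TYPES.get(field, "type 0x%04x" % field)
    else:
        kind = "802.3 length %d" % field
    return {"dst": dst, "src": src, "kind": kind, "broadcast": dst == BROADCAST}

def classify(line, local_macs):
    """Add 'local_interface': the host's own interface that owns the source
    MAC, or None. local_macs is {interface name: MAC} for the logging host."""
    hdr = parse_ll_header(line)
    if hdr is None:
        return None
    hdr["local_interface"] = next(
        (name for name, mac in local_macs.items() if mac.lower() == hdr["src"]),
        None,
    )
    return hdr

# The header line quoted in the thread.
SAMPLE = "ll header: ff:ff:ff:ff:ff:ff:00:09:7b:8d:08:54:08:00"
# Constructed inventory: pretend the logging host owns this MAC on eth1.
CONSTRUCTED_LOCAL_MACS = {"eth0": "00:09:7b:aa:bb:cc", "eth1": "00:09:7B:8D:08:54"}

if __name__ == "__main__":
    print(classify(SAMPLE, CONSTRUCTED_LOCAL_MACS))
```

A result with local_interface set means the broadcast came from the host's own second card; None means the MAC has to be looked up elsewhere on the network.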
