Networking Forums

packets with source ip 0.0.0.0

 
 
linux.lover2004@gmail.com
      05-03-2005, 09:31 AM
Hello,
I am working on Linux and I observe that I am getting some
0.0.0.0 packets? I want to know who is sending those packets? Are they
sent by services running on my Linux box?
Which protocols require sending those packets? Is there any
connection with raw sockets?

 
Vincent Jaussaud
      05-03-2005, 01:22 PM
(E-Mail Removed) wrote:

> Hello,
> I am working on Linux and I observe that I am getting some
> 0.0.0.0 packets? I want to know who is sending those packets? Are they
> sent by services running on my Linux box?
> Which protocols require sending those packets? Is there any
> connection with raw sockets?


Hi,

There is no reason why a process should ever send a packet with src IP set to
0.0.0.0.

The only thing I can think of is a broken application, or some sort of
security tools using a spoofed IP.

You should tcpdump your interfaces to see where these packets are coming
from, and track them hop by hop, up to the real source.

Good luck.

--
Vincent Jaussaud, Kelkoo.com IT Architect
---
Out of the crooked timber of humanity no straight thing can ever be made.
-- Immanuel Kant

 
Tauno Voipio
      05-03-2005, 02:01 PM
(E-Mail Removed) wrote:
> Hello,
> I am working on Linux and I observe that I am getting some
> 0.0.0.0 packets? I want to know who is sending those packets? Are they
> sent by services running on my Linux box?
> Which protocols require sending those packets? Is there any
> connection with raw sockets?


It's perfectly legal to send the initial BOOTP or DHCP packets
with a source IP of 0.0.0.0; the sender does not know anything else.

Are the packets UDP datagrams between ports 67 and 68?

--

Tauno Voipio
tauno voipio (at) iki fi
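
Added example, not part of the original posts: a Python check for the question raised above, deciding whether a captured IPv4 packet with source 0.0.0.0 is a DHCP/BOOTP client message (UDP 68 to 67, sent to broadcast) or something that needs tracing. The packets are constructed samples and the function names are hypothetical.

```python
import ipaddress
import struct

UDP = 17
BOOTP_SERVER, BOOTP_CLIENT = 67, 68
ZERO = ipaddress.IPv4Address("0.0.0.0")
BROADCAST = ipaddress.IPv4Address("255.255.255.255")

def classify(packet: bytes) -> str:
    """Classify a raw IPv4 packet (no link-layer header) by its source address."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return "malformed"
    proto = packet[9]
    src = ipaddress.IPv4Address(packet[12:16])
    dst = ipaddress.IPv4Address(packet[16:20])
    if src != ZERO:
        return "normal-source"
    if proto == UDP and len(packet) >= ihl + 8:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        if sport == BOOTP_CLIENT and dport == BOOTP_SERVER:
            # RFC 2131: a client with no address yet sends from 0.0.0.0 to broadcast.
            if dst == BROADCAST:
                return "dhcp-client-broadcast"
            return "dhcp-ports-unusual-destination"
    return "unexpected-zero-source"

def build_ipv4(src: str, dst: str, proto: int, payload: bytes = b"") -> bytes:
    """Build a constructed sample packet (checksum left at 0, not validated here)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload

def build_udp(sport: int, dport: int, data: bytes = b"") -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

# Constructed samples; 192.0.2.0/24 is a documentation range.
SAMPLES = {
    "discover": build_ipv4("0.0.0.0", "255.255.255.255", UDP, build_udp(68, 67)),
    "icmp": build_ipv4("0.0.0.0", "192.0.2.10", 1, b"\x08\x00\x00\x00"),
    "unicast": build_ipv4("0.0.0.0", "192.0.2.1", UDP, build_udp(68, 67)),
    "normal": build_ipv4("192.0.2.5", "192.0.2.1", UDP, build_udp(40000, 53)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:10s} {classify(pkt)}")
```

On a live interface the same split can be made with the capture filter `src host 0.0.0.0 and not (udp and src port 68 and dst port 67)`, which leaves only the zero-source packets that are not DHCP client traffic.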

 
Mr. Boy
      05-03-2005, 08:47 PM
As Tauno said, if some host within your network communicates using
Ethernet frames without any network layer protocol (TCP/IP, IPX/SPX,
AppleTalk) it might show up as 0.0.0.0. Also, Linux shows directly
connected routes as 0.0.0.0. Check when and which program receives this
kind of address; use tcpdump or ethereal to check what it is... and
try to get MAC addresses to track the origin.

If you get the MAC, use arping to find the IP address... or arp...

A crazy theory: someone is using iptables postrouting rules to change the
packet origin from the real IP to 0.0.0.0, some broken NIC maybe...

 
Moe Trin
      05-03-2005, 11:14 PM
In article <42777b19$0$295$(E-Mail Removed)>, Vincent Jaussaud
wrote:

>(E-Mail Removed) wrote:


>> I am working on Linux and I observe that I am getting some
>> 0.0.0.0 packets? I want to know who is sending those packets? Are they
>> sent by services running on my Linux box?


>There is no reason why a process should ever send a packet with src IP set to
>0.0.0.0


0.0.0.0 usually means "I don't know my address" - as in

2131 Dynamic Host Configuration Protocol. R. Droms. March 1997.
(Format: TXT=113738 bytes) (Obsoletes RFC1541) (Updated by RFC3396)
(Status: DRAFT STANDARD)

3330 Special-Use IPv4 Addresses. IANA. September 2002. (Format:
TXT=16200 bytes) (Status: INFORMATIONAL)

>Or some sort of security tools using a spoofed IP.


Hmmm, I've never tried that with nmap, but it's not possible to establish
a TCP connection if there is a router involved, as most routers will
silently discard packets to that address, unless they are a DHCP forwarder.

>You should tcpdump your interfaces to see where these packets are coming
>from, and track them hop by hop, up to the real source.


Really wouldn't expect them to be going beyond the router, but tcpdump
(or similar) is the key.

Old guy

 
linux.lover2004@gmail.com
      05-04-2005, 12:52 AM

Moe Trin wrote:
> In article <42777b19$0$295$(E-Mail Removed)>, Vincent Jaussaud
> wrote:
>
> >(E-Mail Removed) wrote:
>
> >> I am working on Linux and I observe that I am getting some
> >> 0.0.0.0 packets? I want to know who is sending those packets? Are they
> >> sent by services running on my Linux box?
>
> >There is no reason why a process should ever send a packet with src IP set to
> >0.0.0.0
>
> 0.0.0.0 usually means "I don't know my address" - as in
>
> 2131 Dynamic Host Configuration Protocol. R. Droms. March 1997.
> (Format: TXT=113738 bytes) (Obsoletes RFC1541) (Updated by RFC3396)
> (Status: DRAFT STANDARD)
>
> 3330 Special-Use IPv4 Addresses. IANA. September 2002. (Format:
> TXT=16200 bytes) (Status: INFORMATIONAL)
>
> >Or some sort of security tools using a spoofed IP.
>
> Hmmm, I've never tried that with nmap, but it's not possible to establish
> a TCP connection if there is a router involved, as most routers will
> silently discard packets to that address, unless they are a DHCP forwarder.
>
> >You should tcpdump your interfaces to see where these packets are coming
> >from, and track them hop by hop, up to the real source.
>
> Really wouldn't expect them to be going beyond the router, but tcpdump
> (or similar) is the key.
>
> Old guy


Is it possible to have source IP 0.0.0.0 packets travel across my Linux
PC when I remove the network cable from the NIC, use ifdown eth0, and use
ping localhost?
Because what I found is that, after sending and receiving 2 ping/pong
packets on 127.0.0.1, the network stack is also getting those source IP
0.0.0.0 packets. How is it possible?

 
ynotssor
      05-04-2005, 08:41 PM
"Mr. Boy" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ps.com

> A crazy theory: someone is using iptables postrouting rules to change the
> packet origin from the real IP to 0.0.0.0, some broken NIC maybe...


nmap -D 0.0.0.0 ...
 
linux.lover2004@gmail.com
      05-05-2005, 06:45 AM

ynotssor wrote:
> "Mr. Boy" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed) ps.com

Hello, the link is not working.

> > A crazy theory: someone is using iptables postrouting rules to change the
> > packet origin from the real IP to 0.0.0.0, some broken NIC maybe...
>
> nmap -D 0.0.0.0 ...


 