In article <(E-Mail Removed) >, Arthur wrote:
>What is the best way of starting to figure out where the problem is,
>so it can be fixed? I have no idea where to look.......
Your original posting on 21 Jul 2004 04:35:59 -0700 showed:
>Jul 21 06:55:22 nitelife kernel: martian source 192.168.0.110 from
>24.208.81.72, on dev eth1
Well, it's on eth1. 24.208.81.72 resolves to CPE-24-208-81-72.neb.rr.com,
but that doesn't tell me anything. It would have helped to know what the
network and mask on eth1 are.
>Jul 21 06:55:22 nitelife kernel: ll header:
>00:50:04:6e:54:1a:00:0c:41:6d:c6:d2:08:00
OK, the header has three pieces of information:
00:50:04:6e:54:1a Destination hardware address
00:0c:41:6d:c6:d2 Source ON THE LOCAL WIRE hardware address
08:00 Type = IP Datagram
[compton ~]$ etherwhois 00:50:04
00-50-04 (hex) 3COM CORPORATION
005004 (base 16) 3COM CORPORATION
5400 BAYFRONT PLAZA
SANTA CLARA CA 95052
UNITED STATES
[compton ~]$ etherwhois 00:0c:41
00-0C-41 (hex) The Linksys Group, Inc.
000C41 (base 16) The Linksys Group, Inc.
17401 Armstrong Ave.
Irvine CA 92614
UNITED STATES
[compton ~]$
The Linksys is probably a router of some kind. The 3Com - they've
got a slew of products, but that prefix is often used with the 3C90X
cards. Do you have one?
>Jul 21 06:55:33 nitelife kernel: martian source 192.168.1.110 from
>192.168.1.100, on dev eth1
>Jul 21 06:55:33 nitelife kernel: ll header:
>ff:ff:ff:ff:ff:ff:00:26:54:0a:bc:2f:08:06
00:26:54 is another 3Com code. ff:ff:ff:ff:ff:ff is a broadcast, and
type 0806 is an ARP request/reply.
>Jul 21 06:55:33 nitelife kernel: martian source 192.168.0.255 from
>192.168.0.110, on dev eth0
>Jul 21 06:55:33 nitelife kernel: ll header:
>ff:ff:ff:ff:ff:ff:00:50:04:6e:54:1a:08:00
Another broadcast - from the first 3C90X.
>Jul 21 06:55:41 nitelife kernel: martian source 192.168.0.110 from
>207.238.164.226, on dev eth1
>Jul 21 06:55:41 nitelife kernel: ll header:
>00:50:04:6e:54:1a:00:0c:41:6d:c6:d2:08:00
Same as the first. The different source IP address suggests the Linksys
is a router with access to the world.
>Jul 21 06:55:44 nitelife kernel: martian source 192.168.0.110 from
>192.168.0.1, on dev eth0
>Jul 21 06:55:44 nitelife kernel: ll header:
>ff:ff:ff:ff:ff:ff:00:0c:41:6d:c6:d2:08:06
Another ARP request.
So, what you've shown indicates there are several hosts on the eth1
interface talking on a 192.168.0.0/24 network. I can see three hosts,
though there may be more. One is _probably_ a Linksys router, and it
has a MAC address of 00:0c:41:6d:c6:d2. There are two systems with 3Com
cards - one is _probably_ a 3C90X with a MAC address of 00:50:04:6e:54:1a
and the other is something else with a MAC address of 00:26:54:0a:bc:2f.
How would I get more details? Probably run tcpdump with a fair sized
snaplen (packet capture size), looking for those MAC addresses (but NOT
the IP addresses) outputting to a file. Then look through that, and see
what turns up. With any luck, the 1d10t who owns those boxes will check
his mail - sending username and password in the clear as usual.
But, ah... you'all be careful, ya hear? Sniffing the wire like that
_could_ be illegal, or fattening, or something bad for your health.
They _could_ throw your a*s so far into the slammer that they'd have to
use an echo sounder to find you. You have been warned ;-)
Hope this helps,
Old guy
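To triage a batch of these lines the way the reply above walks through them by hand, here is an added example (not from the thread): it pairs each "martian source" line with the "ll header" line that follows it, splits the 14-byte header into destination MAC, source MAC and ethertype, and groups the source IPs seen per source MAC so each physical host shows up once. The OUI table holds only the three prefixes the post looked up with etherwhois, and the sample log lines are the ones quoted in the thread, re-joined where the post wrapped them.

```python
import re
# OUI prefixes the post looked up with etherwhois (constructed table, not a registry)
OUI = {"00:50:04": "3COM CORPORATION", "00:26:54": "3COM CORPORATION",
       "00:0c:41": "The Linksys Group, Inc."}
ETHERTYPES = {0x0800: "IP datagram", 0x0806: "ARP request/reply"}
MARTIAN = re.compile(r"martian source (\S+) from (\S+), on dev (\S+)")
LLHDR = re.compile(r"ll header: ((?:[0-9a-f]{2}:){13}[0-9a-f]{2})", re.I)

def vendor(mac):
    """Map a MAC to its vendor using the first three octets (the OUI)."""
    return OUI.get(mac[:8], "unknown")

def parse_ll_header(hexstr):
    """Split the 14-byte link-layer header: dst MAC, src MAC, 2-byte ethertype."""
    o = hexstr.lower().split(":")
    dst, src = ":".join(o[:6]), ":".join(o[6:12])
    etype = int(o[12] + o[13], 16)
    return {"dst": dst, "src": src, "src_vendor": vendor(src),
            "broadcast": dst == "ff:ff:ff:ff:ff:ff",
            "ethertype": etype, "type_name": ETHERTYPES.get(etype, "other")}

def parse_martians(lines):
    """Pair each 'martian source' line with the 'll header' line that follows it."""
    events, pending = [], None
    for line in lines:
        m = MARTIAN.search(line)
        if m:
            pending = {"martian": m.group(1), "from": m.group(2), "dev": m.group(3)}
            continue
        h = LLHDR.search(line)
        if h and pending:
            events.append({**pending, **parse_ll_header(h.group(1))})
            pending = None
    return events

def hosts_by_mac(events):
    """Group the source IPs seen per source MAC: one entry per physical host."""
    hosts = {}
    for e in events:
        hosts.setdefault(e["src"], set()).add(e["from"])
    return hosts

# Log lines quoted in the thread (re-joined where the post wrapped them)
LOG = [
    "Jul 21 06:55:22 nitelife kernel: martian source 192.168.0.110 from 24.208.81.72, on dev eth1",
    "Jul 21 06:55:22 nitelife kernel: ll header: 00:50:04:6e:54:1a:00:0c:41:6d:c6:d2:08:00",
    "Jul 21 06:55:33 nitelife kernel: martian source 192.168.1.110 from 192.168.1.100, on dev eth1",
    "Jul 21 06:55:33 nitelife kernel: ll header: ff:ff:ff:ff:ff:ff:00:26:54:0a:bc:2f:08:06",
    "Jul 21 06:55:44 nitelife kernel: martian source 192.168.0.110 from 192.168.0.1, on dev eth0",
    "Jul 21 06:55:44 nitelife kernel: ll header: ff:ff:ff:ff:ff:ff:00:0c:41:6d:c6:d2:08:06",
]
```

Running `hosts_by_mac(parse_martians(LOG))` yields one entry per source MAC with every IP it has claimed, which is the list of hosts to go looking for on the wire.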