* Hella.Breitkopf@varetis.de wrote on Fri, Apr 20, 2001 at 20:16 +0200:
mash@myfuckingnet.com on Thu, Apr 19, 2001 at 10:41 +0200 had found the martians in his log files:
Apr 18 12:04:38 server kernel: martian source c799fea9 for c799fea9, dev eth0
Steffen Dettmer <steffen@dett.de> had some perl code to decode this:
* Hella.Breitkopf@varetis.de wrote on Fri, Apr 20, 2001 at 20:16 +0200 had thesis about that:
[THESIS 1] So are there two possibilities to write hex IP addresses and the found "martians" in the log files are written backwards (right to left)
I think that's it, and that's why the scripts is like is it. I wrote it when I got a martian from 192.168.1.255. But maybe this came from 255.1.168.192 - but this looks not familar... But I have never confirmed hat or whatever. The script may be wrong. Look at the kernel sources if unsure.
I haven't found any prove for one of these thesises - but would be very interested in resources proving one of the two.
ok, then let's look for proves - kernel sources. A find |> grep gives first hint to ipv4/route.c. There are some macors for testing. Of course that macros need to have the same idea of the order. Well, i.e.: #define LOOPBACK(x) (((x) & htonl(0xff000000)) == htonl(0x7f000000)) htonl() converts to network byte order. "route.c" uses network byte order. The martian source is in network byte order. Now let's take a look at
fffffea9 = 169.254.255.255
via C "inet_ntoa" (network order to ASCII): printf("ntoa(fffffea9) = %s\n", inet_ntoa(0xfffffea9)); which produdes: ntoa(fffffea9) = 169.254.255.255 (same as the perl script). (Just a word to perl: perl -e 'use Socket; print inet_ntoa(pack('L',0xfffffea9)), "\n"'; works too, and produces the same output :)) But back to security. You told:
ff ff fe a9 is in my universe (if read from left to right) = 255.255.254.169
which makes me assume that 169.254.255.255 is not. A whois shows quickly: Netname: LINKLOCAL hum! Such a funny thing. But who should recognize LINKLOCAL in hex and network byte order! :) funny :) :) So maybe there's some Win host getting bored and sending junk... To learn more about link local, use your favorite search engine. I've forgotten the story. As I told, check for move laptops and such things. Have a nice weekend! oki, Steffen -- Dieses Schreiben wurde maschinell erstellt, es trägt daher weder Unterschrift noch Siegel.