On Thu, 24 Oct 2002 08:39:17 +0200 Olaf Kirch <okir@suse.de> wrote:
On Thu, Oct 24, 2002 at 07:48:58AM +0200, Grosswiler Roger wrote:
ll header: ff:ff:ff:ff:ff:ff:00:09:7b:8d:08:54:08:00 ^^^^^^^^^^^^^^^^^ This does not really seem to be a MAC-Adress..
What makes you think so? The kernel logs the low-level header, which, in this case, is an Ethernet header. An Ethernet header looks like this:
6 bytes of destination MAC. A MAC of all ones is the Ethernet broadcast address. 6 bytes of source MAC. 00:09:7b:8d:08:54 in this case 2 bytes of either packet length for LLC and all thast garbage, or a packet type. 0x800 is the packet type for IP.
All you need to do is find the host on your networks that has an Ethernet card with said MAC address.
One possible explanation for this case of Martians may be that you have a machine with two network cards connected to the same physical network; either by design or accident. Which would explain why the kernel printk is only triggered by broadcasts.
My guess is that this is more of a misconfiguration issue than a security related problem.
I get this logs from machines with virtual interfaces (eth0:1). The box uses often the eth0:0 address insteed of the address from eth0:1 -- andy