Re: [SLE] Problem with W2003 Server causing Martian source...filling logs
On Thursday 08 June 2006 05:55, you wrote:
The quickest way would be to run a network trace, for example ethereal, until you've captured a few of these packets. Then you can see what it's trying to do, and that should give some idea about what's going on.
That is what I have been trying to do. I do not see any real clue as to what is sending it.
Do you see the martian address in the traces? If so, could you post some details, like what ports the martian address tries to use?
I am seeing this a lot. Always the same, just time is changing. It was
the first 1-5 of what I captured.
No.  Time      Source         Destination  Protocol  Info
2    0.613500  192.168.30.32  Broadcast    ARP       Who has 192.168.30.32? Gratuitous ARP
Frame 2 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 192.168.30.32 (00:0e:0c:4a:83:11), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Address Resolution Protocol (request/gratuitous ARP)
--
Boyd Gerber
On Thursday 08 June 2006 06:32, Boyd Lynn Gerber wrote:
I am seeing this a lot. Always the same, just time is changing. It was the first 1-5 of what I captured.
No.  Time      Source         Destination  Protocol  Info
2    0.613500  192.168.30.32  Broadcast    ARP       Who has 192.168.30.32? Gratuitous ARP
Frame 2 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 192.168.30.32 (00:0e:0c:4a:83:11), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Address Resolution Protocol (request/gratuitous ARP)
OK, I was hoping to see some actual attempt at using a service, so we could deduce what it was that was running, but we can't have everything.
It appears to be quite simple: that machine is configured to use the 192.168.30.32 address.
Gratuitous ARP is what a machine sends out when it's set to use a certain IP and wants to make sure no one else is using it already.
So either it's just misconfigured totally, or it's set up to use multiple IP addresses (does it have two network cards with one left unconfigured, perhaps? Or some setup involving virtual network cards or aliases?)
I'd suggest the admin of that windows box needs to look again at his settings. Assuming 00:0e:0c:4a:83:11 is the MAC address of that machine, this LAN trace proves that the machine is using (or trying to use) that IP as its address.
On Thursday 08 June 2006 06:32, Boyd Lynn Gerber wrote:
I am seeing this a lot. Always the same, just time is changing. It was the first 1-5 of what I captured.
No.  Time      Source         Destination  Protocol  Info
2    0.613500  192.168.30.32  Broadcast    ARP       Who has 192.168.30.32? Gratuitous ARP
Frame 2 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 192.168.30.32 (00:0e:0c:4a:83:11), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Address Resolution Protocol (request/gratuitous ARP)
OK, I was hoping to see some actual attempt at using a service, so we could deduce what it was that was running, but we can't have everything.
It appears to be quite simple: that machine is configured to use the 192.168.30.32 address.
Gratuitous ARP is what a machine sends out when it's set to use a certain IP and wants to make sure no one else is using it already.
So either it's just misconfigured totally, or it's set up to use multiple IP addresses (does it have two network cards with one left unconfigured, perhaps? Or some setup involving virtual network cards or aliases?)
I'd suggest the admin of that windows box needs to look again at his settings. Assuming 00:0e:0c:4a:83:11 is the MAC address of that machine, this LAN trace proves that the machine is using (or trying to use) that IP as its address.
That is the MAC address of the Win 2003 Server. After over 200 of exactly
the same as above, I finally got one that was a little different.
No.  Time      Source         Destination  Protocol  Info
270  5.620763  192.168.30.32  Broadcast    ARP       Who has 192.168.2.87? Tell 192.168.2.160
Frame 270 (106 bytes on wire, 106 bytes captured)
Ethernet II, Src: 192.168.30.32 (00:0e:0c:4a:83:11), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Address Resolution Protocol (request)
Thanks, I will send the Win Admin another request.
--
Boyd Gerber
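
Added example, not part of the original thread: a small ARP parser that flags gratuitous ARP (sender IP equal to target IP) and lists MAC addresses that announce more than one sender IP, which is the condition diagnosed above. The frames are constructed to mirror the two captures in the thread (three gratuitous frames stand in for the 200+ reported), and all function names are hypothetical.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa

def build_arp(sha: str, spa: str, tpa: str) -> bytes:
    """Build a constructed 28-byte ARP request payload for the sample data."""
    mac = bytes.fromhex(sha.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 1, mac,
                       IPv4Address(spa).packed, b"\x00" * 6,
                       IPv4Address(tpa).packed)

def parse_arp(payload: bytes) -> dict:
    """Parse an IPv4-over-Ethernet ARP payload; reject anything else."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, _oper, sha, spa, _tha, tpa = struct.unpack(
        ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {
        "mac": sha.hex(":"),
        "sender_ip": str(IPv4Address(spa)),
        "target_ip": str(IPv4Address(tpa)),
        "gratuitous": spa == tpa,  # sender announces/probes its own address
    }

def summarize(payloads) -> dict:
    """Per MAC: gratuitous ARP count and every sender IP it claimed."""
    hosts = defaultdict(lambda: {"gratuitous": 0, "sender_ips": set()})
    for raw in payloads:
        pkt = parse_arp(raw)
        host = hosts[pkt["mac"]]
        host["gratuitous"] += pkt["gratuitous"]
        host["sender_ips"].add(pkt["sender_ip"])
    return dict(hosts)

def multi_address_macs(summary: dict) -> list:
    """MACs that used more than one sender IP: candidates for a config review."""
    return sorted(m for m, h in summary.items() if len(h["sender_ips"]) > 1)

# Constructed frames mirroring the two ARP requests shown in the thread.
WIN_MAC = "00:0e:0c:4a:83:11"
SAMPLE = [build_arp(WIN_MAC, "192.168.30.32", "192.168.30.32")] * 3 + [
    build_arp(WIN_MAC, "192.168.2.160", "192.168.2.87")]

if __name__ == "__main__":
    print(multi_address_macs(summarize(SAMPLE)), summarize(SAMPLE))
```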