What is this bootps message?
On SuSE 9.0 running the IP Traffic I see this message quite frequently: UDP (350 bytes) from 10.54.64.1 bootps to 255.255.255.255:bootpc on eth0. What is going on? Tnx, Richard
Richard Atcheson wrote:
> On SuSE 9.0 running the IP Traffic I see this message quite frequently: UDP (350 bytes) from 10.54.64.1 bootps to 255.255.255.255:bootpc on eth0.
> What is going on? Tnx, Richard

Description: bootpc is the bootp client for Linux that will allow a Linux machine to retrieve its networking information from a server via the network. It sends out a general broadcast asking for the information which is returned. It's a broadcast request from 10.54.64.1 looking for a boot server which will issue it with its network configuration and also a boot image. Normally this comes from a diskless client -- it has to have a NIC with a prom that's programmed to initiate the action. I don't know if such a NIC is installed if it tries to boot from the network first and then checks for a local boot device.

Regards
Sid.
--
Sid Boyce .... Hamradio G3VBV and keen Flyer Linux Only Shop.
On Wednesday 31 December 2003 11:29 pm, Sid Boyce wrote:
> Richard Atcheson wrote:
> > On SuSE 9.0 running the IP Traffic I see this message quite frequently: UDP (350 bytes) from 10.54.64.1 bootps to 255.255.255.255:bootpc on eth0.
> > What is going on? Tnx, Richard
> Description: bootpc is the bootp client for Linux that will allow a Linux machine to retrieve its networking information from a server via the network. It sends out a general broadcast asking for the information which is returned. It's a broadcast request from 10.54.64.1 looking for a boot server which will issue it with its network configuration and also a boot image. Normally this comes from a diskless client -- it has to have a NIC with a prom that's programmed to initiate the action. I don't know if such a NIC is installed if it tries to boot from the network first and then checks for a local boot device. Regards Sid.

Ok I think I understand its purpose but I have no idea why it is appearing on my eth0 which is my connection to the cable modem. Is this an attempt to break into my machine?? My subnet is 192.168.1.0/24. I have no idea where the 10.0.0. stuff is coming from.

Richard
Richard Atcheson wrote:
> On Wednesday 31 December 2003 11:29 pm, Sid Boyce wrote:
> > Richard Atcheson wrote:
> > > On SuSE 9.0 running the IP Traffic I see this message quite frequently: UDP (350 bytes) from 10.54.64.1 bootps to 255.255.255.255:bootpc on eth0.
> > Description: bootpc is the bootp client for Linux that will allow a Linux machine to retrieve its networking information from a server via the network. It sends out a general broadcast asking for the information which is returned. It's a broadcast request from 10.54.64.1 looking for a boot server which will issue it with its network configuration and also a boot image. Normally this comes from a diskless client -- it has to have a NIC with a prom that's programmed to initiate the action. I don't know if such a NIC is installed if it tries to boot from the network first and then checks for a local boot device.

Actually, it is a reply from bootp/dhcp server to a bootp/dhcp client. Both bootp and dhcp use the same ports for clients and servers. These days bootp is rarely used, so I would bet on it being dhcp traffic. As for the reasons why the bootp/dhcp server broadcast its reply, there are several, which are described in RFC1542 (chapter 5.4).

> Ok I think I understand its purpose but I have no idea why it is appearing on my eth0 which is my connection to the cable modem. Is this an attempt to break into my machine?? My subnet is 192.168.1.0/24. I have no idea where the 10.0.0. stuff is coming from.

It's probably not a break-in attempt, but who's to say? It's hard to give any definitive answers without more details. Now, I am not 100% sure of the cable modem technology (although I used to have one myself), but isn't cable modem a shared medium just the same as ethernet is? In that case, what you are seeing is probably someone else's home network traffic. Most likely he/she has an ethernet hub or switch connected to his/her cable modem, so all broadcast traffic in his/her home network is also transmitted over the cable modem for your viewing pleasure :)

--
Martti Laaksonen
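Added example (not part of any poster's message): a minimal Python parser for the payload of a packet like the one discussed in this thread, showing how the BOOTP `op` field, the broadcast flag and DHCP option 53 distinguish a server reply from a client request. The function names and the sample packet, including its addresses, are constructed for illustration.

```python
import socket
import struct

BOOTPS, BOOTPC = 67, 68            # UDP ports named "bootps" and "bootpc"
MAGIC = bytes([99, 130, 83, 99])   # cookie that precedes the options field
DHCP_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
              5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}

def classify(src_port, dst_port, payload):
    """Summarise a UDP payload captured on the bootps/bootpc ports."""
    if len(payload) < 236:
        raise ValueError("shorter than the 236-byte fixed BOOTP header")
    op, _htype, _hlen, _hops, xid, _secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    yiaddr, siaddr, giaddr = (socket.inet_ntoa(payload[i:i + 4]) for i in (16, 20, 24))
    info = {
        "direction": {1: "client request", 2: "server reply"}.get(op, "unknown"),
        # A reply normally travels bootps -> bootpc, a request bootpc -> bootps.
        "ports_match_op": (op, src_port, dst_port) in {(2, BOOTPS, BOOTPC), (1, BOOTPC, BOOTPS)},
        "broadcast_flag": bool(flags & 0x8000),   # client asked for a broadcast reply
        "xid": xid, "yiaddr": yiaddr, "siaddr": siaddr, "giaddr": giaddr,
        "protocol": "BOOTP", "dhcp_type": None,
    }
    opts = payload[236:]
    i = 4 if opts[:4] == MAGIC else len(opts)
    while i < len(opts) and opts[i] != 255:       # 255 = end option
        if opts[i] == 0:                          # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(opts):
            break                                 # truncated option header
        length = opts[i + 1]
        value = opts[i + 2:i + 2 + length]
        if opts[i] == 53 and len(value) == 1:     # option 53 marks the packet as DHCP
            info["protocol"] = "DHCP"
            info["dhcp_type"] = DHCP_TYPES.get(value[0], "unknown")
        i += 2 + length
    return info

def sample_reply():
    """Constructed sample: a broadcast DHCPOFFER; all addresses are made up."""
    fixed = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x1234ABCD, 0, 0x8000)
    fixed += b"".join(socket.inet_aton(a) for a in
                      ("0.0.0.0", "10.54.64.25", "10.54.64.1", "0.0.0.0"))
    fixed += bytes.fromhex("020000000001") + bytes(10) + bytes(64) + bytes(128)
    return fixed + MAGIC + bytes([53, 1, 2, 255])

if __name__ == "__main__":
    print(classify(BOOTPS, BOOTPC, sample_reply()))
```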
Richard Atcheson wrote:
> On Wednesday 31 December 2003 11:29 pm, Sid Boyce wrote:
> > Richard Atcheson wrote:
> > > On SuSE 9.0 running the IP Traffic I see this message quite frequently: UDP (350 bytes) from 10.54.64.1 bootps to 255.255.255.255:bootpc on eth0.
> > > What is going on? Tnx, Richard
> > Description: bootpc is the bootp client for Linux that will allow a Linux machine to retrieve its networking information from a server via the network. It sends out a general broadcast asking for the information which is returned. It's a broadcast request from 10.54.64.1 looking for a boot server which will issue it with its network configuration and also a boot image. Normally this comes from a diskless client -- it has to have a NIC with a prom that's programmed to initiate the action. I don't know if such a NIC is installed if it tries to boot from the network first and then checks for a local boot device. Regards Sid.
> Ok I think I understand its purpose but I have no idea why it is appearing on my eth0 which is my connection to the cable modem. Is this an attempt to break into my machine?? My subnet is 192.168.1.0/24. I have no idea where the 10.0.0. stuff is coming from. Richard

Whilst I was in the States and trying to connect using my brother's cable modem, I could see lots of network traffic using ethereal - none of it was local, it looked like the cable modem was passing on whatever it saw on the external connection. I don't see that at home, possibly because I'm behind a firewall (using an old Cyrix M200/16M with BBIagent floppy). It's possible someone could be sending those requests to see if they can get an answer and a connection to vulnerable machines, that would be a neat way of being a trojan host on a network.

Regards
Sid.
--
Sid Boyce .... Hamradio G3VBV and keen Flyer Linux Only Shop.
Sid Boyce wrote:
> Richard Atcheson wrote:
> > On Wednesday 31 December 2003 11:29 pm, Sid Boyce wrote:
> > > Richard Atcheson wrote:
> > > > On SuSE 9.0 running the IP Traffic I see this message quite frequently: UDP (350 bytes) from 10.54.64.1 bootps to 255.255.255.255:bootpc on eth0. What is going on? Tnx, Richard

...snip!

> > Ok I think I understand its purpose but I have no idea why it is appearing on my eth0 which is my connection to the cable modem. Is this an attempt to break into my machine?? My subnet is 192.168.1.0/24. I have no idea where the 10.0.0. stuff is coming from. Richard
> Whilst I was in the States and trying to connect using my brother's cable modem, I could see lots of network traffic using ethereal - none of it was local, it looked like the cable modem was passing on whatever it saw on the external connection. I don't see that at home, possibly because I'm behind a firewall (using an old Cyrix M200/16M with BBIagent floppy). It's possible someone could be sending those requests to see if they can get an answer and a connection to vulnerable machines, that would be a neat way of being a trojan host on a network. Regards Sid.

As someone described in another thread, cable is like a party line so the data stream includes stuff that isn't for you. Perhaps you are just seeing activity that belongs to a downstream or upstream user? Just guessing ...

doc
--
"Wars and rumors of wars, disasters, and social decay, yet undaunted for love and peace we pray." dmc
participants (4): Colburn, Martti Laaksonen, Richard Atcheson, Sid Boyce