Hi Jan, On Tue, Mar 04, 2014 at 03:02:36AM -0500, Jan Stancek wrote: > > For the broken query, ok, it's your manually crafted query. But > > did you see a query with such a bogus source address "in the > > wild", too? (I'm curious how urgent this sanity check is) > > It's real packet I managed to capture during one such occurrence. > I'm sending it with small C program over raw socket, but it's byte > by byte exact copy of what I captured with tcpdump previously. > > I'm not sure how that packet came to existence. Based on IPv6 address > it came from host B, but all host B was doing at the time > was running RHEL6 with couple qemu-kvm instances. KVM guests were > set up to use bridge, so I'm assuming if any of them crafted > this packet, source IPv6 address would be different. > Ah, okay. Can you check whether it maybe came from the querier code in the Linux bridge on host B? Is "cat /sys/class/net/br0/bridge/multicast_querier" 1? Can you isolate host B and disable any multicast router daemon on it? Then check again, if you still see these queries. What kernel version is running on host B? Cheers, Linus
Attachment:
signature.asc
Description: Digital signature
