Hi,

I notice that the kernel is sending out PTR queries for each and every ARP request that is on the segment. Is this normal or have I been hacked? I have attached a tcpdump snapshot.

Note:
1. My system is cm250.gamma223.maxonline.com.sg
2. The DNS server is dns4.maxonline.com.sg.
3. I actually can't see the port 32769 when I do a 'netstat -na' or 'lsof'!!!

Please email me directly if you know the answers.

Thanks,
-PY

04:34:40.165828 arp who-has cm9.gamma211.maxonline.com.sg tell cm1.gamma208.maxonline.com.sg
04:34:40.168894 cm250.gamma223.maxonline.com.sg.32769 > dns4.maxonline.com.sg.domain: 21867+ PTR? 9.211.156.202.in-addr.arpa. (44) (DF)
04:34:40.178783 dns4.maxonline.com.sg.domain > cm250.gamma223.maxonline.com.sg.32769: 21867* 1/3/3 PTR cm9.gamma211.maxonline.com.sg. (192) (DF)
04:34:40.179785 cm250.gamma223.maxonline.com.sg.32769 > dns4.maxonline.com.sg.domain: 21868+ PTR? 1.208.156.202.in-addr.arpa. (44) (DF)
04:34:40.193246 dns4.maxonline.com.sg.domain > cm250.gamma223.maxonline.com.sg.32769: 21868 1/3/3 PTR cm1.gamma208.maxonline.com.sg. (192) (DF)
04:34:40.194068 cm250.gamma223.maxonline.com.sg.32769 > dns4.maxonline.com.sg.domain: 21869+ PTR? 68.1.156.202.in-addr.arpa. (43) (DF)
04:34:40.194513 arp who-has cm47.sigma149.maxonline.com.sg tell cm1.sigma149.maxonline.com.sg
04:34:40.198195 arp who-has cm242.omega24.maxonline.com.sg tell cm1.omega24.maxonline.com.sg
04:34:40.209485 dns4.maxonline.com.sg.domain > cm250.gamma223.maxonline.com.sg.32769: 21869 1/3/3 PTR dns4.maxonline.com.sg. (183) (DF)
04:34:40.210247 cm250.gamma223.maxonline.com.sg.32769 > dns4.maxonline.com.sg.domain: 21870+ PTR? 250.223.156.202.in-addr.arpa. (46) (DF)
04:34:40.217234 arp who-has cm104.gamma211.maxonline.com.sg tell cm1.gamma208.maxonline.com.sg
04:34:40.225761 arp who-has cm151.gamma215.maxonline.com.sg tell cm1.gamma208.maxonline.com.sg
04:34:40.226771 dns4.maxonline.com.sg.domain > cm250.gamma223.maxonline.com.sg.32769: 21870 1/3/3 PTR cm250.gamma223.maxonline.com.sg. (196) (DF)
04:34:40.228076 cm250.gamma223.maxonline.com.sg.32769 > dns4.maxonline.com.sg.domain: 21871+ PTR? 47.149.212.218.in-addr.arpa. (45) (DF)
04:34:40.238929 dns4.maxonline.com.sg.domain > cm250.gamma223.maxonline.com.sg.32769: 21871 1/3/3 PTR cm47.sigma149.maxonline.com.sg. (194) (DF)
04:34:40.239642 cm250.gamma223.maxonline.com.sg.32769 > dns4.maxonline.com.sg.domain: 21872+ PTR? 1.149.212.218.in-addr.arpa. (44) (DF)
04:34:40.250477 dns4.maxonline.com.sg.domain > cm250.gamma223.maxonline.com.sg.32769: 21872 1/3/3 PTR cm1.sigma149.maxonline.com.sg. (192) (DF)
04:34:40.251275 cm250.gamma223.maxonline.com.sg.32769 > dns4.maxonline.com.sg.domain: 21873+ PTR? 242.24.186.218.in-addr.arpa. (45) (DF)
04:34:40.263634 dns4.maxonline.com.sg.domain > cm250.gamma223.maxonline.com.sg.32769: 21873 1/3/3 PTR cm242.omega24.maxonline.com.sg. (194) (DF)
04:34:40.264321 cm250.gamma223.maxonline.com.sg.32769 > dns4.maxonline.com.sg.domain: 21874+ PTR? 1.24.186.218.in-addr.arpa. (43) (DF)