Re: Strange logs...

On Sunday 11 January 2004 12:41 pm, Carlos Fernandez Sanz wrote:

> > The fact that the MAC address is correct means that the packet has surely
> > come from the Windows machine, and has not come through any other router
> > (because if it had, it would have the IP address of the Windows box and
> > the MAC address of the router).
>
> Yes. I'm playing a bit more with this, and after adding a "--match
> mac --mac-source" rule, I started seeing the packets being dropped by the
> input policy (which is obviously drop). Once I added the same "saving by
> MAC" rule, everything works fine (except my conscience).

Well, that's good progress.

> > It would be good to try running tcpdump or ethereal on the netfilter
> > machine, so that when a log entry such as this appears, you can check the
> > tcpdump or ethereal log and see if it agrees that the packet really did
> > only come in on eth1.
>
> How reliable is ethereal? I mean, does it see packets as they come from the
> wire or after they have been touched by netfilter?

Ethereal and tcpdump will both see packets off the wire before they get to
netfilter. Remember that these packet capturing programs are not
IP-specific; they will show you ethernet, IPX, LAT, all sorts of things, if
they only come past the interface...

> I've seen some packets already:
>
> Jan 11 13:28:53 fulanito kernel: [IPTABLES MAC INPUT] : IN=eth1 OUT=
> MAC=ff:ff:ff:ff:ff:ff:00:0c:6e:77:a9:92:08:00 SRC=192.168.20.5
> DST=192.168.20.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=16661 PROTO=UDP
> SPT=137 DPT=137 LEN=58
>
> That packet shows up in ethereal as well (everything matches). However all
> packets seen so far in both ethereal and the logs (4) are for broadcasts

That's normal for Windows networking :)

> (still, is that possible? How could a packet generated by the windows box,
> which isn't connected to eth1, end up there?).

That's the one bit I can't think of an explanation for. You don't have
anything exotic like bridging or vlans enabled in your kernel do you?

Antony.

-- 
Wanted: telepath.   You know where to apply.

                                                     Please reply to the list;
                                                           please don't CC me.
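The thread turns on reading the MAC= field of a netfilter LOG line (destination MAC, source MAC, then the ethertype, 14 colon-separated bytes in total) and on checking that a given source IP arrives with the MAC, and on the interface, it should. Here is an added Python example that does exactly that over the log line quoted above plus two constructed lines; it is not code from the thread or from the netfilter project. The allowlist, the assumed expected interface eth0 for the Windows box, and the two extra log lines are assumptions made for the example.

```python
import re

# Sample input: the first line is the LOG entry quoted in the thread; the
# other two are constructed for this example (their MACs, IPs, IDs and ports
# are invented).
SAMPLE_LOG = """\
Jan 11 13:28:53 fulanito kernel: [IPTABLES MAC INPUT] : IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0c:6e:77:a9:92:08:00 SRC=192.168.20.5 DST=192.168.20.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=16661 PROTO=UDP SPT=137 DPT=137 LEN=58
Jan 11 13:30:10 fulanito kernel: [IPTABLES MAC INPUT] : IN=eth1 OUT= MAC=00:11:22:33:44:55:00:0c:6e:aa:bb:cc:08:00 SRC=192.168.20.5 DST=192.168.20.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=16662 PROTO=TCP SPT=1025 DPT=22
Jan 11 13:31:42 fulanito kernel: [IPTABLES MAC INPUT] : IN=eth0 OUT= MAC=00:11:22:33:44:55:00:0c:6e:77:a9:92:08:00 SRC=192.168.20.5 DST=192.168.20.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=16663 PROTO=TCP SPT=1026 DPT=22
"""

# Hypothetical allowlist: for each source IP, the source MAC it must carry and
# the interface it is wired to. The thread says the Windows box is not on
# eth1, so eth0 is assumed here as its real interface.
EXPECTED = {"192.168.20.5": ("00:0c:6e:77:a9:92", "eth0")}

BROADCAST = "ff:ff:ff:ff:ff:ff"
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Parse one netfilter LOG line into a dict of KEY=value fields.

    The MAC= field is split into DST_MAC (first 6 bytes), SRC_MAC (next 6)
    and ETHERTYPE (last 2; "0800" is IPv4). A key that repeats on the line
    (LEN is logged for the IP header and again for the UDP header) is kept
    as LEN and LEN_2 so nothing is silently overwritten.
    """
    m = re.search(r"\[([^\]]*)\]\s*:\s*(.*)$", line)
    if not m:
        return None
    fields = {"PREFIX": m.group(1)}
    for key, value in FIELD_RE.findall(m.group(2)):
        if key in fields:
            key = key + "_2"
        fields[key] = value
    octets = fields.get("MAC", "").split(":")
    if len(octets) == 14:
        fields["DST_MAC"] = ":".join(octets[0:6])
        fields["SRC_MAC"] = ":".join(octets[6:12])
        fields["ETHERTYPE"] = "".join(octets[12:14])
    return fields


def classify(fields, expected=EXPECTED):
    """Return (frame kind, verdict) for a parsed line.

    kind is "broadcast" or "unicast" from the destination MAC; verdict is
    "unknown-source", "mac-mismatch" (source IP seen with a MAC the allowlist
    does not expect, i.e. spoofed or relayed), "wrong-interface" (right MAC,
    but on an interface that host is not connected to) or "ok".
    """
    kind = "broadcast" if fields.get("DST_MAC") == BROADCAST else "unicast"
    rule = expected.get(fields.get("SRC"))
    if rule is None:
        return kind, "unknown-source"
    mac, iface = rule
    if fields.get("SRC_MAC", "").lower() != mac.lower():
        return kind, "mac-mismatch"
    if fields.get("IN") != iface:
        return kind, "wrong-interface"
    return kind, "ok"


def audit(log_text, expected=EXPECTED):
    """Run every LOG line through the checks; lines that are not LOG
    entries are skipped."""
    results = []
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        if fields is None:
            continue
        kind, verdict = classify(fields, expected)
        results.append((fields.get("IN"), fields.get("SRC"), kind, verdict))
    return results


if __name__ == "__main__":
    for iface, src, kind, verdict in audit(SAMPLE_LOG):
        print(f"{iface:5} {src:15} {kind:9} {verdict}")
```

Run against the three lines, the quoted entry comes out as a broadcast frame with the right MAC on the wrong interface, which is precisely the anomaly the thread cannot explain; the second constructed line shows what a mismatched source MAC looks like, and the third is the clean case. The parser keeps both LEN values because the kernel logs the IP total length and then the UDP length under the same key.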