LinuxQuestions.org

Thread: Unknown Netbios Packets to Unknown Network (https://www.linuxquestions.org/questions/linux-networking-3/unknown-netbios-packets-to-unknown-network-584565/)

fukawi2 09-13-2007 10:28 PM

Unknown Netbios Packets to Unknown Network
 
Since learning how to use tcpdump (:D), I've found 2 of my RedHat ES4 servers sending packets out to somewhere that doesn't exist...

Here are the packets in question:
Code:

[root@kiama ~]# tcpdump -lnv -i eth0 dst net 192.168.0.0/16
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
13:23:38.745953 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto 6, length: 48) 172.20.0.3.netbios-ssn > 192.168.254.100.4435: S [tcp sum ok] 1994118483:1994118483(0) ack 1317473920 win 5840 <mss 1460,nop,nop,sackOK>
13:23:39.745925 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto 6, length: 48) 172.20.0.3.netbios-ssn > 192.168.254.100.4432: S [tcp sum ok] 2002172843:2002172843(0) ack 2450289969 win 5840 <mss 1460,nop,nop,sackOK>
13:23:44.761020 IP (tos 0xc0, ttl  64, id 29752, offset 0, flags [none], proto 1, length: 104) 172.20.0.3 > 192.168.0.1: icmp 84: 172.20.0.3 udp port ntp unreachable
13:23:44.761109 IP (tos 0xc0, ttl  64, id 44297, offset 0, flags [none], proto 1, length: 104) 172.20.0.3 > 192.168.139.1: icmp 84: 172.20.0.3 udp port ntp unreachable
13:23:50.944538 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto 6, length: 48) 172.20.0.3.netbios-ssn > 192.168.254.100.4435: S [tcp sum ok] 1994118483:1994118483(0) ack 1317473920 win 5840 <mss 1460,nop,nop,sackOK>
13:23:51.744092 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto 6, length: 48) 172.20.0.3.netbios-ssn > 192.168.254.100.4432: S [tcp sum ok] 2002172843:2002172843(0) ack 2450289969 win 5840 <mss 1460,nop,nop,sackOK>

6 packets captured
6 packets received by filter
0 packets dropped by kernel
[root@kiama ~]#

Our local network is 172.20.0.0/18 and we have VPN links to several other sites, all in the 172.x range, and one VPN tunnel to a 192.168.1.x network.

192.168.254.100, 192.168.0.1 and 192.168.139.1 are all hosts that do not exist, and have never existed, anywhere in our network.

Anyone got any ideas what these are? I'm guessing something to do with Samba at the moment, which is running on both machines...
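As an added example (not code from the thread or from any of its posters), here is a small Python parser for the tcpdump -lnv lines above. For each packet it records whether the destination falls inside one of the networks the poster lists, and whether the packet is a reply rather than something the server initiated: a SYN-ACK and an ICMP port-unreachable are only ever sent in answer to a packet the host has already received, which is the first thing to establish before blaming a local service. The KNOWN_NETS list, the assumption that the "172.x" VPN sites fall inside 172.16.0.0/12, and the sample lines copied from the capture above are mine.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Networks the thread names as legitimate: the local LAN, the VPN sites "in the
# 172.x range" (assumed here to be the whole RFC 1918 172.16/12 block), and the
# single 192.168.1.x tunnel.
KNOWN_NETS = [
    ipaddress.ip_network("172.20.0.0/18"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.1.0/24"),
]

# Sample input: six lines copied from the capture posted in the thread.
SAMPLE = [
    "13:23:38.745953 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto 6, length: 48) 172.20.0.3.netbios-ssn > 192.168.254.100.4435: S [tcp sum ok] 1994118483:1994118483(0) ack 1317473920 win 5840 <mss 1460,nop,nop,sackOK>",
    "13:23:39.745925 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto 6, length: 48) 172.20.0.3.netbios-ssn > 192.168.254.100.4432: S [tcp sum ok] 2002172843:2002172843(0) ack 2450289969 win 5840 <mss 1460,nop,nop,sackOK>",
    "13:23:44.761020 IP (tos 0xc0, ttl  64, id 29752, offset 0, flags [none], proto 1, length: 104) 172.20.0.3 > 192.168.0.1: icmp 84: 172.20.0.3 udp port ntp unreachable",
    "13:23:44.761109 IP (tos 0xc0, ttl  64, id 44297, offset 0, flags [none], proto 1, length: 104) 172.20.0.3 > 192.168.139.1: icmp 84: 172.20.0.3 udp port ntp unreachable",
    "13:23:50.944538 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto 6, length: 48) 172.20.0.3.netbios-ssn > 192.168.254.100.4435: S [tcp sum ok] 1994118483:1994118483(0) ack 1317473920 win 5840 <mss 1460,nop,nop,sackOK>",
    "13:23:51.744092 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto 6, length: 48) 172.20.0.3.netbios-ssn > 192.168.254.100.4432: S [tcp sum ok] 2002172843:2002172843(0) ack 2450289969 win 5840 <mss 1460,nop,nop,sackOK>",
]

# Layout of a "tcpdump -lnv" IPv4 line: timestamp, header fields in parentheses,
# then "src > dst: rest".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP \((?P<hdr>[^)]*)\) (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)
PROTO_RE = re.compile(r"proto (\d+)")


@dataclass
class Packet:
    ts: str
    src: str
    dst: str
    dport: Optional[str]
    proto: int
    kind: str        # "syn-ack", "syn", "icmp-unreachable" or "other"
    dst_known: bool  # destination lies inside one of KNOWN_NETS


def split_endpoint(token: str):
    """Split 'ip.port' (port may be a service name) into (ip, port)."""
    try:
        ipaddress.ip_address(token)
        return token, None              # bare address, e.g. on ICMP lines
    except ValueError:
        ip, port = token.rsplit(".", 1)
        return ip, port


def classify(proto: int, rest: str) -> str:
    """Label the packet by what it says about who started the conversation."""
    if proto == 6:
        flags = rest.split()[0]         # e.g. "S", "S.", "P", "."
        if "S" in flags and " ack " in rest:
            return "syn-ack"            # answer to a SYN the host received
        if "S" in flags:
            return "syn"                # host is initiating a connection
    elif proto == 1 and "unreachable" in rest:
        return "icmp-unreachable"       # answer to a datagram the host received
    return "other"


def parse_line(line: str) -> Optional[Packet]:
    m = LINE_RE.match(line)
    if not m:
        return None
    src, _ = split_endpoint(m["src"])
    dst, dport = split_endpoint(m["dst"])
    proto = int(PROTO_RE.search(m["hdr"]).group(1))
    dst_ip = ipaddress.ip_address(dst)
    return Packet(
        ts=m["ts"], src=src, dst=dst, dport=dport, proto=proto,
        kind=classify(proto, m["rest"]),
        dst_known=any(dst_ip in net for net in KNOWN_NETS),
    )


def analyze(lines):
    """Parse every recognisable line; unparseable lines are skipped."""
    return [p for p in (parse_line(l) for l in lines) if p]


def summarize(packets):
    """Count (destination, kind) pairs for destinations outside KNOWN_NETS."""
    return Counter((p.dst, p.kind) for p in packets if not p.dst_known)


if __name__ == "__main__":
    for (dst, kind), n in sorted(summarize(analyze(SAMPLE)).items()):
        print(f"{dst:16} {kind:17} {n}")
```

Run against the six lines from the thread, every packet is classified as a reply and every destination falls outside the listed networks; the summary therefore groups the traffic by the address that is being answered, which is the list to carry into the next step of the investigation (a capture filtered on those addresses as source, rather than as destination).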

au_hank 09-15-2007 07:02 AM

Have you ever seen packets with a source address of 192.168.254.100, 192.168.0.1 or 192.168.139.1?

It looks like these addresses are fabricated.

fukawi2 09-17-2007 06:41 PM

No, never seen any packets with that source... This is a pretty small network (around 100 devices, less than 80 users) so we keep a pretty tight eye over everything.
