09-13-2007, 10:28 PM
#1
Member
Registered: Oct 2006
Location: Melbourne, Australia
Distribution: ArchLinux, ArchServer, Fedora, CentOS
Posts: 448
Unknown Netbios Packets to Unknown Network
Since learning how to use tcpdump, I've found 2 of my RedHat ES4 servers sending packets out to somewhere that doesn't exist...
Here are the packets in question:
Code:
[root@kiama ~]# tcpdump -lnv -i eth0 dst net 192.168.0.0/16
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
13:23:38.745953 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 6, length: 48) 172.20.0.3.netbios-ssn > 192.168.254.100.4435: S [tcp sum ok] 1994118483:1994118483(0) ack 1317473920 win 5840 <mss 1460,nop,nop,sackOK>
13:23:39.745925 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 6, length: 48) 172.20.0.3.netbios-ssn > 192.168.254.100.4432: S [tcp sum ok] 2002172843:2002172843(0) ack 2450289969 win 5840 <mss 1460,nop,nop,sackOK>
13:23:44.761020 IP (tos 0xc0, ttl 64, id 29752, offset 0, flags [none], proto 1, length: 104) 172.20.0.3 > 192.168.0.1: icmp 84: 172.20.0.3 udp port ntp unreachable
13:23:44.761109 IP (tos 0xc0, ttl 64, id 44297, offset 0, flags [none], proto 1, length: 104) 172.20.0.3 > 192.168.139.1: icmp 84: 172.20.0.3 udp port ntp unreachable
13:23:50.944538 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 6, length: 48) 172.20.0.3.netbios-ssn > 192.168.254.100.4435: S [tcp sum ok] 1994118483:1994118483(0) ack 1317473920 win 5840 <mss 1460,nop,nop,sackOK>
13:23:51.744092 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 6, length: 48) 172.20.0.3.netbios-ssn > 192.168.254.100.4432: S [tcp sum ok] 2002172843:2002172843(0) ack 2450289969 win 5840 <mss 1460,nop,nop,sackOK>
6 packets captured
6 packets received by filter
0 packets dropped by kernel
[root@kiama ~]#
Our local network is 172.20.0.0/18 and we have VPN links to several other sites, all in the 172.x range, and one VPN tunnel to a 192.168.1.x network.
192.168.254.100, 192.168.0.1 and 192.168.139.1 are all hosts that do not exist, and have never existed, anywhere in our network.
Anyone got any ideas what these are? I'm guessing something to do with Samba at the moment, which is running on both machines...
09-15-2007, 07:02 AM
#2
LQ Newbie
Registered: Sep 2007
Posts: 17
Have you ever seen packets with a source address of 192.168.254.100, 192.168.0.1 and 192.168.139.1?
It looks like these addresses are fabricated.
09-17-2007, 06:41 PM
#3
Member
Registered: Oct 2006
Location: Melbourne, Australia
Distribution: ArchLinux, ArchServer, Fedora, CentOS
Posts: 448
Original Poster
No, never seen any packets with that source... This is a pretty small network (around 100 devices, less than 80 users) so we keep a pretty tight eye over everything.
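An added example, not part of any post in this thread: a small parser for the `tcpdump -nv` text format shown in post #1 that separates replies (SYN+ACK, ICMP port unreachable) from locally initiated SYNs. Every packet in the capture is a reply, so datagrams carrying those 192.168.x.x source addresses did arrive at the server. The first three sample lines are copied from post #1; the fourth is constructed for contrast, and all function names are this example's own.

```python
import re
from collections import defaultdict

# Lines 1-3 are from the capture in post #1; line 4 is a constructed
# outbound SYN, included only to show how an initiated connection looks.
CAPTURE = """\
13:23:38.745953 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 6, length: 48) 172.20.0.3.netbios-ssn > 192.168.254.100.4435: S [tcp sum ok] 1994118483:1994118483(0) ack 1317473920 win 5840 <mss 1460,nop,nop,sackOK>
13:23:44.761020 IP (tos 0xc0, ttl 64, id 29752, offset 0, flags [none], proto 1, length: 104) 172.20.0.3 > 192.168.0.1: icmp 84: 172.20.0.3 udp port ntp unreachable
13:23:44.761109 IP (tos 0xc0, ttl 64, id 44297, offset 0, flags [none], proto 1, length: 104) 172.20.0.3 > 192.168.139.1: icmp 84: 172.20.0.3 udp port ntp unreachable
13:24:00.000000 IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto 6, length: 60) 172.20.0.3.40000 > 192.168.1.10.netbios-ssn: S [tcp sum ok] 100:100(0) win 5840 <mss 1460>
"""

# "<header>) src > dst: rest" as printed by this tcpdump version.
LINE = re.compile(r"\)\s+(\S+)\s+>\s+(\S+):\s+(.*)$")

def host(endpoint):
    """Drop the trailing .port or .service from an IPv4 tcpdump endpoint."""
    return ".".join(endpoint.split(".")[:4])

def classify(line):
    """Return (src, dst, kind) for one line, or None if it is not a packet."""
    m = LINE.search(line)
    if not m:
        return None
    src, dst, rest = m.groups()
    if rest.startswith("S "):
        # SYN with an ack number is the second step of a handshake,
        # i.e. an answer to a SYN this host received.
        kind = "syn-ack reply" if " ack " in rest else "syn (initiated)"
    elif rest.startswith("icmp") and "unreachable" in rest:
        # Sent in answer to a datagram this host received.
        kind = "icmp unreachable reply"
    else:
        kind = "other"
    return host(src), host(dst), kind

def kinds_by_destination(text):
    """Map each destination host to the set of packet kinds sent to it."""
    seen = defaultdict(set)
    for line in text.splitlines():
        parsed = classify(line)
        if parsed:
            seen[parsed[1]].add(parsed[2])
    return dict(seen)

def reply_only_destinations(text):
    """Destinations this host only ever answers and never contacts first."""
    return sorted(d for d, kinds in kinds_by_destination(text).items()
                  if all(k.endswith("reply") for k in kinds))
```

Capturing with `src net 192.168.0.0/16` instead of `dst net`, plus tcpdump's `-e` option to print the link-level header, would show the inbound half of these exchanges and the MAC address that delivered it.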