Member
Registered: Sep 2007
Location: Folsom, California
Distribution: Ubuntu, Mint, Debian, Suse
Posts: 307
Original Poster
I don't yet have an e-mail application on this system (except for internal system mail).
Thanks for the tip about tcpdump.
Here is some of the tcpdump:
13:49:23.081402 IP (tos 0x0, ttl 127, id 65463, offset 0, flags [none], proto: UDP (17), length: 280) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 252
13:49:23.081651 IP (tos 0x0, ttl 127, id 65464, offset 0, flags [none], proto: UDP (17), length: 298) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 270
13:49:23.081838 IP (tos 0x0, ttl 128, id 22824, offset 0, flags [DF], proto: UDP (17), length: 74) 192.168.0.121.32771 > 192.168.0.1.domain: [udp sum ok] 56129+ PTR? 250.255.255.239.in-addr.arpa. (46)
13:49:23.081902 IP (tos 0x0, ttl 127, id 65465, offset 0, flags [none], proto: UDP (17), length: 352) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 324
13:49:23.082525 IP (tos 0x0, ttl 127, id 65466, offset 0, flags [none], proto: UDP (17), length: 344) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 316
13:49:23.083398 IP (tos 0x0, ttl 127, id 65467, offset 0, flags [none], proto: UDP (17), length: 274) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 246
13:49:23.083649 IP (tos 0x0, ttl 127, id 65468, offset 0, flags [none], proto: UDP (17), length: 316) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 288
13:49:23.084273 IP (tos 0x0, ttl 127, id 65469, offset 0, flags [none], proto: UDP (17), length: 348) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 320
13:49:23.085023 IP (tos 0x0, ttl 127, id 65470, offset 0, flags [none], proto: UDP (17), length: 294) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 266
13:49:23.085272 IP (tos 0x0, ttl 127, id 65471, offset 0, flags [none], proto: UDP (17), length: 346) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 318
13:49:23.085897 IP (tos 0x0, ttl 127, id 65472, offset 0, flags [none], proto: UDP (17), length: 340) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 312
13:49:23.086771 IP (tos 0x0, ttl 127, id 65473, offset 0, flags [none], proto: UDP (17), length: 272) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 244
13:49:23.087021 IP (tos 0x0, ttl 127, id 65474, offset 0, flags [none], proto: UDP (17), length: 315) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 287
13:49:23.087645 IP (tos 0x0, ttl 127, id 65475, offset 0, flags [none], proto: UDP (17), length: 345) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 317
13:49:28.081210 arp who-has 192.168.0.1 tell 192.168.0.121
13:49:28.081235 IP (tos 0x0, ttl 128, id 22825, offset 0, flags [DF], proto: UDP (17), length: 74) 192.168.0.121.32771 > 192.168.0.1.domain: [udp sum ok] 56129+ PTR? 250.255.255.239.in-addr.arpa. (46)
13:49:28.081401 arp reply 192.168.0.1 is-at 00:15:e9:1d:98:c6 (oui Unknown)
13:49:28.286781 IP (tos 0x0, ttl 51, id 38154, offset 0, flags [DF], proto: UDP (17), length: 74) 192.168.0.1.domain > 192.168.0.121.32771: [udp sum ok] 56129 ServFail q: PTR? 250.255.255.239.in-addr.arpa. 0/0/0 (46)
13:49:28.286905 IP (tos 0x0, ttl 128, id 24125, offset 0, flags [DF], proto: UDP (17), length: 70) 192.168.0.121.32771 > 192.168.0.1.domain: [udp sum ok] 28539+ PTR? 1.0.168.192.in-addr.arpa. (42)
13:49:28.336880 IP (tos 0x0, ttl 51, id 38259, offset 0, flags [DF], proto: UDP (17), length: 70) 192.168.0.1.domain > 192.168.0.121.32771: [udp sum ok] 28539 NXDomain q: PTR? 1.0.168.192.in-addr.arpa. 0/0/0 (42)
13:49:28.336943 IP (tos 0x0, ttl 128, id 24138, offset 0, flags [DF], proto: UDP (17), length: 72) 192.168.0.121.32771 > 192.168.0.1.domain: [udp sum ok] 10496+ PTR? 121.0.168.192.in-addr.arpa. (44)
13:49:28.351244 IP (tos 0x0, ttl 56, id 8988, offset 0, flags [DF], proto: UDP (17), length: 72) 192.168.0.1.domain > 192.168.0.121.32771: [udp sum ok] 10496 NXDomain q: PTR? 121.0.168.192.in-addr.arpa. 0/0/0 (44)
13:49:28.430324 IP (tos 0x0, ttl 57, id 9515, offset 0, flags [DF], proto: UDP (17), length: 74) sjos-cns03.sanjose.ca.sanfran.comcast.net.domain > 192.168.0.121.32771: [udp sum ok] 56129 ServFail q: PTR? 250.255.255.239.in-addr.arpa. 0/0/0 (46)
13:49:28.430396 IP (tos 0x0, ttl 128, id 24161, offset 0, flags [DF], proto: UDP (17), length: 71) 192.168.0.121.32771 > 192.168.0.1.domain: [udp sum ok] 21560+ PTR? 181.76.87.68.in-addr.arpa. (43)
13:49:28.478046 IP (tos 0x0, ttl 51, id 38536, offset 0, flags [DF], proto: UDP (17), length: 126) 192.168.0.1.domain > 192.168.0.121.32771: 21560 q: PTR? 181.76.87.68.in-addr.arpa. 1/0/0 181.76.87.68.in-addr.arpa. (98)
13:49:43.082144 IP (tos 0x0, ttl 127, id 65482, offset 0, flags [none], proto: UDP (17), length: 280) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 252
13:49:43.082393 IP (tos 0x0, ttl 127, id 65483, offset 0, flags [none], proto: UDP (17), length: 298) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 270
13:49:43.082643 IP (tos 0x0, ttl 127, id 65484, offset 0, flags [none], proto: UDP (17), length: 352) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 324
13:49:43.083267 IP (tos 0x0, ttl 127, id 65485, offset 0, flags [none], proto: UDP (17), length: 344) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 316
13:49:43.084142 IP (tos 0x0, ttl 127, id 65486, offset 0, flags [none], proto: UDP (17), length: 274) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 246
13:49:43.084392 IP (tos 0x0, ttl 127, id 65487, offset 0, flags [none], proto: UDP (17), length: 316) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 288
13:49:43.085017 IP (tos 0x0, ttl 127, id 65488, offset 0, flags [none], proto: UDP (17), length: 348) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 320
13:49:43.085766 IP (tos 0x0, ttl 127, id 65489, offset 0, flags [none], proto: UDP (17), length: 294) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 266
13:49:43.086016 IP (tos 0x0, ttl 127, id 65490, offset 0, flags [none], proto: UDP (17), length: 346) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 318
13:49:43.086641 IP (tos 0x0, ttl 127, id 65491, offset 0, flags [none], proto: UDP (17), length: 340) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 312
13:49:43.087516 IP (tos 0x0, ttl 127, id 65492, offset 0, flags [none], proto: UDP (17), length: 272) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 244
13:49:43.087765 IP (tos 0x0, ttl 127, id 65493, offset 0, flags [none], proto: UDP (17), length: 315) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 287
13:49:43.088390 IP (tos 0x0, ttl 127, id 65494, offset 0, flags [none], proto: UDP (17), length: 345) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 317
13:49:51.313160 arp who-has 192.168.0.75 (25:54:c0:a8:c0:a8 (oui Unknown)) tell 192.168.0.1
13:49:51.313297 IP (tos 0x0, ttl 128, id 29882, offset 0, flags [DF], proto: UDP (17), length: 71) 192.168.0.121.32771 > 192.168.0.1.domain: [udp sum ok] 15756+ PTR? 75.0.168.192.in-addr.arpa. (43)
13:49:51.327401 IP (tos 0x0, ttl 56, id 34955, offset 0, flags [DF], proto: UDP (17), length: 71) 192.168.0.1.domain > 192.168.0.121.32771: [udp sum ok] 15756 NXDomain q: PTR? 75.0.168.192.in-addr.arpa. 0/0/0 (43)
13:50:03.083141 IP (tos 0x0, ttl 127, id 65495, offset 0, flags [none], proto: UDP (17), length: 280) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 252
13:50:03.083387 IP (tos 0x0, ttl 127, id 65496, offset 0, flags [none], proto: UDP (17), length: 298) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 270
13:50:03.083637 IP (tos 0x0, ttl 127, id 65497, offset 0, flags [none], proto: UDP (17), length: 352) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 324
13:50:03.084261 IP (tos 0x0, ttl 127, id 65498, offset 0, flags [none], proto: UDP (17), length: 344) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 316
13:50:03.085011 IP (tos 0x0, ttl 127, id 65499, offset 0, flags [none], proto: UDP (17), length: 274) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 246
13:50:03.085261 IP (tos 0x0, ttl 127, id 65500, offset 0, flags [none], proto: UDP (17), length: 316) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 288
13:50:03.085885 IP (tos 0x0, ttl 127, id 65501, offset 0, flags [none], proto: UDP (17), length: 348) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 320
13:50:03.086761 IP (tos 0x0, ttl 127, id 65502, offset 0, flags [none], proto: UDP (17), length: 294) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 266
13:50:03.087010 IP (tos 0x0, ttl 127, id 65503, offset 0, flags [none], proto: UDP (17), length: 346) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 318
13:50:03.087635 IP (tos 0x0, ttl 127, id 65504, offset 0, flags [none], proto: UDP (17), length: 340) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 312
13:50:03.088384 IP (tos 0x0, ttl 127, id 65505, offset 0, flags [none], proto: UDP (17), length: 272) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 244
13:50:03.088634 IP (tos 0x0, ttl 127, id 65506, offset 0, flags [none], proto: UDP (17), length: 315) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 287
13:50:03.089258 IP (tos 0x0, ttl 127, id 65507, offset 0, flags [none], proto: UDP (17), length: 345) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 317
13:50:22.628896 IP (tos 0x0, ttl 128, id 37712, offset 0, flags [DF], proto: UDP (17), length: 68) 192.168.0.121.32771 > 192.168.0.1.domain: [udp sum ok] 19041+ TXT? current.cvd.clamav.net. (40)
13:50:22.732461 IP (tos 0x0, ttl 51, id 15105, offset 0, flags [DF], proto: UDP (17), length: 108) 192.168.0.1.domain > 192.168.0.121.32771: 19041 q: TXT? current.cvd.clamav.net. 1/0/0 current.cvd.clamav.net. TXT[|domain]
13:50:23.084010 IP (tos 0x0, ttl 127, id 65508, offset 0, flags [none], proto: UDP (17), length: 280) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 252
13:50:23.084255 IP (tos 0x0, ttl 127, id 65509, offset 0, flags [none], proto: UDP (17), length: 298) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 270
13:50:23.084506 IP (tos 0x0, ttl 127, id 65510, offset 0, flags [none], proto: UDP (17), length: 352) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 324
13:50:23.085130 IP (tos 0x0, ttl 127, id 65511, offset 0, flags [none], proto: UDP (17), length: 344) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 316
13:50:23.085879 IP (tos 0x0, ttl 127, id 65512, offset 0, flags [none], proto: UDP (17), length: 274) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 246
13:50:23.086129 IP (tos 0x0, ttl 127, id 65513, offset 0, flags [none], proto: UDP (17), length: 316) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 288
13:50:23.086754 IP (tos 0x0, ttl 127, id 65514, offset 0, flags [none], proto: UDP (17), length: 348) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 320
13:50:23.087628 IP (tos 0x0, ttl 127, id 65515, offset 0, flags [none], proto: UDP (17), length: 294) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 266
13:50:23.087878 IP (tos 0x0, ttl 127, id 65516, offset 0, flags [none], proto: UDP (17), length: 346) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 318
13:50:23.088502 IP (tos 0x0, ttl 127, id 65517, offset 0, flags [none], proto: UDP (17), length: 340) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 312
13:50:23.089252 IP (tos 0x0, ttl 127, id 65518, offset 0, flags [none], proto: UDP (17), length: 272) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 244
13:50:23.089503 IP (tos 0x0, ttl 127, id 65519, offset 0, flags [none], proto: UDP (17), length: 315) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 287
13:50:23.090127 IP (tos 0x0, ttl 127, id 65520, offset 0, flags [none], proto: UDP (17), length: 345) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 317
13:50:27.632331 arp who-has 192.168.0.1 tell 192.168.0.121
13:50:27.632520 arp reply 192.168.0.1 is-at 00:15:e9:1d:98:c6 (oui Unknown)
Just about a minute's worth.
I'm thinking maybe dhcpd? I also have bind9 and a samba server.
Samba is set up to only use eth1 (which isn't being logged here) and there isn't another PC connected to the server at this moment. I do have a router with two Linux boxes (including this one) and a Windows XP box connected. Am I getting 'noise' from the Windows box?
No PC is currently set up to talk to this machine for Samba or any other type of service... that I know of.
I tried to ping 239.255.255.250 with 0 results. I really don't know where else to look or how to go about it. I have tried looking at the syslog for dhcpd messages. I then attempted to edit syslog.conf to separate dhcpd into its own log. So far I haven't seen a log file get made for dhcpd - I don't know if it is because of an incorrect syslog.conf or just that nothing has happened. It has only been about 30 minutes since I did that, though.
Thank you in advance for any advice.
P.S. I did see Google hit this box once previously. It probably happened because my other Linux box has a webpage on it. Google likely just hit my IP address looking around and some got through to this one. It shouldn't have, however, because the router is set to only forward those ports to the other box. I do have a firewall running - but it was a self-done job.
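An added example for reading a capture like the one in the post above (this is not code from the poster or from tcpdump itself). Two things in that output are worth separating before looking for anything suspicious: the packets to 239.255.255.250 on port 1900 are SSDP, the UPnP discovery multicast that routers and media devices send on a fixed schedule, and the PTR queries from 192.168.0.121 to the router's resolver are tcpdump's own reverse lookups of the addresses it prints (the `-n` flag suppresses them). The script below classifies each tcpdump line, counts the categories, lists which hosts are sending SSDP, and measures the spacing between SSDP bursts so a periodic announcement stands out from one-off traffic. The sample input is a handful of lines copied from the capture above; the regular expressions assume tcpdump's default `-v` text format as shown there.

```python
"""Classify tcpdump text output and measure SSDP burst spacing.

Added example, not part of the original post. Groups each line into
ssdp, dns-ptr-query, dns-ptr-response, dns-other, arp or other, then
collapses SSDP packets into bursts and reports the seconds between them.
"""
import re
from collections import Counter
from datetime import datetime

# Sample input: representative lines copied from the capture in the post.
SAMPLE = """\
13:49:23.081402 IP (tos 0x0, ttl 127, id 65463, offset 0, flags [none], proto: UDP (17), length: 280) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 252
13:49:23.081651 IP (tos 0x0, ttl 127, id 65464, offset 0, flags [none], proto: UDP (17), length: 298) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 270
13:49:23.081838 IP (tos 0x0, ttl 128, id 22824, offset 0, flags [DF], proto: UDP (17), length: 74) 192.168.0.121.32771 > 192.168.0.1.domain: [udp sum ok] 56129+ PTR? 250.255.255.239.in-addr.arpa. (46)
13:49:28.081210 arp who-has 192.168.0.1 tell 192.168.0.121
13:49:28.081401 arp reply 192.168.0.1 is-at 00:15:e9:1d:98:c6 (oui Unknown)
13:49:28.286781 IP (tos 0x0, ttl 51, id 38154, offset 0, flags [DF], proto: UDP (17), length: 74) 192.168.0.1.domain > 192.168.0.121.32771: [udp sum ok] 56129 ServFail q: PTR? 250.255.255.239.in-addr.arpa. 0/0/0 (46)
13:49:43.082144 IP (tos 0x0, ttl 127, id 65482, offset 0, flags [none], proto: UDP (17), length: 280) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 252
13:50:03.083141 IP (tos 0x0, ttl 127, id 65495, offset 0, flags [none], proto: UDP (17), length: 280) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 252
13:50:22.628896 IP (tos 0x0, ttl 128, id 37712, offset 0, flags [DF], proto: UDP (17), length: 68) 192.168.0.121.32771 > 192.168.0.1.domain: [udp sum ok] 19041+ TXT? current.cvd.clamav.net. (40)
13:50:23.084010 IP (tos 0x0, ttl 127, id 65508, offset 0, flags [none], proto: UDP (17), length: 280) 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length 252
"""

SSDP_GROUP = "239.255.255.250"  # UPnP/SSDP multicast group
SSDP_PORT = "1900"

# tcpdump -v prints: "<ts> IP (<header summary>) <src>.<port> > <dst>.<port|service>: <rest>"
IP_RE = re.compile(r"^(\S+) IP \(.*?\) (\S+)\.(\w+) > (\S+)\.(\w+): (.*)$")
ARP_RE = re.compile(r"^(\S+) arp (who-has|reply) (\S+)")


def classify(line):
    """Return (timestamp, category, detail) for one tcpdump text line."""
    m = ARP_RE.match(line)
    if m:
        return m.group(1), "arp", m.group(2) + " " + m.group(3)
    m = IP_RE.match(line)
    if not m:
        return None, "other", line
    ts, src, sport, dst, dport, rest = m.groups()
    if dst == SSDP_GROUP and dport == SSDP_PORT:
        return ts, "ssdp", src
    if "PTR?" in rest:
        # Queries go to the resolver's "domain" port; responses come back from it.
        return ts, ("dns-ptr-query" if dport == "domain" else "dns-ptr-response"), src
    if sport == "domain" or dport == "domain":
        return ts, "dns-other", rest
    return ts, "other", rest


def summarize(text, burst_gap=1.0):
    """Count categories, list SSDP senders and measure SSDP burst spacing."""
    counts = Counter()
    ssdp_sources = Counter()
    ssdp_times = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, cat, detail = classify(line)
        counts[cat] += 1
        if cat == "ssdp":
            ssdp_sources[detail] += 1
            ssdp_times.append(datetime.strptime(ts, "%H:%M:%S.%f"))
    # Packets closer together than burst_gap seconds belong to one burst.
    bursts = []
    for t in ssdp_times:
        if not bursts or (t - bursts[-1]).total_seconds() > burst_gap:
            bursts.append(t)
    intervals = [round((b - a).total_seconds()) for a, b in zip(bursts, bursts[1:])]
    return {
        "counts": dict(counts),
        "ssdp_sources": dict(ssdp_sources),
        "ssdp_burst_intervals_s": intervals,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the sample the SSDP bursts are 20 seconds apart and all come from 192.168.0.1, which is the pattern of a router's scheduled UPnP announcements rather than of a host on the LAN probing the server. Feeding the full capture through the same script (or re-running tcpdump with `-n` so the PTR lookups disappear) leaves only the ARP exchanges and the ClamAV TXT lookup to account for.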