LinuxQuestions.org
Old 04-13-2005, 09:14 AM   #1
frgtn
LQ Newbie
 
Registered: Mar 2005
Location: Kaunas, Lithuania
Distribution: Slackware 10.1
Posts: 28

Rep: Reputation: 15
strange packets on my lan


Hello,
So I'm asking for your help again. This time the problem is in my LAN. I've noticed strange packets dropped by the firewall with the source address set to 0.0.0.0 and the destination to 255.255.255.255:
Code:
Apr 12 22:01:50 gw kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:80:48:1a:c1:cf:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
Apr 12 22:01:54 gw kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:80:48:1a:c1:cf:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=256 PROTO=UDP SPT=68 DPT=67 LEN=308
Apr 12 22:02:03 gw kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:80:48:1a:c1:cf:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=512 PROTO=UDP SPT=68 DPT=67 LEN=308
There are usually 3 packets in a row with a 3-10 second delay between them. Then there's a longer delay and 3 packets again. And so on and on...

Does anyone know what software could send these packets?

And one more thing - I've tried to log all packets from that MAC address, but I don't know if I altered it correctly, since iptables and other stuff takes a 6-byte address and the one in my logs is messy:
Code:
$IPT -A INPUT -i $INTIF -m mac --mac-source 00:80:48:1a:c1:cf -j LOG
 
Old 04-13-2005, 10:41 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
First off, they are broadcast packets and if you look at the ports, the source port is 68 (bootpc or bootp client) and the destination port is 67 (bootps or bootp server). Bootp is a network protocol designed to allow client machines to get an IP from a bootp server, similar to dhcp (in fact bootp is often part of a dhcp service). So what you're seeing is a client machine querying a bootp/dhcp server (since it doesn't know the IP of the server it has to use the broadcast, and since it doesn't have an IP yet it can't use its own as the source IP and uses 0.0.0.0 instead). I'm guessing it's not getting any replies and keeps on querying.

You can figure out what machine it's coming from by looking at the MAC address 00:80:48:1a:c1:cf which you correctly picked out (ff:ff:ff:ff:ff:ff is the broadcast address and the last two fields 08:00 are the ethertype which is tcp/ip). The ttl is 128 which would indicate two things: that the machine is part of the same network or in close proximity (it didn't make any hops on the way to your machine) and that it's likely a windows box (linux uses 64 as the default ttl). Try dumping the arp table of the firewall and see if that MAC address is there; if not you might be able to cheat and ping the broadcast address, then check the arp table. If it's still not in there, you may need to manually look at the MAC address of the machines on your network.

If the traffic is originating off the internet outside of your network and you are using some kind of shared subscriber access line (like cable broadband), then it's entirely possible that it's originating from one of your neighbors with a misconfigured machine.

Hope that helps.
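The reply above reads the fields of the poster's LOG lines by hand: the MAC= field split into destination MAC, source MAC and ethertype, the 68 -> 67 UDP ports, the 0.0.0.0 -> 255.255.255.255 addresses and the TTL hint. The script below is an added example (not code from either post) that does the same thing mechanically over the three log lines from the first post, re-joined where the forum wrapped them, and groups the matches by sender MAC and burst so that a gateway admin can see at a glance which host is shouting for a DHCP server and how often. The field names follow the netfilter LOG target output shown in the thread; the burst gap of 60 seconds and the TTL heuristic are assumptions, not facts from the posts.

```python
"""Parse netfilter (iptables LOG target) lines and flag DHCP/BOOTP client
broadcasts like those in this thread: SRC=0.0.0.0 -> DST=255.255.255.255,
UDP 68 -> 67, destination MAC ff:ff:ff:ff:ff:ff, then summarise per sender.
Added example for this thread; not code from the thread itself."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: the three LOG lines from the first post, re-joined
# where the forum wrapped them (ID=0, ID=256, ID=512).
SAMPLE_LOG = """\
Apr 12 22:01:50 gw kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:80:48:1a:c1:cf:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
Apr 12 22:01:54 gw kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:80:48:1a:c1:cf:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=256 PROTO=UDP SPT=68 DPT=67 LEN=308
Apr 12 22:02:03 gw kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:80:48:1a:c1:cf:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=512 PROTO=UDP SPT=68 DPT=67 LEN=308
"""

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
KV_RE = re.compile(r"(\w+)=(\S*)")  # value may be empty, e.g. "OUT="


def split_mac_field(mac_field):
    """The LOG target's MAC= field is the raw Ethernet header: 6 bytes of
    destination MAC, 6 bytes of source MAC, then the 2-byte ethertype, all as
    colon-separated hex. Return (dst_mac, src_mac, ethertype_hex)."""
    octets = mac_field.lower().split(":")
    if len(octets) != 14:
        raise ValueError("expected 14 hex octets in MAC= field, got %d" % len(octets))
    return ":".join(octets[:6]), ":".join(octets[6:12]), "".join(octets[12:])


def parse_log_line(line):
    """Turn one 'kernel: IN=... OUT=...' line into a dict, or None if it is not
    a netfilter LOG line. The IP header LEN= and the UDP LEN= share a key, so
    the second occurrence is stored as L4_LEN."""
    if " kernel: " not in line or "IN=" not in line:
        return None
    head, _, body = line.partition(" kernel: ")
    # syslog timestamp "Apr 12 22:01:50" is the first 15 characters (no year)
    entry = {"timestamp": datetime.strptime(head[:15], "%b %d %H:%M:%S")}
    for key, value in KV_RE.findall(body):
        if key == "LEN" and "LEN" in entry:
            key = "L4_LEN"
        entry.setdefault(key, value)
    if entry.get("MAC"):
        entry["DST_MAC"], entry["SRC_MAC"], entry["ETHERTYPE"] = split_mac_field(entry["MAC"])
    return entry


def is_dhcp_client_broadcast(entry):
    """Exactly the pattern discussed in the thread: an unaddressed host
    (0.0.0.0) broadcasting from the bootpc port to the bootps port over IPv4."""
    return (entry.get("DST_MAC") == BROADCAST_MAC
            and entry.get("ETHERTYPE") == "0800"
            and entry.get("SRC") == "0.0.0.0"
            and entry.get("DST") == "255.255.255.255"
            and entry.get("PROTO") == "UDP"
            and entry.get("SPT") == "68"
            and entry.get("DPT") == "67")


def ttl_hint(ttl):
    """Heuristic from the reply (an assumption, not an identification): a TTL
    equal to a common OS default means no router decremented it, so the sender
    is on-link, and the default itself hints at the OS family."""
    ttl = int(ttl)
    if ttl == 128:
        return "on-link, Windows-like default TTL"
    if ttl == 64:
        return "on-link, Linux/Unix-like default TTL"
    return "TTL %d: not a common default, possibly routed" % ttl


def summarize(log_text, burst_gap_seconds=60):
    """Group DHCP client broadcasts by source MAC. A new burst starts after more
    than burst_gap_seconds of silence from that MAC (60 s is an assumed value)."""
    per_mac = defaultdict(lambda: {"packets": 0, "bursts": 0, "last": None, "ttl_hint": None})
    for line in log_text.splitlines():
        entry = parse_log_line(line)
        if entry is None or not is_dhcp_client_broadcast(entry):
            continue
        rec = per_mac[entry["SRC_MAC"]]
        if rec["last"] is None or (entry["timestamp"] - rec["last"]).total_seconds() > burst_gap_seconds:
            rec["bursts"] += 1
        rec["packets"] += 1
        rec["last"] = entry["timestamp"]
        rec["ttl_hint"] = ttl_hint(entry.get("TTL", "0"))
    return dict(per_mac)


if __name__ == "__main__":
    for mac, rec in summarize(SAMPLE_LOG).items():
        print("%s: %d DHCP client broadcasts in %d burst(s); %s"
              % (mac, rec["packets"], rec["bursts"], rec["ttl_hint"]))
```

Feed it the firewall's syslog (`grep 'kernel: IN=' /var/log/messages`) and the per-MAC summary gives the address to look up in the gateway's ARP table, as the reply suggests; the source MAC it extracts is the same 6-byte value the poster's `--mac-source` rule needs.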
 
Old 04-14-2005, 02:31 PM   #3
frgtn
LQ Newbie
 
Registered: Mar 2005
Location: Kaunas, Lithuania
Distribution: Slackware 10.1
Posts: 28

Original Poster
Rep: Reputation: 15
Thanks for the help. The actual problem was that a person from my LAN had bought a new PC and didn't configure the network part. So every time he turned on the machine it would send those packets, as Windows uses DHCP by default. It only occurred to me when another person called me from my LAN saying he's at the PC owner's place and can't see the gateway :]. Hopefully I'll learn from my mistakes and won't do the same stuff the next time :]