From: "Christoph P.U. Kukulies"
Date: Fri, 10 Aug 2012 16:47:31 +0200
To: freebsd-hackers@freebsd.org
Subject: strange things happening with ping - am I hacked?
Message-ID: <50251F03.4050400@kukulies.org>

I have some machines in a company's network that are interconnected with a piece of coaxial cable (ethernet 10base2). This trunk goes through a switch that also acts as a media converter and connects to the Internet router.

For a while now I've been having trouble with this 10base2 trunk, and I dropped in another FreeBSD machine to move the services I'm running to the newer (9.0) machine. At the moment the two FreeBSD boxes (one 9.0, the other 5.1) are on the net. Both have a DIVERT kernel and act as gateways between the in-house network and the Internet (natd).

Now strange things happen: When I ping from the 9.0 machine to another machine (a Windows XP) in the network, I don't get an immediate response from the ping, but after some, say 20s or so, I get:

(I prefer not to use the real addresses in the source or destination)

forum2# ping 80.90.34.226

forum2# tcpdump -i ed0 -l ip proto ICMP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ed0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:15:06.748522 IP 80.90.34.228 > 129.82.138.44: ICMP echo reply, id 50777, seq 49408, length 8

or:

16:15:06.748522 IP 80.90.34.228 > 129.82.138.44: ICMP echo reply, id 50777, seq 49408, length 8
16:17:01.920480 IP 80.90.34.228 > 203.178.148.19: ICMP echo reply, id 9061, seq 48393, length 8
^C
2 packets captured
473 packets received by filter
0 packets dropped by kernel

Doing the same ping from the 5.1 box (pretty sure it hasn't got to do with the OS versions) gives an echo reply immediately from the target address I pinged.

So why does an echo reply come from machines on the net which seem to exist and even have names like pinger-j2.ant.isi.edu or pinger6.netsec.colostate.edu? Is some packet redirection taking place?

--
Christoph Kukulies
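
Added example (not part of the original message): one way to check tcpdump text output like the capture above for ICMP echo replies that have no matching echo request in the same capture. The function name, the request/reply pair and its 192.0.2.x addresses are constructed for illustration; the last two sample lines are the ones quoted in the message.

```python
import re

# Matches the one-line ICMP echo format tcpdump prints without -v, as in the capture above.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+), length \d+$"
)

def unmatched_replies(lines):
    """Return echo replies for which no earlier echo request was captured.

    A reply matches a request when source and destination are swapped and
    id and seq are equal. Each request is consumed by at most one reply.
    """
    pending = {}   # (requester, target, id, seq) -> outstanding request count
    orphans = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue   # banner, counters, or a non-echo ICMP type
        ident, seq = int(m["id"]), int(m["seq"])
        if m["kind"] == "request":
            key = (m["src"], m["dst"], ident, seq)
            pending[key] = pending.get(key, 0) + 1
        else:
            key = (m["dst"], m["src"], ident, seq)   # reply travels the reverse path
            if pending.get(key, 0) > 0:
                pending[key] -= 1
            else:
                orphans.append((m["ts"], m["src"], m["dst"], ident, seq))
    return orphans

# Constructed sample: the first two lines are a made-up request/reply pair on
# documentation addresses; the last two are the reply lines quoted in the message.
SAMPLE = """\
16:14:59.100000 IP 192.0.2.10 > 192.0.2.20: ICMP echo request, id 4242, seq 0, length 64
16:14:59.100400 IP 192.0.2.20 > 192.0.2.10: ICMP echo reply, id 4242, seq 0, length 64
16:15:06.748522 IP 80.90.34.228 > 129.82.138.44: ICMP echo reply, id 50777, seq 49408, length 8
16:17:01.920480 IP 80.90.34.228 > 203.178.148.19: ICMP echo reply, id 9061, seq 48393, length 8
""".splitlines()

if __name__ == "__main__":
    for ts, src, dst, ident, seq in unmatched_replies(SAMPLE):
        print(f"{ts} reply {src} -> {dst} id={ident} seq={seq}: no request seen in capture")
```

A reply flagged here only means its request was not in this capture; the request may have arrived before the capture started or on another interface.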