Date: Fri, 10 Aug 2012 16:28:12 +0100
From: Bob Bishop <rb@gid.co.uk>
To: "Christoph P.U. Kukulies" <kuku@kukulies.org>
Cc: freebsd-hackers@freebsd.org
Subject: Re: strange things happening with ping - am I hacked?
Message-ID: <1668355C-7597-4878-9D0B-164B051E1CA7@gid.co.uk>
In-Reply-To: <50251F03.4050400@kukulies.org>
References: <50251F03.4050400@kukulies.org>
Hi,

On 10 Aug 2012, at 15:47, Christoph P.U. Kukulies wrote:

> I have some machines in a company's network that are interconnected
> with a piece of coaxial cable (ethernet 10base2). This trunk goes through a
> switch that acts also as a media converter and connects to the Internet router.
>
> For a while now I'm having trouble with this 10base2 trunk

It might just be packets getting corrupted, just a few replies get back with address field corruption.

> and I dropped in another FreeBSD
> machine to move the services I'm running to the newer (9.0) machine.
> At the moment the two FreeBSD boxes (one 9.0, the other 5.1) are on the net.
> Both have a DIVERT kernel and act as gateways between the in house network and the Internet (natd).
>
> Now strange things happen:
> When I ping from the 9.0 machine to another machine (a Windows XP) in the network,
> I don't get an immediate response from the ping but after some, say 20s or so I get:
>
> (I prefer to not use the real addresses in the source or destination)
> forum2# ping 80.90.34.226
> forum2# tcpdump -i ed0 -l ip proto ICMP
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on ed0, link-type EN10MB (Ethernet), capture size 65535 bytes
> 16:15:06.748522 IP 80.90.34.228 > 129.82.138.44: ICMP echo reply, id 50777, seq 49408, length 8
>
> or:
>
> 16:15:06.748522 IP 80.90.34.228 > 129.82.138.44: ICMP echo reply, id 50777, seq 49408, length 8
> 16:17:01.920480 IP 80.90.34.228 > 203.178.148.19: ICMP echo reply, id 9061, seq 48393, length 8
> ^C
> 2 packets captured
> 473 packets received by filter
> 0 packets dropped by kernel
>
> Doing the same ping from the 5.1 box (pretty sure it hasn't got to do with the OS versions),
> gives an echo reply immediately from the target address I pinged.
>
> So why does there come an echo reply from machines on the net which seem to exist and
> even have names like pinger-j2.ant.isi.edu or pinger6.netsec.colostate.edu?
>
> Does some packet redirection take place?
> --
> Christoph Kukulies
> _______________________________________________
> freebsd-hackers@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"
>

--
Bob Bishop          +44 (0)118 940 1243
rb@gid.co.uk    fax +44 (0)118 940 1295
             mobile +44 (0)783 626 4518