Date: Mon, 23 Oct 2000 15:25:02 -0700
From: "Crist J . Clark" <cjclark@reflexnet.net>
To: Kirk Brogdon <kirk@alaptech.com>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: natd / tcpdump diag question
Message-ID: <20001023152502.M75251@149.211.6.64.reflexcom.com>
In-Reply-To: <20001023131959.A212@bsd1.alaptech.com>; from kirk@alaptech.com on Mon, Oct 23, 2000 at 01:19:59PM -0800
References: <20001023131959.A212@bsd1.alaptech.com>

On Mon, Oct 23, 2000 at 01:19:59PM -0800, Kirk Brogdon wrote:
> This is a repost from a week or so ago with some updated info. . . .
>
> 4.1.1 Stable
> cable modem on fxp0
> lan on rl0 (3 Win98 boxes)
>
> I started getting flooded with the "natd[]: failed to write packet
> back, (host is down) messages. I found some archives where Crist Clark
> said to run tcpdump on the interface and look for arps that weren't
> getting an answer. I tried that first on the outside net I/F (fxp0
> in my case) since that is how I have the natd interface configured
> in rc.conf (natd_interface="fxp0"). This gave me what appeared to
> be every arp request for the cable network. I then tried the
> tcpdump on my lan I/F (rl0) and got the following:
>
> 11:31:47.774308 arp who-has 132.17.0.60 (3:0:0:0:a1:26) tell 132.17.0.6
> 11:32:05.846045 arp who-has bsd1.alaptech.com tell alap2.alaptech.com
> 11:32:05.846078 arp reply bsd1.alaptech.com is-at 0:e0:29:70:43:5d
> 11:32:17.774797 arp who-has 132.17.0.60 (3:0:0:0:a1:26) tell 132.17.0.6
> 11:32:47.774879 arp who-has 132.17.0.60 (3:0:0:0:a1:26) tell 132.17.0.6
> 11:33:17.775523 arp who-has 132.17.0.60 (3:0:0:0:a1:26) tell 132.17.0.6
>
> I have no idea who 132.17.0.60 is nor why I would see the requests
> on my lan I/F. I did a traceroute on that IP and got as far as
> 132.17.120.11 (about 18 hops). If I try and ping 132.17.0.60, it
> is refused (I assume it is behind a firewall).
>
> I did disconnect the lan from the FBSD box and the messages stopped.
> I was able to track it down to one Win98 machine (by trial and error)
> but I still don't get it. The mac is not the same as what is in
> that box (according to Win98 anyway) nor is the IP. The Win98 box
> seems to be working fine. Why would it be generating these arp
> requests over and over? Is the card bad? Is someone doing bad
> things to me?

This is really neat. From what I can find, 03:00:00 is not assigned to
any vendor for use in MAC addresses. It looks like that machine is
crafting the whole frame. As for that address,

$ whois -a 132.17.0.6
Lindsey Air Station (NET-LINDSEY)
GERMANY

Netname: LINDSEY
Netnumber: 132.17.0.0

Coordinator:
Boyles, Steve (SB152-ARIN) wingtcf@RAMSTEIN2-EMH.AF.MIL
(DSN) 314-339-3230

Record last updated on 12-Jul-1996.
Database last updated on 23-Oct-2000 06:19:18 EDT.

The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and whois.nic.mil for NIPRNET Information.

Looks like a US Air Force base in Germany. I'd keep an eye out for
black helicopters.

You might consider firing up an IDS on your LAN there and seeing what
is going on.

--
Crist J. Clark cjclark@alum.mit.edu
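The diagnostic Crist describes (run tcpdump on the interface and look for ARP requests that never get an answer) is easy to automate. The following script is an added example, not code from either poster or from FreeBSD: it parses the classic tcpdump ARP output format shown in the post (newer tcpdump versions print "ARP, Request who-has ... tell ..., length N" and would need an adjusted regex), groups who-has requests by target, drops any target that was seen answering with an is-at reply, and reports targets that were asked for repeatedly without an answer. It also decodes the two low bits of a MAC's first octet, since 03:... has both the group (I/G) bit and the locally-administered bit set, which is what makes that target address so odd for a host. The sample input is the tcpdump capture quoted above, embedded as a constant; the threshold of three repeats is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample input: the six tcpdump lines quoted in the post.
SAMPLE = """\
11:31:47.774308 arp who-has 132.17.0.60 (3:0:0:0:a1:26) tell 132.17.0.6
11:32:05.846045 arp who-has bsd1.alaptech.com tell alap2.alaptech.com
11:32:05.846078 arp reply bsd1.alaptech.com is-at 0:e0:29:70:43:5d
11:32:17.774797 arp who-has 132.17.0.60 (3:0:0:0:a1:26) tell 132.17.0.6
11:32:47.774879 arp who-has 132.17.0.60 (3:0:0:0:a1:26) tell 132.17.0.6
11:33:17.775523 arp who-has 132.17.0.60 (3:0:0:0:a1:26) tell 132.17.0.6
"""

# Classic tcpdump ARP formats. The parenthesised MAC in a request is the
# target hardware address; tcpdump only prints it when the request carries
# a non-zero one, which a normal request does not.
REQ = re.compile(r"^(\S+) arp who-has (\S+)(?: \(([0-9a-fA-F:]+)\))? tell (\S+)$")
REP = re.compile(r"^(\S+) arp reply (\S+) is-at ([0-9a-fA-F:]+)$")


def parse_arp(text):
    """Return (requests, answered): request tuples and the set of IPs/hosts
    that were seen sending an ARP reply."""
    requests = []          # (timestamp, target, target_mac_or_None, asker)
    answered = set()
    for line in text.splitlines():
        line = line.strip()
        m = REQ.match(line)
        if m:
            requests.append(m.groups())
            continue
        m = REP.match(line)
        if m:
            answered.add(m.group(2))
    return requests, answered


def mac_flags(mac):
    """Decode the I/G (group) and U/L (locally administered) bits, which are
    the two least-significant bits of the first octet of a MAC address."""
    first = int(mac.split(":")[0], 16)
    return {"group": bool(first & 0x01), "local": bool(first & 0x02)}


def unanswered(text, min_repeats=3):
    """Targets that were asked for at least min_repeats times and never
    replied within the capture, keyed by target address."""
    requests, answered = parse_arp(text)
    per_target = defaultdict(lambda: {"count": 0, "askers": set(), "tha": set()})
    for _ts, target, tha, asker in requests:
        entry = per_target[target]
        entry["count"] += 1
        entry["askers"].add(asker)
        if tha:
            entry["tha"].add(tha)
    findings = {}
    for target, entry in per_target.items():
        if target in answered or entry["count"] < min_repeats:
            continue
        # Flag any non-zero target hardware address carried in the request.
        entry["tha_flags"] = {mac: mac_flags(mac) for mac in entry["tha"]}
        findings[target] = entry
    return findings


if __name__ == "__main__":
    for target, entry in unanswered(SAMPLE).items():
        print(f"{target}: {entry['count']} unanswered requests from "
              f"{sorted(entry['askers'])}, target hw addr {entry['tha_flags']}")
```

On the quoted capture this reports only 132.17.0.60 (asked four times by 132.17.0.6, never answered) and shows that the embedded target MAC 3:0:0:0:a1:26 is both a group and a locally-administered address; bsd1.alaptech.com is dropped because its is-at reply was seen. To use it on a live LAN, feed it the output of tcpdump run on the LAN interface restricted to ARP (e.g. pipe tcpdump -l -i rl0 arp into it), and follow up on flagged targets by walking the switch ports or, as Crist suggests, with an IDS sensor on that segment.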
