[ALUG] Firewall log entry

steve-ALUG at hst.me.uk
Tue Jan 26 10:31:34 GMT 2016

On 26/01/16 09:32, James Bensley wrote:
> On 26 January 2016 at 09:11,  <steve-ALUG at hst.me.uk> wrote:
>> Hi y'all!
>> I'm confuzzled.
>> I have repeated entries in my syslog in log file viewer.
>> Jan 26 08:31:42 MYSERV kernel: [25624.013276] [UFW BLOCK] IN=eth0 OUT=
>> MAC=BIG_MAC SRC= DST= LEN=28 TOS=0x00 PREC=0x00 TTL=1
>> ID=0 PROTO=2
>> Where MYSERV is the name of my server, and
>> BIG_MAC is what appears to be a MAC address but longer than I am used to.
>> Always the same number, =01:00:5e:00:00:01:a0:21:b7:43:91:37:08:00
> For some reason it looks like your syslog server is not "chopping up
> the data" at the correct boundaries;
> 01:00:5e:00:00:01 is the destination MAC address this Ethernet frame
> is being sent to which is a multicast MAC address, which ties up with
> the fact that the destination IP address is which is a
> multicast IP address. a0:21:b7:43:91:37 is the source MAC address of
> this Ethernet frame which according to http://www.macvendorlookup.com/
> is a Netgear MAC address, do you have any Netgear equipment at home?
> 08:00 on the end is probably the Ethertype value which comes directly
> after the source and destination MAC address in an Ethernet frame
> header, 0x0800 means an IP packet is contained within this Ethernet
> frame.
> So it seems perhaps you have a Netgear router and it's sending out
> multicast IP packets to your LAN looking for something/someone (it
> could be IGMP is turned on by default and in such case, it's nothing
> to worry about). You'd need to run tcpdump or Wireshark to capture
> the full packet to see what it's looking for.
> Hope that helps,
> James.

It does.  Thanks.  There is (I think) a router manufactured by Netgear.
I'll do a capture at some later time.  I'm still confused over why
it's using though as it's configured to (and is) using

Thanks for your help.
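
An added example, not code from anyone in this thread, showing how to split the 14-octet MAC= field of a UFW/netfilter log entry into destination MAC, source MAC and Ethertype as James describes, and how to check that a multicast destination MAC actually corresponds to the DST address (RFC 1112 mapping). The SRC and DST values in the sample line are assumed, since the original post does not show them.

```python
import ipaddress
import re

# Constructed sample modelled on the line in the thread. SRC/DST are assumed:
# 224.0.0.1 (all-hosts group) is the IPv4 address that maps to 01:00:5e:00:00:01.
SAMPLE = ("Jan 26 08:31:42 MYSERV kernel: [25624.013276] [UFW BLOCK] IN=eth0 OUT= "
          "MAC=01:00:5e:00:00:01:a0:21:b7:43:91:37:08:00 SRC=192.168.0.1 DST=224.0.0.1 "
          "LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=0 PROTO=2")

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
IP_PROTOS = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}


def parse_ufw_line(line):
    """Turn a netfilter/UFW log line into a dict of KEY=value fields."""
    fields = dict(re.findall(r"(\w+)=(\S*)", line))
    # MAC= is the raw 14-byte Ethernet header: dst MAC (6), src MAC (6), Ethertype (2).
    octets = fields.get("MAC", "").split(":")
    if len(octets) == 14:
        fields["DST_MAC"] = ":".join(octets[0:6])
        fields["SRC_MAC"] = ":".join(octets[6:12])
        fields["ETHERTYPE"] = int("".join(octets[12:14]), 16)
    return fields


def is_multicast_mac(mac):
    """The I/G bit (least significant bit of the first octet) marks group addresses."""
    return int(mac.split(":")[0], 16) & 1 == 1


def ipv4_multicast_mac(ip):
    """RFC 1112: 01:00:5e followed by the low 23 bits of the group address."""
    low23 = int(ipaddress.IPv4Address(ip)) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def explain(line):
    """Summarise the fields worth looking at when triaging such an entry."""
    f = parse_ufw_line(line)
    dst = f.get("DST")
    dst_is_mcast = bool(dst) and ipaddress.IPv4Address(dst).is_multicast
    return {
        "ethertype": ETHERTYPES.get(f.get("ETHERTYPE"), "unknown"),
        "proto": IP_PROTOS.get(int(f["PROTO"]), "other") if "PROTO" in f else "unknown",
        "dst_mac_is_multicast": is_multicast_mac(f["DST_MAC"]) if "DST_MAC" in f else None,
        # A forged or mis-parsed frame would fail this consistency check.
        "dst_mac_matches_dst_ip": f.get("DST_MAC") == ipv4_multicast_mac(dst) if dst_is_mcast else None,
        "link_local_ttl": f.get("TTL") == "1",
    }


if __name__ == "__main__":
    print(explain(SAMPLE))
```

For the sample line this reports an IPv4 frame carrying IGMP, a multicast destination MAC that matches the DST group, and TTL=1, i.e. a link-local query rather than anything leaving the LAN.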