On 26 January 2016 at 09:11, steve-ALUG@hst.me.uk wrote:
Hi y'all! I'm confuzzled.
I have repeated entries in my syslog in log file viewer.
Jan 26 08:31:42 MYSERV kernel: [25624.013276] [UFW BLOCK] IN=eth0 OUT= MAC=BIG_MAC SRC=192.168.1.1 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=0 PROTO=2
Jan 26 08:31:42 MYSERV kernel: [25624.013768] [UFW BLOCK] IN=eth0 OUT= MAC=BIG_MAC SRC=192.168.1.1 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=0 PROTO=2
Jan 26 08:33:48 MYSERV kernel: [25750.017039] [UFW BLOCK] IN=eth0 OUT= MAC=BIG_MAC SRC=192.168.1.1 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=0 PROTO=2
Jan 26 08:33:48 MYSERV kernel: [25750.017562] [UFW BLOCK] IN=eth0 OUT= MAC=BIG_MAC SRC=192.168.1.1 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=0 PROTO=2
Where MYSERV is the name of my server, and BIG_MAC is what appears to be a MAC address but longer than I am used to. It is always the same number: =01:00:5e:00:00:01:a0:21:b7:43:91:37:08:00
For some reason it looks like your syslog server is not "chopping up the data" at the correct boundaries;
01:00:5e:00:00:01 is the destination MAC address this Ethernet frame is being sent to which is a multicast MAC address, which ties up with the fact that the destination IP address is 224.0.0.1 which is a multicast IP address. a0:21:b7:43:91:37 is the source MAC address of this Ethernet frame which according to http://www.macvendorlookup.com/ is a Netgear MAC address, do you have any Netgear equipment at home? 08:00 on the end is probably the Ethertype value which comes directly after the source and destination MAC address in an Ethernet frame header, 0x0800 means an IP packet is contained within this Ethernet frame.
So it seems perhaps you have a Netgear router and it's sending out multicast IP packets to your LAN looking for something/someone (it could be that IGMP is turned on by default, and in such a case it's nothing to worry about). You'd need to run tcpdump or Wireshark to capture the full packet to see what it's looking for.
Hope that helps, James.
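The decoding James walks through (14-octet MAC= field = destination MAC, source MAC, EtherType; 01:00:5e prefix = IPv4 multicast; PROTO=2 = IGMP) as an added Python example, not code from the thread; the sample log line is constructed from the values in the post, and the field names are those printed by the UFW/netfilter logger.

```python
import re
from typing import Optional

# Constructed sample in the UFW BLOCK format quoted in the thread. The MAC= field
# is the raw 14-byte Ethernet header: dst MAC, src MAC, then the 2-byte EtherType.
SAMPLE_LINE = (
    "Jan 26 08:31:42 MYSERV kernel: [25624.013276] [UFW BLOCK] IN=eth0 OUT= "
    "MAC=01:00:5e:00:00:01:a0:21:b7:43:91:37:08:00 SRC=192.168.1.1 DST=224.0.0.1 "
    "LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=0 PROTO=2"
)

_KV = re.compile(r"(\w+)=(\S*)")
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
IP_PROTOS = {"1": "ICMP", "2": "IGMP", "6": "TCP", "17": "UDP"}

def split_mac_field(mac_field: str) -> dict:
    """Split the 14-octet MAC= field into dst MAC, src MAC and EtherType."""
    octets = mac_field.split(":")
    if len(octets) != 14:
        raise ValueError(f"expected 14 octets in MAC field, got {len(octets)}")
    return {
        "dst_mac": ":".join(octets[0:6]),
        "src_mac": ":".join(octets[6:12]),
        "ethertype": int(octets[12] + octets[13], 16),
    }

def is_multicast_mac(mac: str) -> bool:
    """The I/G bit (lowest bit of the first octet) marks a group address."""
    return int(mac.split(":")[0], 16) & 0x01 == 1

def ipv4_multicast_mac(ip: str) -> Optional[str]:
    """RFC 1112 mapping: 01:00:5e followed by the low 23 bits of a 224/4 address."""
    a, b, c, d = (int(x) for x in ip.split("."))
    if not 224 <= a <= 239:
        return None
    return f"01:00:5e:{b & 0x7F:02x}:{c:02x}:{d:02x}"

def analyse_ufw_line(line: str) -> Optional[dict]:
    """Decode one '[UFW ...]' kernel line; None for unrelated lines or no MAC field."""
    if "[UFW " not in line:
        return None
    fields = dict(_KV.findall(line))
    if not fields.get("MAC"):
        return None
    info = split_mac_field(fields["MAC"])
    info["ethertype_name"] = ETHERTYPES.get(info["ethertype"], "unknown")
    info["proto_name"] = IP_PROTOS.get(fields.get("PROTO", ""), "unknown")
    info["dst_multicast"] = is_multicast_mac(info["dst_mac"])
    # Consistency check: an IPv4 multicast frame must carry the MAC derived from DST.
    info["mac_matches_dst_ip"] = (info["ethertype"] == 0x0800
                                  and info["dst_mac"] == ipv4_multicast_mac(fields["DST"]))
    return info
```

A mismatch between the destination MAC and the DST group address, or a non-multicast source MAC you do not recognise, is what would make a line like this worth a tcpdump capture rather than a shrug.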