Hi y'all! I'm confuzzled.
I have repeated entries in my syslog in log file viewer.
Jan 26 08:31:42 MYSERV kernel: [25624.013276] [UFW BLOCK] IN=eth0 OUT= MAC=BIG_MAC SRC=192.168.1.1 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=0 PROTO=2
Jan 26 08:31:42 MYSERV kernel: [25624.013768] [UFW BLOCK] IN=eth0 OUT= MAC=BIG_MAC SRC=192.168.1.1 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=0 PROTO=2
Jan 26 08:33:48 MYSERV kernel: [25750.017039] [UFW BLOCK] IN=eth0 OUT= MAC=BIG_MAC SRC=192.168.1.1 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=0 PROTO=2
Jan 26 08:33:48 MYSERV kernel: [25750.017562] [UFW BLOCK] IN=eth0 OUT= MAC=BIG_MAC SRC=192.168.1.1 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=0 PROTO=2
Where MYSERV is the name of my server, and BIG_MAC is what appears to be a MAC address but longer than I am used to. It is always the same number: 01:00:5e:00:00:01:a0:21:b7:43:91:37:08:00
As far as I can see, 192.168.1.1 is connecting to a broadcast address, to see if anyone's there. Thing is, 192.168.1.1 IS NOT an address that I'm aware I'm using; my subnet is 192.168.0.*.
If I open 192.168.1.1 in a web browser, it opens a trivial web page I have set up as an adblock-replacement page. The thing is, this web page normally serves on 127.0.0.1.
On the server, if I ping 192.168.1.1 it responds in about the same amount of time as 192.168.0.1
I suspect that 192.168.1.1 is my own server bound somehow to another IP address. I doubt that this is something from outside getting in to my network. Can anyone help me find out what it is, where it is, and how to stop it?
Cheers Steve
On 26 January 2016 at 09:11, steve-ALUG@hst.me.uk wrote:
For some reason it looks like your syslog server is not "chopping up the data" at the correct boundaries:
01:00:5e:00:00:01 is the destination MAC address this Ethernet frame is being sent to, which is a multicast MAC address; that ties up with the fact that the destination IP address is 224.0.0.1, which is a multicast IP address. a0:21:b7:43:91:37 is the source MAC address of this Ethernet frame, which according to http://www.macvendorlookup.com/ is a Netgear MAC address. Do you have any Netgear equipment at home? 08:00 on the end is probably the EtherType value, which comes directly after the source and destination MAC addresses in an Ethernet frame header; 0x0800 means an IP packet is contained within this Ethernet frame.
So it seems perhaps you have a Netgear router and it's sending out multicast IP packets to your LAN looking for something/someone (it could be that IGMP is turned on by default, and in that case it's nothing to worry about). You'd need to run tcpdump or Wireshark to capture the full packet to see what it's looking for.
Hope that helps, James.
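As an added example (not code from anyone in this thread), here is a small Python parser that decodes the [UFW BLOCK] lines above the way James did by hand: it splits the 14-byte MAC= field into destination MAC, source MAC and EtherType, flags multicast frames and multicast destination IPs, and names the IP protocol number (PROTO=2 is IGMP, which fits the router-is-sending-IGMP guess). The log lines embedded in it are constructed to match the format quoted in the thread.

```python
import re
from ipaddress import ip_address

# Constructed sample lines in the thread's format. The kernel writes the whole
# 14-byte Ethernet header into MAC=: dst MAC (6 bytes), src MAC (6), EtherType (2).
SAMPLE_LOG = """\
Jan 26 08:31:42 MYSERV kernel: [25624.013276] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:a0:21:b7:43:91:37:08:00 SRC=192.168.1.1 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=0 PROTO=2
Jan 26 08:31:42 MYSERV kernel: [25624.013768] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:a0:21:b7:43:91:37:08:00 SRC=192.168.1.1 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=0 PROTO=2
"""

IP_PROTOCOLS = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}

def parse_mac_field(mac_field):
    """Split the logged MAC= value into (dst_mac, src_mac, ethertype)."""
    octets = mac_field.split(":")
    if len(octets) != 14:
        raise ValueError("expected 14 colon-separated bytes, got %d" % len(octets))
    dst = ":".join(octets[0:6])
    src = ":".join(octets[6:12])
    ethertype = int(octets[12] + octets[13], 16)   # "08" + "00" -> 0x0800
    return dst, src, ethertype

def is_multicast_mac(mac):
    # The I/G bit (lowest bit of the first octet) marks a group address.
    return int(mac.split(":")[0], 16) & 0x01 == 1

def parse_ufw_block(line):
    """Decode one [UFW BLOCK] line into a dict; returns None for other lines."""
    if "[UFW BLOCK]" not in line:
        return None
    fields = dict(re.findall(r"(\w+)=(\S*)", line.split("[UFW BLOCK]", 1)[1]))
    dst_mac, src_mac, ethertype = parse_mac_field(fields["MAC"])
    proto = int(fields["PROTO"])
    return {
        "in": fields["IN"],
        "dst_mac": dst_mac, "src_mac": src_mac,
        "multicast_frame": is_multicast_mac(dst_mac),
        "ethertype": ETHERTYPES.get(ethertype, hex(ethertype)),
        "src": fields["SRC"], "dst": fields["DST"],
        "multicast_ip": ip_address(fields["DST"]).is_multicast,  # 224.0.0.1 = all hosts
        "ttl": int(fields["TTL"]),                                # TTL=1: link-local only
        "proto": IP_PROTOCOLS.get(proto, str(proto)),
    }

def parse_log(text):
    """Decode every [UFW BLOCK] line in a block of syslog text."""
    return [r for r in (parse_ufw_block(l) for l in text.splitlines()) if r]
```

Pipe `grep "UFW BLOCK" /var/log/syslog` through `parse_log` and the src_mac column tells you which device on the LAN is sending, independent of whatever IP it claims.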
On 26/01/16 09:32, James Bensley wrote:
Hope that helps, James.
It does. Thanks. There is (I think) a router manufactured by Netgear. I'll do a capture at some later time. I'm still confused over why it's using 192.168.1.1 though as it's configured to (and is) using 192.168.0.1.
Thanks for your help. Steve