Snort mailing list archives

Re: DNS 53 <-> 53 ?

From: Ramin Alidousti <ramin () cannon eng us uu net>
Date: Tue, 17 Jul 2001 11:51:38 -0400

On Tue, Jul 17, 2001 at 09:23:06AM +0200, Jens Hassler wrote:

What means the hardware address 0:0:0:0:0:1? Is this some kind of broadcast
or multicast? I'm rather sure it's not broadcast, but I don't know about
multicast.


If tcpdump is reading the MAC correctly, it's neither broadcast
nor multicast. It's just the MAC of 212.185.42.146 learnt by ARP ??

Do you see this MAC on your interface? If not, does your firewall
react on this MAC as destined for it.

Looking at the TTL, it doesn't look like it's coming from your
next-hop gw. So, the source of the MAC weirdness is different than
the DNS weirdness and not related.

Ramin



Thanks for any help in this issue.
Jens



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

DNS 53 <-> 53 ? Jens Hassler (Jul 17)
- Re: DNS 53 <-> 53 ? Ramin Alidousti (Jul 17)
  - RE: DNS 53 <-> 53 ? John Berkers (Jul 17)
    - Re: DNS 53 <-> 53 ? Ramin Alidousti (Jul 17)
    - RES: DNS 53 <-> 53 ? Marcus Rocha (Jul 17)
- Re: DNS 53 <-> 53 ? Blake Frantz (Jul 17)
- Re: DNS 53 <-> 53 ? Ramin Alidousti (Jul 17)
- <Possible follow-ups>
- RE: DNS 53 <-> 53 ? Jens Hassler (Jul 17)
- RE: DNS 53 <-> 53 ? Jens Hassler (Jul 17)
- RE: DNS 53 <-> 53 ? Graeme Fowler (Jul 17)
  - Re: DNS 53 <-> 53 ? Ramin Alidousti (Jul 17)
- RE: DNS 53 <-> 53 ? Jens Hassler (Jul 17)