Snort mailing list archives

Re: Source IP 173.80.0.0 [revisited], bug?

From: ypwhich <ypwhich () paunix org>
Date: Wed, 3 Mar 2004 07:11:16 +0000 (UTC)

Ed,

You're on cable, like me.  I've seen this stuff before, hell if I run
Ethereal or tcpdump I get spammed with it.

Most of the 'traffic' causing my modem light to blink are from ARP
requests from a Cisco router upstream, which is my gateway.

As for the IP, my own modem sends out IGMP requests from the address:
192.168.100.0.  If I use a browser and http://192.168.100.1 (you can surf
into your own cable modem) - it shows the address as the Ethernet IP,
unsure how that works - unless it's a local thing - the IP used by the
modem on the DOCSIS network is 10.40.X.X

Cable didn't always use to function like this, I believe the bridging they
use (your own modem forwards a lot of routing data) to be a new thing.

Anyways, looking at the Ethereal data, my best guess would be an upstream
router, from your ISP.

-yp

On Tue, 2 Mar 2004, Ed wrote:

Date: Tue, 2 Mar 2004 15:03:23 -0500
From: Ed <snortlist () eddo net>
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Source IP 173.80.0.0 [revisited], bug?

Now that I finally had some time, I went back and did some packet captures
with ethereal for this traffic on my cable Internet connection.  All of the
packets were the same, local broadcast traffic with invalid IP 4 headers.
I'm kinda curious why Snort always thinks the source IP is 173.80.0.0  This
MAC is never in my ARP table.

At the same time, this MAC is the only one I've captured doing ARP requests
on the network.  Oddly enough, all of the requests are for different IP
ranges (all belonging to my cable provider though, according to WHOIS).
Either they (the cable provider) are running multiple IP ranges on the same
network, possible, but kinda stupid if you ask me, or someone is sending a
LOT of traffic they shouldn't be.

Any other ideas?



-------------------------------------------------------
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Source IP 173.80.0.0 Ed (Feb 22)
- Re: Source IP 173.80.0.0 ypwhich (Feb 24)
  - Re: Source IP 173.80.0.0 [revisited], bug? Ed (Mar 02)
    - RE: Source IP 173.80.0.0 [revisited], bug? Fred McFeeters (Mar 02)
    - Re: Source IP 173.80.0.0 [revisited], bug? ypwhich (Mar 02)