Snort mailing list archives
Re: Source IP 173.80.0.0 [revisited], bug?
From: ypwhich <ypwhich () paunix org>
Date: Wed, 3 Mar 2004 07:11:16 +0000 (UTC)
Ed,

You're on cable, like me. I've seen this stuff before, hell if I run Ethereal or tcpdump I get spammed with it. Most of the 'traffic' causing my modem light to blink is from ARP requests from a Cisco router upstream, which is my gateway.

As for the IP, my own modem sends out IGMP requests from the address: 192.168.100.0. If I use a browser and http://192.168.100.1 (you can surf into your own cable modem) - it shows the address as the Ethernet IP, unsure how that works - unless it's a local thing - the IP used by the modem on the DOCSIS network is 10.40.X.X.

Cable didn't always use to function like this, I believe the bridging they use (your own modem forwards a lot of routing data) to be a new thing.

Anyways, looking at the Ethereal data, my best guess would be an upstream router, from your ISP.

-yp

On Tue, 2 Mar 2004, Ed wrote:
Date: Tue, 2 Mar 2004 15:03:23 -0500
From: Ed <snortlist () eddo net>
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Source IP 173.80.0.0 [revisited], bug?

Now that I finally had some time, I went back and did some packet captures with ethereal for this traffic on my cable Internet connection. All of the packets were the same, local broadcast traffic with invalid IP 4 headers. I'm kinda curious why Snort always thinks the source IP is 173.80.0.0.

This MAC is never in my ARP table. At the same time, this MAC is the only one I've captured doing ARP requests on the network. Oddly enough, all of the requests are for different IP ranges (all belonging to my cable provider though, according to WHOIS).

Either they (the cable provider) are running multiple IP ranges on the same network, possible, but kinda stupid if you ask me, or someone is sending a LOT of traffic they shouldn't be.

Any other ideas?