This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Strange logs, and mac @ ???

Hi,
I have a lot of logs on my astaro box like:

kernel: TCP Drop: IN=eth1 OUT= MAC=00:08:ab:ac:c9[:D]b:00:04:4d:7a[:D]4:f0:08:00 SRC=217.12.2.9 DST=xxx.xxx.xxx.xxx LEN=44 TOS=0x00 PREC=0x00 TTL=56 ID=61091 DF PROTO=TCP SPT=80 DPT=49172 WINDOW=17520 RES=0x00 ACK SYN URGP=0

kernel: TCP Drop: IN=eth1 OUT= MAC=00:08:ab:ac:c9[:D]b:00:04:4d:7a[:D]4:f0:08:00 SRC=194.79.135.176 DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=59 ID=62497 DF PROTO=TCP SPT=80 DPT=49171 WINDOW=32120 RES=0x00 ACK SYN URGP=0

kernel: TCP Drop: IN=eth1 OUT= MAC=00:08:ab:ac:c9[:D]b:00:04:4d:7a[:D]4:f0:08:00 SRC=194.79.135.179 DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=59 ID=30203 DF PROTO=TCP SPT=80 DPT=49169 WINDOW=32120 RES=0x00 ACK SYN URGP=0

kernel: TCP Drop: IN=eth1 OUT= MAC=00:08:ab:ac:c9[:D]b:00:04:4d:7a[:D]4:f0:08:00 SRC=194.79.135.171 DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=59 ID=65440 DF PROTO=TCP SPT=80 DPT=49168 WINDOW=32120 RES=0x00 ACK SYN URGP=0

kernel: TCP Drop: IN=eth1 OUT= MAC=00:08:ab:ac:c9[:D]b:00:04:4d:7a[:D]4:f0:08:00 SRC=194.79.135.176 DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=59 ID=62252 DF PROTO=TCP SPT=80 DPT=49169 WINDOW=32120 RES=0x00 ACK SYN URGP=0

kernel: TCP Drop: IN=eth1 OUT= MAC=00:08:ab:ac:c9[:D]b:00:04:4d:7a[:D]4:f0:08:00 SRC=194.79.135.176 DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=59 ID=62249 DF PROTO=TCP SPT=80 DPT=49168 WINDOW=32120 RES=0x00 ACK SYN URGP=0

kernel: TCP Drop: IN=eth1 OUT= MAC=00:08:ab:ac:c9[:D]b:00:04:4d:7a[:D]4:f0:08:00 SRC=217.12.3.11 DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=56 ID=65207 DF PROTO=TCP SPT=80 DPT=49166 WINDOW=65535 RES=0x00 ACK SYN URGP=0

kernel: TCP Drop: IN=eth1 OUT= MAC=00:08:ab:ac:c9[:D]b:00:04:4d:7a[:D]4:f0:08:00 SRC=217.12.3.11 DST=xxx.xxx.xxx.xxx LEN=44 TOS=0x00 PREC=0x00 TTL=56 ID=29738 DF PROTO=TCP SPT=80 DPT=49165 WINDOW=17520 RES=0x00 ACK SYN URGP=0

the source @ is always different, the destination is my firewall ip (xxx.xxx.xxx.xxx) .

The first thing is about MAC=00:08:ab:ac:c9[:D]b:00:04:4d:7a[:D]4:f0:08:00
the mac @ of my firewall is :00:08:ab:ac:c9[:D]b
so what is the "00:04:4d:7a[:D]4:f0:08:00" ????

The second is, what are these packets ?????
does someone scan my firewall ??
why the souce @ is never the same, DST = DST +1 each new time, and SPT=80 ????

could someone help me ??
thanks.

[ 13 March 2002: Message edited by: jeronimo ]

This thread was automatically locked due to age.

0 ollion over 23 years ago

jeronimo,

00:04:4d:7a: D4:f0 is your cisco router, isn't it?
Just don't care about 08:00, seems to be the upper
protocol 0800 which is IP.

Check the source addresses
e.g. http://217.12.2.9/ -> Yahoo

I assume that you had a connection to this server
which is already closed, but the server still
trys to deliver data.

regards
ollion

[ 13 March 2002: Message edited by: ollion ]
Cancel
Vote Up 0 Vote Down

Cancel
0 jeronimo over 23 years ago in reply to ollion

ok, thanks you for your reply!!

Do you think there is a solution to skip this logs ...
(on clients only, and not on the firewall or syslog server)??

because i have a lot of entry corresponding, with a lot of differnts server !!!

and, another question:
is it normal to have frequently logs about netbios traffic on the external interface ??
kernel: UDP Drop: IN=eth1 OUT= MAC=00:08:c7:a4:c9[:D]b:00:04:4d:7a[:D]4:f0:08:00 SRC=194.78.98.13 DST=xxx.xxx.xxx.xxx LEN=78 TOS=0x00 PREC=0x00 TTL=115 ID=43199 PROTO=UDP SPT=137 DPT=137 LEN=58
Cancel
Vote Up 0 Vote Down

Cancel