
Re: strange network info in the logs



On Wed, Mar 08, 2006 at 11:15:06AM +0900, Kai Hendry wrote:
> On 2006-03-07T09:15+0100 Geert Stappers wrote:
> > > Mar  7 11:31:13 sam kernel: IN=eth0 OUT= MAC=01:00:5e:00:00:01:00:04:96:15:80:80:08:00 SRC=219.252.91.1 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0xC0 TTL=1 ID=9838 PROTO=2
> > The long MAC address looks like a MAC address from a fire-wire device.
> 
> It's not the LAN or Wireless card. Can I assume the device is on my
> machine?

Given it says IN=eth0, I would say you can assume the device is NOT on
your machine, but on something connected to your eth0.  It is quite
common to see multicast traffic on cable modem links.  I don't know what
cable modem MAC addresses look like, so it could just be a router at
your ISP doing multicast traffic.

01:00:5e:00:00:01 is the multicast MAC matching 224.0.0.1.

> 0000:00:00.0 Host bridge: Intel Corporation 82852/82855 GM/GME/PM/GMV Processor to I/O Controller (rev 02)
> 0000:00:00.1 System peripheral: Intel Corporation 82852/82855 GM/GME/PM/GMV Processor to I/O Controller (rev 02)
> 0000:00:00.3 System peripheral: Intel Corporation 82852/82855 GM/GME/PM/GMV Processor to I/O Controller (rev 02)
> 0000:00:02.0 VGA compatible controller: Intel Corporation 82852/855GM Integrated Graphics Device (rev 02)
> 0000:00:02.1 Display controller: Intel Corporation 82852/855GM Integrated Graphics Device (rev 02)
> 0000:00:1d.0 USB Controller: Intel Corporation 82801DB/DBL/DBM (ICH4/ICH4-L/ICH4-M) USB UHCI Controller #1 (rev 01)
> 0000:00:1d.1 USB Controller: Intel Corporation 82801DB/DBL/DBM (ICH4/ICH4-L/ICH4-M) USB UHCI Controller #2 (rev 01)
> 0000:00:1d.2 USB Controller: Intel Corporation 82801DB/DBL/DBM (ICH4/ICH4-L/ICH4-M) USB UHCI Controller #3 (rev 01)
> 0000:00:1d.7 USB Controller: Intel Corporation 82801DB/DBM (ICH4/ICH4-M) USB2 EHCI Controller (rev 01)
> 0000:00:1e.0 PCI bridge: Intel Corporation 82801 Mobile PCI Bridge (rev 81)
> 0000:00:1f.0 ISA bridge: Intel Corporation 82801DBM (ICH4-M) LPC Interface Bridge (rev 01)
> 0000:00:1f.1 IDE interface: Intel Corporation 82801DBM (ICH4-M) IDE Controller (rev 01)
> 0000:00:1f.3 SMBus: Intel Corporation 82801DB/DBL/DBM (ICH4/ICH4-L/ICH4-M) SMBus Controller (rev 01)
> 0000:00:1f.5 Multimedia audio controller: Intel Corporation 82801DB/DBL/DBM (ICH4/ICH4-L/ICH4-M) AC'97 Audio Controller (rev 01)
> 0000:00:1f.6 Modem: Intel Corporation 82801DB/DBL/DBM (ICH4/ICH4-L/ICH4-M) AC'97 Modem Controller (rev 01)
> 0000:02:00.0 CardBus bridge: Ricoh Co Ltd RL5c476 II (rev 8d)
> 0000:02:00.1 0805: Ricoh Co Ltd R5C822 SD/SDIO/MMC/MS/MSPro Host Adapter (rev 13)
> 0000:02:01.0 Ethernet controller: Intel Corporation 82541GI Gigabit Ethernet Controller
> 0000:02:02.0 Network controller: Intel Corporation PRO/Wireless 2200BG (rev 05)
> 
> > 224.0.0.1 is a "multicast address"
> 
> Why go there? For a multicast? That makes no sense to me.
> 
> > But what is it actually?  Somebody else than E.T. phoning home?
> 
> Are you saying something on my X40 is trying to contact something?
> 
> Btw, why on earth are these messages logged to /var/log/messages anyway?

iptables rules that say log things.

So most likely this just means the ISP is supporting multicast traffic
and you happen to get copies of some of it for some reason.

Len Sorensen
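
Added example, not part of the original message: a small Python parser for the log line quoted above. It splits the `MAC=` field into the destination MAC, source MAC and EtherType that make up the 14-byte Ethernet header, and checks that the destination MAC is the one the standard IPv4 multicast mapping (01:00:5e plus the low 23 bits of the group address) gives for `DST`. The function names are chosen for this example.

```python
import ipaddress
import re

# Log line quoted in the thread above.
SAMPLE = ("Mar  7 11:31:13 sam kernel: IN=eth0 OUT= "
          "MAC=01:00:5e:00:00:01:00:04:96:15:80:80:08:00 SRC=219.252.91.1 "
          "DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0xC0 TTL=1 ID=9838 PROTO=2")

def parse_log_line(line):
    """Return the KEY=VALUE fields of a netfilter LOG line as a dict."""
    return dict(re.findall(r"(\w+)=(\S*)", line))

def split_mac_field(mac_field):
    """Split the 14-byte Ethernet header: dst MAC, src MAC, EtherType."""
    octets = mac_field.lower().split(":")
    if len(octets) != 14:
        raise ValueError("expected 14 octets, got %d" % len(octets))
    return ":".join(octets[:6]), ":".join(octets[6:12]), "".join(octets[12:])

def multicast_mac(group):
    """Map an IPv4 multicast group to its Ethernet MAC (RFC 1112)."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError("%s is not an IPv4 multicast address" % group)
    low23 = int(addr) & 0x7FFFFF  # only 23 bits fit, so 32 groups share a MAC
    octets = [0x01, 0x00, 0x5E, low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF]
    return ":".join("%02x" % o for o in octets)

def analyse(line):
    """Summarise direction, link-layer addresses and multicast consistency."""
    fields = parse_log_line(line)
    dst_mac, src_mac, ethertype = split_mac_field(fields["MAC"])
    dst_ip = ipaddress.IPv4Address(fields["DST"])
    return {
        # IN set and OUT empty: the packet arrived on that interface.
        "inbound": bool(fields.get("IN")) and not fields.get("OUT"),
        "dst_mac": dst_mac,
        "src_mac": src_mac,      # the sending device on the eth0 segment
        "ethertype": ethertype,  # 0800 is IPv4
        "dst_mac_matches_group": dst_ip.is_multicast
                                 and multicast_mac(str(dst_ip)) == dst_mac,
    }

if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(key, "=", value)
```
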


