On Tue, 11 Jun 2002, Proud Debian-User wrote: > Jun 11 19:01:14 abyss kernel: martian source 10.10.151.255 from > 10.10.151.43, on dev eth0 > Jun 11 19:03:19 abyss kernel: martian source 10.10.150.1 from 10.10.151.43, > on dev eth0 > > in the last 5 days these logging messages increases. > Normally i ignore them, but now there are 7 machines in my net with these > packets. > I'm wondering if this is a sign for a trojan or virus.
RFC 1812 (following RFC 1716) defines a "martian" packet as a packet which contains an invalid source or destination address. For source addresses, this means: An IP source address is invalid if it is a special IP address, as defined in 4.2.2.11 or 5.3.7, or is not a unicast address. For example, 127.0.0.1 is the loopback address, so you should never get a packet addressed to 127.0.0.1 turning up at the router. If you do, something's messed up. 10.10.151.255 is an invalid source address if your computer considers 10.10.151.0/24 to be the local network, since the host part is 255, which means "broadcast"; obviously that can't be a source address. I'm not sure how 10.10.150.1 can be considered invalid, though. T -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
