On Tue, Jan 02, 2001 at 02:09:20AM -0600, will trillich wrote:
> i've got something quite similar to this, but mine's on INPUT--
>
> Jan 2 01:18:48 server kernel: Packet log: input DENY eth0 PROTO=1
> 172.156.51.114:10 224.0.0.2:0 L=28 S=0x00 I=8964 F=0x0000 T=128 (#9)
> Jan 2 01:18:51 server kernel: Packet log: input DENY eth0 PROTO=1
> 172.156.51.114:10 224.0.0.2:0 L=28 S=0x00 I=9220 F=0x0000 T=128 (#9)
> Jan 2 01:20:07 server kernel: Packet log: input DENY eth0 PROTO=1
> 172.167.37.113:10 224.0.0.2:0 L=28 S=0x00 I=33028 F=0x0000 T=128 (#9)
> Jan 2 01:20:10 server kernel: Packet log: input DENY eth0 PROTO=1
> 172.167.37.113:10 224.0.0.2:0 L=28 S=0x00 I=34308 F=0x0000 T=128 (#9)
> Jan 2 01:20:13 server kernel: Packet log: input DENY eth0 PROTO=1
> 172.167.37.113:10 224.0.0.2:0 L=28 S=0x00 I=34564 F=0x0000 T=128 (#9)

This is multicast traffic. 224.0.0.2 means "all routers on this
subnet". This is probably router discovery traffic; I'd bet if you
nmap (with tcp fingerprint) 172.167.37.113 you'll find it's a router.

btw, unless you edited it, 172.167.37.113 is not a private address
(though someone might be laboring under the illusion that it is).
RFC 1918 says 172.16.0.0 thru 172.31.255.255 are reserved for private
networks.

] [EMAIL PROTECTED]:~$ whois -h rs.arin.net 172.167
] America Online, Inc. (NETBLK-AOL-172BLK)
]    12100 Sunrise Valley Drive
]    Reston, VA 20191
]    US
]
]    Netname: AOL-172BLK
]    Netblock: 172.128.0.0 - 172.185.255.255
]    Maintainer: AOL
]
]    Coordinator:
]       America Online, Inc. (AOL-NOC-ARIN) [EMAIL PROTECTED]
]       703-265-4670
]
]    Domain System inverse mapping provided by:
]
]    DAHA-01.NS.AOL.COM 152.163.159.233
]    DAHA-02.NS.AOL.COM 205.188.157.233
]
]    ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
]
]    Record last updated on 21-Nov-2000.
]    Database last updated on 1-Jan-2001 18:15:35 EDT.
]
] The ARIN Registration Services Host contains ONLY Internet
] Network Information: Networks, ASN's, and related POC's.
] Please use the whois server at rs.internic.net for DOMAIN related
] Information and whois.nic.mil for NIPRNET Information.

How about that :)

-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Inc.                 | than a perfect plan tomorrow.
mailto:[EMAIL PROTECTED]       |   -- Patton
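
The checks made in the reply above, as an added example that is not part of the original message: it parses ipchains "Packet log" lines, tests the source address against the RFC 1918 ranges and flags multicast destinations. It assumes that for PROTO=1 (ICMP) the two port fields hold the ICMP type and code; the names classify and SAMPLES and the second sample line are constructed for illustration.

```python
import ipaddress
import re

# Assumed ipchains log layout; for PROTO=1 (ICMP) the two "port"
# fields are taken to hold the ICMP type and code.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ICMP_TYPES = {9: "router advertisement", 10: "router solicitation"}  # RFC 1256
GROUPS = {"224.0.0.1": "all hosts on this subnet",
          "224.0.0.2": "all routers on this subnet"}

def classify(line):
    """Describe one log line as a dict, or return None if it does not match."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    info = {
        "chain": m["chain"], "action": m["action"], "iface": m["iface"],
        "src": str(src), "dst": str(dst),
        "src_rfc1918": any(src in net for net in RFC1918),
        "dst_multicast": dst.is_multicast,
        "dst_group": GROUPS.get(str(dst)),
        "icmp": None,
    }
    if int(m["proto"]) == 1:
        icmp_type = int(m["sport"])
        info["icmp"] = ICMP_TYPES.get(icmp_type, f"type {icmp_type}")
    return info

# First line: from the quoted log, re-joined onto one line.
# Second line: constructed, with a source inside 172.16.0.0/12 for contrast.
SAMPLES = [
    "Jan 2 01:20:07 server kernel: Packet log: input DENY eth0 PROTO=1 "
    "172.167.37.113:10 224.0.0.2:0 L=28 S=0x00 I=33028 F=0x0000 T=128 (#9)",
    "Jan 2 01:21:00 server kernel: Packet log: input DENY eth0 PROTO=1 "
    "172.20.1.5:10 224.0.0.2:0 L=28 S=0x00 I=100 F=0x0000 T=128 (#9)",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample))
```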