[nSLUG] tcpdump qry: What does this mean?

Dop Ganger nslug at fop.ns.ca
Wed Jan 14 08:54:57 AST 2004


On Wed, 14 Jan 2004, Mike Spencer wrote:

> I spotted this a couple of nights ago:
>
>     01:10:31.625722 0.0.0.0 > 0.0.0.0: ip-proto-0 536 [ttl 0]
>     01:10:31.715740 0.0.0.0 > 0.0.0.0: ip-proto-0 536 [ttl 0]
>     01:10:31.815722 0.0.0.0 > 0.0.0.0: ip-proto-0 536 [ttl 0]
>     01:10:32.025742 0.0.0.0 > 0.0.0.0: ip-proto-0 536 [ttl 0]
>     01:10:32.105716 0.0.0.0 > 0.0.0.0: ip-proto-0 536 [ttl 0]
>     01:10:32.175701 0.0.0.0 > 0.0.0.0: ip-proto-0 536 [ttl 0]
>     01:10:32.235700 0.0.0.0 > 0.0.0.0: ip-proto-0 536 [ttl 0]
>     01:10:32.325687 0.0.0.0 > 0.0.0.0: ip-proto-0 453 [ttl 0]

It's a martian packet... I'm guessing you're on dialup? I vaguely recall
certain modem racks (including, occasionally, USR TC racks) would send
these packets when they got confused about routing. It *shouldn't* be
something from the outside world (i.e., from beyond your ISP's modem rack)
unless there's something really iffy going on with your ISP's routing
(since the packet doesn't have a destination, how would the ISP's router
know where to send it?)

> What does that represent?  (Pointer to suitable RFC, URL or whatever
> would be fine but the tcpdump manpage doesn't seem to answer the
> question.)

http://www.netlingo.com/lookup.cfm?term=martian%20packet

http://www.cromwell-intl.com/security/security-stack-hardening.html has
notes on monitoring this, amongst other odds and ends (basically,
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians). Also, you might want
to try ramping up the debug and kdebug for pppd, if you're using it, and
see if that has anything to say.

Cheers... Dop.
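
Added example, not part of the original post: a small Python filter that applies the checks discussed above to old-style tcpdump text output and reports why a line looks martian. The source-range list and the DHCP exception are assumptions of this example; the first two sample lines are from the post, the other two are constructed.

```python
import ipaddress
import re

# Old-style tcpdump text line, as quoted in the post: "time src > dst: rest"
LINE_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+>\s+(\S+):\s+(.*)$")
# Ranges that should never appear as a source on a routed link
# (assumption: a conservative subset chosen for this example).
BAD_SOURCES = [ipaddress.ip_network(n) for n in
               ("0.0.0.0/8", "127.0.0.0/8", "224.0.0.0/4", "240.0.0.0/4")]
BROADCAST = ipaddress.IPv4Address("255.255.255.255")

def host_part(field):
    """Drop a trailing .port from 'a.b.c.d.port'; None if not a numeric IPv4."""
    try:
        return ipaddress.IPv4Address(".".join(field.split(".")[:4]))
    except ValueError:
        return None

def classify(line):
    """Return the reasons a line looks martian (empty list means nothing odd)."""
    m = LINE_RE.match(line)
    if not m:
        return []
    _, src, dst, rest = m.groups()
    src_ip, dst_ip = host_part(src), host_part(dst)
    reasons = []
    # 0.0.0.0 -> 255.255.255.255 is a normal DHCP/BOOTP client request, so skip it.
    dhcp_like = src_ip == ipaddress.IPv4Address("0.0.0.0") and dst_ip == BROADCAST
    if src_ip is not None and not dhcp_like and any(src_ip in n for n in BAD_SOURCES):
        reasons.append(f"source {src_ip} is not a valid source address")
    if dst_ip is not None and dst_ip in BAD_SOURCES[0]:
        reasons.append(f"destination {dst_ip} is not routable")
    if "ip-proto-0" in rest:
        reasons.append("IP protocol field is 0")
    if "[ttl 0]" in rest:
        reasons.append("TTL is 0")
    return reasons

SAMPLE = [
    "01:10:31.625722 0.0.0.0 > 0.0.0.0: ip-proto-0 536 [ttl 0]",   # from the post
    "01:10:32.325687 0.0.0.0 > 0.0.0.0: ip-proto-0 453 [ttl 0]",   # from the post
    "01:10:40.000001 0.0.0.0.68 > 255.255.255.255.67: udp 300",    # constructed
    "01:10:41.000002 192.168.1.5.1025 > 192.168.1.1.53: udp 29",   # constructed
]

def scan(lines):
    """Return (line, reasons) for every line that trips at least one check."""
    return [(l, r) for l in lines if (r := classify(l))]
```

Calling scan(SAMPLE) returns only the two lines from the post, each with four reasons; the DHCP-style and ordinary DNS lines pass.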



