UNIX.COM forum: IP Networking
tcpdump: strange logging?

Hi,

I want to secure my ntp servers by setting restriction rules. Before doing so I want to monitor the traffic going through the ntp port of the servers, to be able to change the configuration of "the unwanted clients" in time so that they do not "lose" the correct time. To do this I am using tcpdump. Mostly it is working really fine, but I record 2 types of strange connections which I do not understand; maybe I did not understand in depth how tcpdump works, and I am asking your help to understand them. The tcpdump command I am executing is like:

Code:
    tcpdump -n -i interface port 123

A normal ntp query connection looks like:

Code:
    19:33:37.764379 IP ccc.ccc.ccc.001.123 > sss.sss.sss.sss.123: NTPv4, Client, length 48
    19:33:37.764421 IP sss.sss.sss.sss.123 > ccc.ccc.ccc.001.123: NTPv4, Server, length 48

Now the strange connection Nr1:

Code:
    19:33:38.801105 IP 10.ccc.ccc.002.123 > 10.ccc.ccc.003.123: NTPv4, Server, length 48

1) it is a single line, not a pair Client, Server
2) the "source" of the packets is not the local host (the machine where I am running the tcpdump)
3) the "destination" of the packets is not the local host (the machine where I am running the tcpdump)

Where does this packet come from?

Now the strange connection Nr2:

Code:
    19:33:38.801105 IP 10.ccc.ccc.004.123 > 10.ccc.ccc.005.3121: NTPv4, Server, length 48

1) same as before, but the "destination" port is not 123

Where does this packet come from?

Now the strange connection Nr3:

Code:
    08:00:04.904630 IP 192.168.ccc.006.123 > sss.sss.sss.sss.123: NTPv3, Client, length 48
    08:00:04.904646 IP sss.sss.sss.sss.123 > 192.168.ccc.006.123: NTPv3, Server, length 48

1) Now the structure "remote client asks, local server answers" is respected
2) but the remote client has an IP which is not routed at all??!?!

How can tcpdump get those packets?

So my questions are:
1) How to interpret those packet records? (i.e. do I miss something in the understanding of tcpdump?)
2) Can I ignore those "strange records" in the configuration of my secure ntp server?

Thanks a lot.

Last edited by one71 : 02-22-2008 at 01:23 AM.
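An added example, not code from the original poster or from any of the replies: a small Python classifier for tcpdump lines of the shape shown in the post. It separates the records the poster's ntp.conf restrict rules can actually act on (queries addressed to this server) from records where neither endpoint is the capturing host, which the server never answered and which only appear in the capture because the NIC handed up frames not addressed to it. A "Server" packet sent to a high port, like the Nr2 record, is a reply to a client that did not bind port 123: a UDP reply goes back to whatever source port the query used. The sample log lines are constructed, the local address 192.0.2.5 and the other addresses are placeholders, and RFC 1918 space is checked explicitly so that the documentation ranges used here are not counted as private.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample in the format "tcpdump -n port 123" prints; the addresses
# are documentation/private placeholders, not the poster's real hosts.
SAMPLE_LOG = """\
19:33:37.764379 IP 203.0.113.10.123 > 192.0.2.5.123: NTPv4, Client, length 48
19:33:37.764421 IP 192.0.2.5.123 > 203.0.113.10.123: NTPv4, Server, length 48
19:33:38.801105 IP 10.1.2.2.123 > 10.1.2.3.123: NTPv4, Server, length 48
19:33:38.801105 IP 10.1.2.4.123 > 10.1.2.5.3121: NTPv4, Server, length 48
08:00:04.904630 IP 192.168.7.6.123 > 192.0.2.5.123: NTPv3, Client, length 48
08:00:04.904646 IP 192.0.2.5.123 > 192.168.7.6.123: NTPv3, Server, length 48
"""

# One NTP line: "<ts> IP <src>.<sport> > <dst>.<dport>: NTPv<n>, <mode>, length <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"NTPv(?P<ver>\d), (?P<mode>[^,]+), length (?P<len>\d+)$"
)

# Checked explicitly: ipaddress.is_private also flags the documentation ranges.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def is_rfc1918(addr):
    """True when addr lies in RFC 1918 private space."""
    return any(ip_address(addr) in net for net in RFC1918)


def parse_line(line):
    """Return a dict for a recognised NTP line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for k in ("sport", "dport", "ver", "len"):
        rec[k] = int(rec[k])
    return rec


def classify(rec, local_ip):
    """Label one record relative to the capturing host."""
    src, dst = rec["src"], rec["dst"]
    if local_ip not in (src, dst):
        # Neither endpoint is this host: the frame was handed up because the
        # NIC is in promiscuous mode (or the segment floods/mirrors it). This
        # server never answered it, so restrict lines cannot affect it.
        return "third-party"
    if dst == local_ip and rec["mode"] == "Client":
        # A query to this server: the traffic restrict rules act on.
        return "inbound-query"
    if src == local_ip and rec["mode"] == "Server":
        return "our-reply"
    return "other"


def summarize(log_text, local_ip):
    """Count record kinds and list the clients that actually queried local_ip."""
    counts = Counter()
    clients = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec, local_ip)
        counts[kind] += 1
        if kind == "inbound-query":
            clients.add(rec["src"])
    return {
        "counts": dict(counts),
        "clients": sorted(clients),
        # Queries from RFC 1918 sources did reach the NIC, but the reply may
        # not be routable back; these deserve an explicit restrict decision.
        "private_clients": sorted(c for c in clients if is_rfc1918(c)),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, "192.0.2.5"))
```

Feed it real output with the local server address substituted for 192.0.2.5; the `clients` list is the set of sources a restrict policy has to account for, and everything counted as `third-party` can be left out of that policy.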
I have partially understood the strange connections popping up.
tcpdump sets the network interface into promiscuous mode. This means that:

Quote:

Thanks
To be honest: I have no idea.

Having said this, here is a suspicion: as long as you can ARP someone you can have a connection. It doesn't matter that layer 3 wouldn't work when your layer 2 already handles the connection. Have you looked in your ARP cache which MAC address this strange address maps to?

bakunin
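An added example of the check suggested above, not code from bakunin or the original poster: a Python script that reads the neighbour table as printed by Linux `ip neigh` or by `arp -an`, maps each address of interest to its MAC, and reports which other addresses share that MAC (same box, or the same gateway answering for all of them) or whether the address never resolved at all, meaning there is no layer-2 path to it from this host. The table lines, addresses and MACs below are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed neighbour-table output in "ip neigh" format (Linux).
SAMPLE_IP_NEIGH = """\
10.1.2.2 dev eth0 lladdr 00:50:56:aa:bb:01 REACHABLE
10.1.2.3 dev eth0 lladdr 00:50:56:aa:bb:01 STALE
10.1.2.5 dev eth0 lladdr 00:50:56:aa:bb:05 REACHABLE
192.168.7.6 dev eth0 lladdr 00:50:56:aa:bb:01 REACHABLE
192.168.7.9 dev eth0  FAILED
"""

# The same kind of data in "arp -an" format; <incomplete> means no ARP reply.
SAMPLE_ARP_AN = """\
? (10.1.2.2) at 00:50:56:aa:bb:01 [ether] on eth0
? (192.168.7.9) at <incomplete> on eth0
"""

IP_RE = re.compile(r"\d+(?:\.\d+){3}")
MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", re.IGNORECASE)


def parse_neighbours(text):
    """Map IP -> lower-case MAC for resolved entries, IP -> None for unresolved
    ones (FAILED / INCOMPLETE / <incomplete>)."""
    table = {}
    for line in text.splitlines():
        ip = IP_RE.search(line)
        if not ip:
            continue
        mac = MAC_RE.search(line)
        table[ip.group()] = mac.group().lower() if mac else None
    return table


def group_by_mac(table):
    """MAC -> sorted list of IPs that resolve to it."""
    groups = defaultdict(list)
    for ip, mac in table.items():
        if mac:
            groups[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in groups.items()}


def explain(table, addrs):
    """For each address: its MAC and the other IPs behind that MAC, or
    mac=None when nothing on the segment answered ARP for it."""
    groups = group_by_mac(table)
    out = {}
    for a in addrs:
        mac = table.get(a)
        others = [ip for ip in groups.get(mac, []) if ip != a] if mac else []
        out[a] = {"mac": mac, "shares_mac_with": others}
    return out


if __name__ == "__main__":
    table = parse_neighbours(SAMPLE_IP_NEIGH)
    for addr, info in explain(table, ["192.168.7.6", "192.168.7.9"]).items():
        print(addr, info)
```

Several "strange" addresses resolving to one MAC is the pattern to look for: the frames are then coming from a single neighbour at layer 2 regardless of what their layer-3 addresses are.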