Re: Solaris 7 installation is sending 127.0.0.0/8 addresses on the ethernet network...

From: Michael Boman (michael.boman@securecirt.com)
Date: 11/28/02

  • Next message: Matt Harris: "Re: Solaris 7 installation is sending 127.0.0.0/8 addresses on the ethernet network..." 
    Date: Thu, 28 Nov 2002 09:13:46 +0800
From: Michael Boman <michael.boman@securecirt.com>
To: Matt Harris <mdh@unix.si.edu>

    On Wed, Nov 27, 2002 at 04:18:12PM -0500, Matt Harris wrote:
    > Check your arp tables and see if there's a mac address associated with
    > 127.0.0.75, and ifso, then what. That's a good starting point. Not
    > much else to say without more information or knowledge of a specific
    > issue which would cause that (I'm not aware of any at this point). I
    > also noted that it said the packet was of type IPv6. Maybe an IPv6 src
    > addr was incorrectly interpreted by the kernel ip stack to be 127.0.0.75
    > based upon it's binary value or somesuch (just an off-the-wall guess,
    > I'm probably entirely on the wrong track here, as I did not write the ip
    > stack for Solaris)? Very odd indeed. Are you in promiscuous mode on a
    > hub/spanning port, or is this actually a broadcast to the subnet that
    > you're on, or what?

    I grabbed the pcap output from our IDS that is sitting on a SPAN
    port. I've read the other replies that indicate that it's something
    wrong with the routing on the system itself, but as you can see from
    the ethereal dump the Sun system emits traffic with the source IP of
    127.0.0.0/8, not the destination. Any other suggestions?

    Best regards
     Michael Boman 

    -- 
Michael Boman
Security Architect, SecureCiRT (A SBU of Z-Vance Pte Ltd)
http://www.securecirt.com