The Boston Diaries

The ongoing saga of a programmer who doesn't live in Boston, nor does he even like Boston, but yet named his weblog/journal “The Boston Diaries.”

Go figure.

Thursday, January 05, 2006

Packets from Mars

Another thing I'm seeing with the LaBrea Tarpit software—wierd ARP packets.

I've got the logging set to “verbose” (in case any problems come up) and one result is that it logs all the ARP requests that it sees, but can't answer (can't answer them because they're outside the normal netblock LaBrea is “answering” for). So I see a bunch for other public IP addresses we have. And the various private IP addresses that I'm not exactly sure what they're being used for, but hey, they're private.

And then … there are the ARP requests that shouldn't exist:

Jan  6 00:55:40 ltp : IP address not in netblock - ARP WHO-HAS 64.76.67.1   TELL 64.76.67.64
Jan  6 00:55:42 ltp : IP address not in netblock - ARP WHO-HAS 64.76.67.1   TELL 64.76.67.248
Jan  6 00:55:43 ltp : IP address not in netblock - ARP WHO-HAS 64.76.67.254 TELL 64.76.67.236
Jan  6 00:55:43 ltp : IP address not in netblock - ARP WHO-HAS 64.76.67.1   TELL 64.76.67.248
Jan  6 00:55:44 ltp : IP address not in netblock - ARP WHO-HAS 64.76.67.1   TELL 66.252.226.46
Jan  6 00:55:44 ltp : IP address not in netblock - ARP WHO-HAS 64.76.67.254 TELL 64.76.67.236
Jan  6 00:55:44 ltp : IP address not in netblock - ARP WHO-HAS 64.76.67.1   TELL 64.76.67.248
Jan  6 00:55:45 ltp : IP address not in netblock - ARP WHO-HAS 64.76.67.254 TELL 64.76.67.236
Jan  6 00:55:47 ltp : IP address not in netblock - ARP WHO-HAS 64.76.67.1   TELL 64.76.67.248

I have no clue where these are coming from.

None, and I mean none of our addresses are from the 64.0.0.0/8 block. That doesn't appear to be any of our upstream providers. I can traceroute to 64.76.67.248 but why I'm seeing ARP requests from it is beyond me. Especially since ARP requests can't be routed! It's something local sending it out, or it's LaBrea misinterpreting the ARP packet (since it can be used for more than just IPMAC address translations).

One thing for sure, I'll have to check the code, and possibly modify LaBrea to log the MAC address so I can track this down. Then again, I have to hit the code anyway, since technically, the MAC address LaBrea uses is wrong (the “global/local” bit in the address is not set, and it should be).

Obligatory Picture

[The future's so bright, I gotta wear shades]

Obligatory Contact Info

Obligatory Feeds

Obligatory Links

Obligatory Miscellaneous

You have my permission to link freely to any entry here. Go ahead, I won't bite. I promise.

The dates are the permanent links to that day's entries (or entry, if there is only one entry). The titles are the permanent links to that entry only. The format for the links are simple: Start with the base link for this site: https://boston.conman.org/, then add the date you are interested in, say 2000/08/01, so that would make the final URL:

https://boston.conman.org/2000/08/01

You can also specify the entire month by leaving off the day portion. You can even select an arbitrary portion of time.

You may also note subtle shading of the links and that's intentional: the “closer” the link is (relative to the page) the “brighter” it appears. It's an experiment in using color shading to denote the distance a link is from here. If you don't notice it, don't worry; it's not all that important.

It is assumed that every brand name, slogan, corporate name, symbol, design element, et cetera mentioned in these pages is a protected and/or trademarked entity, the sole property of its owner(s), and acknowledgement of this status is implied.

Copyright © 1999-2024 by Sean Conner. All Rights Reserved.