>Why are a bunch of dialups icmp'ing illegal numbers?
>
>Apr 2 10:01:20 5E:pm2.aiken.sc.da.duesouth.net 5 permit: icmp from
>216.98.9.72 to 149.1.1.1 type Echo Request

That's an echo request (aka "ping") to the host 149.1.1.1, which is
a valid IP address. It is currently alive and responding to pings
from here. There is no reverse DNS info on that specific address,
but it appears that the 149.1.1.* might be owned/managed by conducent.com.
Learn to use traceroute and dig/nslookup, they are your friends, and
you should have been able to figure this out on your own.

>Apr 2 10:01:21 5E:pm2.aiken.sc.da.duesouth.net 5 permit: icmp from
>216.98.9.81 to 224.0.0.2 type Unknown

The destination address of 224.0.0.2 is the "all routers" multicast
address. The type of ICMP message is only given as "Unknown", so it
is hard to say with absolute certainty what this is. (I think that's
a bug in ComOS, or at the very least fodder for an RFE. If a filter
logs an unknown ICMP message, it should also log the numeric type/code
of the message.)

However, it's possible to make an educated guess. Most likely this is
the ICMP router discovery protocol, trying to find a default route.
This is described in RFC 1256:
http://andrew2.andrew.cmu.edu/rfc/rfc1256.html

A good online writeup of the protocol can be found here:
http://www.performancecomputing.com/unixreview/backissu/9707/9707dae.htm

[Quick summary: the protocol uses ICMP messages with type.code of 9.0 sent
to 224.0.0.1 (all hosts) to advertise a default route, and an ICMP message
with type.code of 10.0 sent to 224.0.0.2 (all routers) to solicit a default
route. What you are seeing is likely a default route solicitation, although
you would need to find the ICMP type.code of the message to know for sure.]

Of course, assuming this is coming from Microsoft's networking code,
one could ask why it's doing this in the first place, since the PPP
connection is told the default gateway to use. Then again, Microsoft's
networking code does a lot of questionable things, including sending
NetBIOS "broadcast" requests to x.x.x.255 over a PPP connection, when
that is clearly not a valid broadcast address for the connection. :-/

Michael Bryan
pmu@ursine.com
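
An added example, not part of the original message: a sketch of the kind of log line the reply asks for, one that prints the numeric ICMP type.code even when the type has no name, and that flags the RFC 1256 router discovery pairs from the quick summary. The function names and packet bytes are constructed for illustration; only the addresses come from the quoted log lines.

```python
import ipaddress
import struct

# Names a filter log might print; 9 and 10 are the RFC 1256 router discovery types.
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 5: "Redirect",
              8: "Echo Request", 9: "Router Advertisement",
              10: "Router Solicitation", 11: "Time Exceeded"}
ALL_HOSTS = ipaddress.ip_address("224.0.0.1")
ALL_ROUTERS = ipaddress.ip_address("224.0.0.2")

def inet_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(itype: int, code: int, rest: bytes = b"\x00" * 4) -> bytes:
    """Construct a sample ICMP message with a valid checksum (test input only)."""
    unsummed = struct.pack("!BBH", itype, code, 0) + rest
    return struct.pack("!BBH", itype, code, inet_checksum(unsummed)) + rest

def describe_icmp(src: str, dst: str, icmp: bytes) -> str:
    """Format a log line that always carries the numeric type.code."""
    if len(icmp) < 8:
        return f"icmp from {src} to {dst} truncated ({len(icmp)} bytes)"
    itype, code = icmp[0], icmp[1]
    notes = []
    if inet_checksum(icmp) != 0:  # a valid message sums to zero
        notes.append("bad checksum")
    dest = ipaddress.ip_address(dst)
    if (itype, code) == (10, 0) and dest == ALL_ROUTERS:
        notes.append("RFC 1256 solicitation to all-routers")
    elif (itype, code) == (9, 0) and dest == ALL_HOSTS:
        notes.append("RFC 1256 advertisement to all-hosts")
    elif dest.is_multicast:
        notes.append("multicast destination")
    line = f"icmp from {src} to {dst} type {ICMP_TYPES.get(itype, 'Unknown')} ({itype}.{code})"
    return line + (f" [{'; '.join(notes)}]" if notes else "")

if __name__ == "__main__":
    # Constructed packets; the addresses are the ones in the quoted log lines.
    print(describe_icmp("216.98.9.72", "149.1.1.1", build_icmp(8, 0)))
    print(describe_icmp("216.98.9.81", "224.0.0.2", build_icmp(10, 0)))
    print(describe_icmp("216.98.9.81", "224.0.0.2", build_icmp(42, 0)))
```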