I have an old server running on redhat 8.0 (I know... don't ask why).
Recently I've seen lines like the following in /var/log/kernel :
Oct 28 08:53:28 myhost kernel: martian source 255.255.255.255 from 127.0.0.1, on dev eth0 Oct 28 08:53:28 myhost kernel: ll header: ff:ff:ff:ff:ff:ff:<snipped.unknown.mac.address>
It appears they are related to a network device and not to the linux machine per se. I did a web search, but I'm not satisfied with the vague responses for the question.
what do they mean?
~af
On Thu, 30 Oct 2008 16:23:34 -0700 Aldo Foot lunixer@gmail.com wrote:
Oct 28 08:53:28 myhost kernel: martian source 255.255.255.255 from
what do they mean?
A "martian source" is an invalid IP address. In your case, 255.255.255.255 is the IP address. It's impossible for that to be a valid address, not least because *.*.*.255 is a broadcast address.
Frank Cox wrote:
On Thu, 30 Oct 2008 16:23:34 -0700 Aldo Foot lunixer@gmail.com wrote:
Oct 28 08:53:28 myhost kernel: martian source 255.255.255.255 from
what do they mean?
A "martian source" is an invalid IP address. In your case, 255.255.255.255 is the IP address. It's impossible for that to be a valid address, not least because *.*.*.255 is a broadcast address.
A little clarification, a "martian source" isn't strictly an invalid IP. It is usually triggered when the kernel routing table doesn't match where it expects the IP address. I see this a lot on my firewall, but that is because both my ISP and myself use a 10.x.x.x private IP range that overlaps. They use it for the management of the cable modems, and I use it for more traditional uses. This results in my firewalls Kernel expecting 10.x to come in on eth3, not eth1 so the kernel fires off a martian source message with the details of the problem.
In terms of a broadcast range, since most proper broadcasts on more up to date TCP stacks use x.x.x.255 as the broadcast, not a full 'every network possible' broadcast (255.255.255.255) it will fire off an alert that something it trying a mass broadcast that it doesn't expect (since that broadcast range will not match its known route table). This broadcast IP can be seen a lot on DHCP type setups, or other discovery items on a computer. You can also see occasional 224-236.x.x.x ranges fire off the same messages on the box, for multicast messages.
A good example of a non-invalid IP address message is off my firewall(Sanitized a bit, of course):
Oct 29 01:39:08 fw kernel: martian source 192.168.1.1 from 68.10.11.12, on dev eth1 Oct 29 01:39:08 fw kernel: ll header: 00:e0:81:2a:1f:b8:00:30:b8:c6:c3:90:08:00 Oct 29 01:39:11 fw kernel: martian source 192.168.1.1 from 68.10.11.12, on dev eth1 Oct 29 01:39:11 fw kernel: ll header: 00:e0:81:2a:1f:b8:00:30:b8:c6:c3:90:08:00 Oct 29 01:39:11 fw kernel: martian source 192.168.1.1 from 68.10.11.12, on dev eth1 Oct 29 01:39:11 fw kernel: ll header: 00:e0:81:2a:1f:b8:00:30:b8:c6:c3:90:08:00
To break it down simply, there is a problem with how the routes are seeing the end results of my firewall as the wrong source (The internal gateway versus the public IP) with eth1 being the interface with the 68 address assigned.
Not to completely shoot down the last response, but it is an invalid address, that is true, same as any of the private IP ranges are seen on the Internet.
Sorry for the long winded reply, but this was something I know pretty well since I see it a lot.
Regards, Seann
On Fri, Oct 31, 2008 at 6:59 AM, Seann Clark nombrandue@tsukinokage.net wrote:
..... I see this a lot on my firewall, but that is because both my ISP and myself use a 10.x.x.x private IP range that overlaps. They use it for the management of the cable modems, and I use it for more traditional uses....
What you describe is more or less what occurs with my network setup.
In terms of a broadcast range, since most proper broadcasts on more up to date TCP stacks use x.x.x.255 as the broadcast, not a full 'every network possible' broadcast (255.255.255.255) it will fire off an alert that something it trying a mass broadcast that it doesn't expect (since that broadcast range will not match its known route table). This broadcast IP can be seen a lot on DHCP type setups, or other discovery items on a computer. You can also see occasional 224-236.x.x.x ranges fire off the same messages on the box, for multicast messages.
The machine I was asking about uses two NICs. One for the outside world and the other for talking to a switch where DHCP is enabled for a bunch of systems.
Given your insight then is it alright to conclude that the "martian source" messages can be ignored and are harmless? The messages do not fill the log files and some days are much less than others.
Your explanation was pretty good. Thanks. ~af
Frank Cox wrote:
A "martian source" is an invalid IP address. In your case, 255.255.255.255 is the IP address. It's impossible for that to be a valid address, not least because *.*.*.255 is a broadcast address.
Usually. If you’re using anything larger than a Class C (= /24 = netmask of 255.255.255.0), then you will have normal IP addresses ending in .0 and .255.
Worked example: a local network with 4 computers, using 10.0.0.0/8: Network address: 10.0.0.0 Broadcast address: 10.255.255.255 A normal address: 10.1.2.3 Another normal address: 10.1.1.255
Hope this helps,
James.
-
Aldo Foot -
Frank Cox -
James Wilkinson -
Seann Clark