From: Bob Bishop
To: "Christoph P.U. Kukulies"
Cc: freebsd-hackers@freebsd.org
Date: Fri, 10 Aug 2012 16:28:12 +0100
Subject: Re: strange things happening with ping - am I hacked?
Message-Id: <1668355C-7597-4878-9D0B-164B051E1CA7@gid.co.uk>
In-Reply-To: <50251F03.4050400@kukulies.org>

Hi,

On 10 Aug 2012, at 15:47, Christoph P.U. Kukulies wrote:

> I have some machines in a company's network that are interconnected
> with a piece of coaxial cable (ethernet 10base2). This trunk goes through a
> switch that acts also as a media converter and connects to the Internet router.
>
> For a while now I'm having trouble with this 10base2 trunk

It might just be packets getting corrupted, just a few replies get back with address field corruption.

> and I dropped in another FreeBSD
> machine to move the services I'm running to the newer (9.0) machine.
> At the moment the two FreeBSD boxes (one 9.0, the other 5.1) are on the net.
> Both have a DIVERT kernel and act as gateways between the in house network and the Internet (natd).
>
> Now strange things happen:
> When I ping from the 9.0 machine to another machine (a Windows XP) in the network,
> I don't get an immediate response from the ping but after some, say 20s or so I get:
>
> (I prefer to not use the real addresses in the source or destination)
> forum2# ping 80.90.34.226
> forum2# tcpdump -i ed0 -l ip proto ICMP
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on ed0, link-type EN10MB (Ethernet), capture size 65535 bytes
> 16:15:06.748522 IP 80.90.34.228 > 129.82.138.44: ICMP echo reply, id 50777, seq 49408, length 8
>
> or:
>
> 16:15:06.748522 IP 80.90.34.228 > 129.82.138.44: ICMP echo reply, id 50777, seq 49408, length 8
> 16:17:01.920480 IP 80.90.34.228 > 203.178.148.19: ICMP echo reply, id 9061, seq 48393, length 8
> ^C
> 2 packets captured
> 473 packets received by filter
> 0 packets dropped by kernel
>
> Doing the same ping from the 5.1 box (pretty sure it hasn't got to do with the OS versions),
> gives an echo reply immediately from the target address I pinged.
>
> So why does there come an echo reply from machines on the net which seem to exist and
> even have names like pinger-j2.ant.isi.edu or pinger6.netsec.colostate.edu?
>
> Does there some packet redirection take place?
> --
> Christoph Kukulies

--
Bob Bishop          +44 (0)118 940 1243
rb@gid.co.uk    fax +44 (0)118 940 1295
             mobile +44 (0)783 626 4518
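
Added example, not part of the original message: one way to test the address-corruption suggestion in the reply above. The IPv4 header checksum covers the source and destination fields, so a destination altered after the sender computed the checksum no longer validates, while the ICMP checksum (which does not cover the addresses) still does. The sample packet is constructed from the first tcpdump line quoted above; the function names and the flipped bit are assumptions for illustration.

```python
import socket
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; returns 0 when data embeds a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo_reply(src: str, dst: str, ident: int, seq: int) -> bytes:
    """Constructed sample: 20-byte IPv4 header plus 8-byte ICMP echo reply."""
    icmp = struct.pack("!BBHHH", 0, 0, 0, ident, seq)
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + icmp

def inspect(packet: bytes) -> dict:
    """Validate both checksums of a raw IPv4/ICMP packet (no link-layer header)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or packet[9] != 1 or not ihl + 8 <= total_len <= len(packet):
        raise ValueError("not a complete ICMP-over-IPv4 packet")
    header, icmp = packet[:ihl], packet[ihl:total_len]  # drops Ethernet padding
    return {
        "src": socket.inet_ntoa(header[12:16]),
        "dst": socket.inet_ntoa(header[16:20]),
        "ip_header_ok": inet_checksum(header) == 0,
        "icmp_ok": inet_checksum(icmp) == 0,
    }

# Constructed from the first tcpdump line quoted above.
INTACT = build_echo_reply("80.90.34.228", "129.82.138.44", 50777, 49408)
# Same packet with one bit flipped in the destination address field (assumed damage).
DAMAGED = bytearray(INTACT)
DAMAGED[16] ^= 0x40
DAMAGED = bytes(DAMAGED)

if __name__ == "__main__":
    for name, pkt in (("intact", INTACT), ("damaged", DAMAGED)):
        print(name, inspect(pkt))
```

On a live capture, tcpdump -v reports the same IP header checksum verdict per packet. A frame damaged on the cable itself normally fails the Ethernet CRC and is discarded before tcpdump sees it.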