Date: Thu, 18 Jul 2002 16:12:25 -0400
From: "Will Mitayai Keeso Rowe" <mitayai@dreamlabs.com>
To: "'Jim Laurenson'" <j.laurenson@epicmail.ca>, "'Craig Miller'" <craig@millerfam.net>, "'freebsd-security'" <freebsd-security@freebsd.org>
Subject: RE: wierdness in my security report
Message-ID: <007901c22e97$771f13e0$6400a8c0@shadow>
In-Reply-To: <LJEFLBLMLGPNAJOOKOHLGEJLCDAA.j.laurenson@epicmail.ca>

MAC addresses are prefixed (usually) based on manufacturer.

I use http://www.coe.uky.edu/~stu/nic/nic.cfm to help me identify problem machines based on the MAC address... I usually know what cards are in what machines.

So... 00b064 is assigned to Cisco Systems, Inc.

Now, a caveat: MAC addresses can be spoofed. I used to do it with my cable provider (who assigned IP leases based on MAC address) all the time to make sure I got the same IP address assigned even though I plugged the cable into different machines.

-Mit

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Jim Laurenson
Sent: July 18, 2002 1:54 PM
To: Craig Miller; freebsd-security
Subject: RE: wierdness in my security report

I have found the same logs on one of my older builds (4.3 I think). The offending MAC address was found to be a Cisco router on my ISP's network. I found no solution for it though.

Jim Laurenson

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Craig Miller
Sent: July 18, 2002 11:47 AM
To: freebsd-security
Subject: wierdness in my security report

Anyone have any ideas as to what might be causing the following to appear in my security report?

arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
> Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
> arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
> Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0

I thought those : delimited fields would be MAC addresses, but they don't match the MAC addresses of either of the two cards in my free-bsd box. I have not checked the MAC addresses of the other network cards on my network.

Also, where does the "server /kernel" name come from? "kernel" is not the name I gave my kernel, so I am suspicious.

Thanks,
--Craig
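
Added example, not part of the original thread: a Python script that parses the "arp: ... moved from ... to ..." kernel messages quoted above, groups them by IP address and interface, and reports whether the address is flapping between MACs and whether those MACs share one manufacturer prefix. The function names are hypothetical, the OUI table holds only the one prefix identified in the thread, and the 192.0.2.1 log line is constructed for contrast.

```python
import re
from collections import defaultdict

# Constructed lookup table; the only entry is the prefix named in the thread.
OUI_VENDORS = {"00b064": "Cisco Systems, Inc."}

# Kernel message format as quoted in the thread's security report.
ARP_MOVED = re.compile(
    r"arp: (?P<ip>\d+(?:\.\d+){3}) moved from (?P<old>[0-9a-f:]{17}) "
    r"to (?P<new>[0-9a-f:]{17}) on (?P<ifc>\w+)", re.I)

SAMPLE = [
    # Lines from the thread.
    "arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0",
    "> Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0",
    "> arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0",
    "> Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0",
    # Constructed line: same IP answered by MACs with two different prefixes.
    "Jul 17 06:00:00 server /kernel: arp: 192.0.2.1 moved from 00:b0:64:00:00:01 to 02:00:00:00:00:01 on dc0",
]

def oui(mac):
    """First three octets of a MAC as six lowercase hex digits."""
    return mac.lower().replace(":", "")[:6]

def summarize(lines):
    """Group 'moved' events by (ip, interface) and classify each group."""
    groups = defaultdict(lambda: {"macs": set(), "moves": set()})
    for line in lines:
        m = ARP_MOVED.search(line)
        if not m:
            continue
        old, new = m["old"].lower(), m["new"].lower()
        g = groups[(m["ip"], m["ifc"])]
        g["macs"].update((old, new))
        g["moves"].add((old, new))  # set: the report repeats each event
    report = {}
    for key, g in groups.items():
        ouis = {oui(mac) for mac in g["macs"]}
        report[key] = {
            "macs": sorted(g["macs"]),
            "vendors": sorted(OUI_VENDORS.get(o, "unknown") for o in ouis),
            # A -> B and B -> A both seen: the IP alternates between two MACs.
            "flapping": any((b, a) in g["moves"] for a, b in g["moves"]),
            # The prefix is only a hint, since MAC addresses can be spoofed.
            "mixed_oui": len(ouis) > 1,
        }
    return report
```

Calling summarize(SAMPLE) returns one entry per (IP, interface) pair; the thread's 12.236.220.1 entry comes back as flapping between two MACs that share the Cisco prefix.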