Re: Solaris 7 installation is sending 127.0.0.0/8 addresses on the ethernet network...

On Wed, Nov 27, 2002 at 04:18:12PM -0500, Matt Harris wrote:
> Check your arp tables and see if there's a mac address associated with
> 127.0.0.75, and ifso, then what. That's a good starting point. Not
> much else to say without more information or knowledge of a specific
> issue which would cause that (I'm not aware of any at this point). I
> also noted that it said the packet was of type IPv6. Maybe an IPv6 src
> addr was incorrectly interpreted by the kernel ip stack to be 127.0.0.75
> based upon it's binary value or somesuch (just an off-the-wall guess,
> I'm probably entirely on the wrong track here, as I did not write the ip
> stack for Solaris)? Very odd indeed. Are you in promiscuous mode on a
> hub/spanning port, or is this actually a broadcast to the subnet that
> you're on, or what?

I grabbed the pcap output from our IDS that is sitting on a SPAN port. I've read the other replies that indicate that it's something wrong with the routing on the system itself, but as you can see from the ethereal dump the Sun system emits traffic with the source IP of 127.0.0.0/8, not the destination. Any other suggestions?

Best regards
 Michael Boman

-- 
Michael Boman
Security Architect, SecureCiRT (A SBU of Z-Vance Pte Ltd)
http://www.securecirt.com