[Firehol-support] Re: DHCP Log Messages - Please HELP!

cougar c0ugar7i8 at comcast.net
Thu Aug 25 02:51:48 BST 2005


On Aug 24, 2005, at 20:57 PM, Daniel Pittman wrote:

> cougar <c0ugar7i8 at comcast.net> writes:
>
>> On Aug 24, 2005, at 02:22 AM, Daniel Pittman wrote:
>>
>>> cougar <c0ugar7i8 at comcast.net> writes:
>>>
>>>> On Aug 23, 2005, at 23:43 PM, Daniel Pittman wrote:
>>>>
>>>>> cougar <c0ugar7i8 at comcast.net> writes:
>>>>>
>>>>>>> cougar <c0ugar7i8 at comcast.net> writes:
>>>>>>>
>
> [...]
>
>
>> Now I get messages like this...
>>
>
> Have you actually tried researching what those are yourself?
>
> Just in case, here is a quick primer on how to do it:
>
>
>> Aug 24 13:37:10 mercury IN-world: IN=eth1 OUT= MAC= SRC=68.45.214.101
>> DST=68.45.215.255 LEN=236 TOS=00 PREC=0x00 TTL=64 ID=230 DF PROTO=UDP
>> SPT=138 DPT=138 LEN=216
>>
>
> The 'SPT' and 'DPT' tell you which ports are involved.
>
> Usually, only the 'DPT' is meaningful, since the SPT is randomly
> assigned somewhere up in the 32,000+ range.
>
> Anyway, take the DPT number (138, in this case) and search the
> /etc/services file for it:
>
> ] egrep '\<138/' /etc/services
> netbios-dgm    138/tcp                # NETBIOS Datagram Service
> netbios-dgm    138/udp
>
> Then, apply Google to the protocol in question, to find out what it is
> and if you should care.
>
> Hint:  this is someone broadcasting a Windows networking packet.

Hehe. No, I was wondering why I am seeing these messages now that I'm
using 'client dhcp accept'. It is almost like stopping one set of
replies unmasked another series of replies.

I'm getting a lot of weird requests or contact on eth1.

Like this one that just came in...

Aug 24 21:35:53 mercury IN-world: IN=eth1 OUT=  
MAC=00:10:5a:a4:58:62:00:01:5c:22:31:c2:08:00  SRC=218.92.11.40  
DST=68.45.214.101 LEN=518 TOS=00 PREC=0x20 TTL=40 ID=0 DF PROTO=UDP  
SPT=32897 DPT=1026 LEN=498
Aug 24 21:35:53 mercury IN-world: IN=eth1 OUT=  
MAC=00:10:5a:a4:58:62:00:01:5c:22:31:c2:08:00  SRC=218.92.11.40  
DST=68.45.214.101 LEN=518 TOS=00 PREC=0x20 TTL=40 ID=0 DF PROTO=UDP  
SPT=32897 DPT=1027 LEN=498

So did this...

Aug 24 21:45:22 mercury IN-world: IN=eth1 OUT=  
MAC=00:10:5a:a4:58:62:00:01:5c:22:31:c2:08:00  SRC=70.85.178.66  
DST=68.45.214.101 LEN=478 TOS=00 PREC=0x20 TTL=46 ID=0 DF PROTO=UDP  
SPT=35343 DPT=1026 LEN=458
Aug 24 21:48:27 mercury IN-world: IN=eth1 OUT=  
MAC=00:10:5a:a4:58:62:00:01:5c:22:31:c2:08:00  SRC=218.92.11.43  
DST=68.45.214.101 LEN=518 TOS=00 PREC=0x20 TTL=39 ID=0 DF PROTO=UDP  
SPT=33003 DPT=1026 LEN=498

Looks like someone is trying to port scan me or contact me on that  
port. And that port seems to be associated with Windows Messenger  
service used by Pop-ups or something.

So, Daniel, accepting the dhcp service is allowing me to see these  
messages above. That would be my assumption.

>
> The suggested changes to the firewall shouldn't have caused name
> resolution to fail.  Take a look at your resolver setup, etc.

No, I just mean that it failed.

Rick
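
The lookup described in the quoted primer (take PROTO and DPT from each log line and search /etc/services), applied to the log lines in this thread. This is an added example, not part of either message; the function names are my own and the services table is a constructed excerpt, so a port missing from it only means it is missing from the excerpt.

```python
import re
from collections import Counter

# Constructed excerpt in /etc/services format (netbios-dgm lines as quoted in the thread).
SERVICES = """\
bootpc         68/udp
netbios-dgm    138/tcp                # NETBIOS Datagram Service
netbios-dgm    138/udp
"""

# Log lines copied from the thread, with the e-mail line wrapping undone.
LOG = """\
Aug 24 13:37:10 mercury IN-world: IN=eth1 OUT= MAC= SRC=68.45.214.101 DST=68.45.215.255 LEN=236 TOS=00 PREC=0x00 TTL=64 ID=230 DF PROTO=UDP SPT=138 DPT=138 LEN=216
Aug 24 21:35:53 mercury IN-world: IN=eth1 OUT= MAC=00:10:5a:a4:58:62:00:01:5c:22:31:c2:08:00 SRC=218.92.11.40 DST=68.45.214.101 LEN=518 TOS=00 PREC=0x20 TTL=40 ID=0 DF PROTO=UDP SPT=32897 DPT=1026 LEN=498
Aug 24 21:35:53 mercury IN-world: IN=eth1 OUT= MAC=00:10:5a:a4:58:62:00:01:5c:22:31:c2:08:00 SRC=218.92.11.40 DST=68.45.214.101 LEN=518 TOS=00 PREC=0x20 TTL=40 ID=0 DF PROTO=UDP SPT=32897 DPT=1027 LEN=498
Aug 24 21:45:22 mercury IN-world: IN=eth1 OUT= MAC=00:10:5a:a4:58:62:00:01:5c:22:31:c2:08:00 SRC=70.85.178.66 DST=68.45.214.101 LEN=478 TOS=00 PREC=0x20 TTL=46 ID=0 DF PROTO=UDP SPT=35343 DPT=1026 LEN=458
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")  # KEY=value; value may be empty (OUT=, MAC=)

def load_services(text):
    """Map (port, proto) -> service name, skipping comments and blank lines."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and "/" in fields[1]:
            port, proto = fields[1].split("/", 1)
            table[(int(port), proto.lower())] = fields[0]
    return table

def parse_log_line(line):
    """Return the KEY=value fields of one netfilter LOG line; bare flags like DF are ignored."""
    fields = {}
    for key, value in FIELD.findall(line):
        fields.setdefault(key, value)  # LEN appears twice; keep the first (IP length)
    return fields

def summarize(log_text, services):
    """Count hits per (proto, destination port); service name is None if not in the table."""
    hits = Counter()
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if "DPT" in f and "PROTO" in f:  # e.g. ICMP entries carry no DPT
            hits[(f["PROTO"].lower(), int(f["DPT"]))] += 1
    return [(proto, port, n, services.get((port, proto)))
            for (proto, port), n in sorted(hits.items())]

if __name__ == "__main__":
    for proto, port, count, name in summarize(LOG, load_services(SERVICES)):
        print(f"{port}/{proto}: {count} hit(s), service={name or 'not listed'}")
```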




