[CentOS] OT: what are all these probes from my firewall log????

Fri Aug 17 06:09:47 UTC 2012
John R Pierce <pierce at hogranch.com>

On 08/16/12 9:24 PM, Bobby wrote:
> On 08/17/2012 12:20 AM, John R Pierce wrote:
>
>> >the MAC address prefix on that DHCP thing is 00:23:EB which is
>> >Cisco...   and yes, ISP's frequently use private IP space for internal
>> >gateway networks.   they aren't routable on the public internet, they
>> >don't have to be, they are just used for routes within the ISP's WAN.
> Yup looks like the ISP is checking to see who's on.


you might just try something like...

     tcpdump -i eth0 -w udpdump.txt udp port 67 or udp port 68

and let that run for a few minutes, long enough to capture a few of 
these packets, then ctl-C it, and take that dumpfile and load it into 
wireshark (can do that on any system wireshark runs on) and see what it 
decodes the dhcp packets to actually be.

for instance, this is a DHCP 'renew' request (from the LAN side of my 
gateway)...

# tcpdump -i eth1 -vvv -n udp port 67 or udp port 68
tcpdump: listening on eth1
21:46:46.009596 192.168.0.136.bootpc > 192.168.0.1.bootps: 
xid:0x9fb275f6 C:192.168.0.136 [|bootp] (ttl 128, id 31970, len 339)
21:46:46.013544 192.168.0.1.bootps > 192.168.0.136.bootpc: 
xid:0x9fb275f6 C:192.168.0.136 Y:192.168.0.136 S:192.168.0.1 [|bootp] 
(ttl 64, id 16362, len 328)

2 packets received by filter
0 packets dropped by kernel


wireshark will do a much better job explaining the packets than tcpdump 
does.



-- 
john r pierce                            N 37, W 122
santa cruz ca                         mid-left coast