Invalid ICMP error sent to a broadcast [linux box]

Q: I was browsing through my logs yesterday and came across the following lines. My ISP is Charter, and those IPs come back from the ARIN whois as belonging to ATT, so they are outside my network. I'm just curious what these errors are. I have googled and come up with conflicting answers. The box does NAT, if that makes a difference. I deleted the last octet.

Sep  2 11:46:49 john kernel: 12.123.196.xxx sent an invalid ICMP error to a broadcast.
Sep  2 11:46:55 john kernel: 12.122.12.xx sent an invalid ICMP error to a broadcast.
Sep  2 11:47:01 john kernel: 12.122.12.xx sent an invalid ICMP error to a broadcast.
Sep  2 11:47:36 john nagios: Auto-save of retention data completed successfully.
Sep  2 11:47:39 john kernel: 12.125.74.xx sent an invalid ICMP error to a broadcast.
Sep  2 11:47:45 john kernel: 12.122.12.xx sent an invalid ICMP error to a broadcast.


Re:We got some NAS equipment in that does that all the time; I never looked at the entire frame either.

If it's still doing it at work tomorrow I'll try to post some tcpdump output for ya to look at.


Re:Originally posted by: guy
I'd like to see the entire frame. Never heard of this before and I'm what you would call an ICMP expert.

It shouldn't actually be a broadcast destination address 'cause the router wouldn't forward them unless really fubarred in configuration. Can you tell the ICMP type and code and post the entire frame? Hex would be fine, as I can read it just fine.

<—built in spidey snorter sniffer :)

I'd love to share it with you, but sadly I don't think I have it unless the kernel logs them somewhere I don't know about or something :) I'm going to work this afternoon on getting snort running though so I can capture neat things that happen :D



Re:Originally posted by: guy
Those are the only entries I have with this actually. I've installed snort, I just haven't had a chance to set it up and play with it yet.

Actually, to hell with hiding the IPs; it's not like they're not public to begin with. Here's an nslookup for them.

Name: gar1-p3100.dlrtx.ip.att.net
Address: 12.123.196.101

Name: gbr1-p70.dlstx.ip.att.net
Address: 12.122.12.78

can't find 12.125.74.69: Non-existent host/domain

Name: ggr1-p380.dlstx.ip.att.net
Address: 12.122.12.94

If I keep seeing this I will fire up snort or tcpdump to do some capturing. Since this was over 24 hours ago, though, I'm guessing it's done. Would you just say something is misconfigured? I can't make anything out of those names :)

If you only see a couple of them, and nothing seems to be wrong, I would definitely say fluke. Whether that is a misconfiguration or what I can't say with any real certainty, but that's what I would chalk it up to ;)



Re:Do an nslookup on the IPs. If they look like they are client connections (someone on ATT's cable network) it's probably a misconfigured piece of software/hardware. You could also try running snort or tcpdump looking for those IP addresses to get a better feel of what's coming across the wire. Ethereal is a great program to decode packets you pick up in tcpdump too ;)
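Before firing up tcpdump, the syslog itself answers the "fluke or steady stream" question raised above. The following is an added Python example (not from anyone in this thread) that parses the kernel warning quoted in the question, groups hits per source address and flags bursts; the sample lines are constructed to mirror the post, with the hostname and the addresses taken from the nslookup output, and the burst threshold and window are arbitrary choices.

```python
import re
from collections import defaultdict
from datetime import datetime

# The 2.4-era Linux kernel warning quoted in the thread, as syslog writes it:
# "<Mon> <day> <hh:mm:ss> <host> kernel: <src> sent an invalid ICMP error to a broadcast."
KERNEL_MSG = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+kernel:\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) sent an invalid ICMP error to a broadcast\.?$"
)

def parse_events(lines, year=2003):
    """Return (timestamp, host, src_ip) for each matching line; syslog omits the year, so it is supplied."""
    events = []
    for line in lines:
        m = KERNEL_MSG.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["host"], m["src"]))
    return events

def summarize(events, burst_threshold=3, window_seconds=300):
    """Per source IP: hit count, first/last seen, and whether `burst_threshold` hits fell within `window_seconds`.
    A couple of stray hits is the 'fluke' the thread settles on; a steady stream from one source is worth a capture."""
    by_src = defaultdict(list)
    for ts, _host, src in events:
        by_src[src].append(ts)
    report = {}
    for src, stamps in by_src.items():
        stamps.sort()
        burst = any(
            (stamps[i + burst_threshold - 1] - stamps[i]).total_seconds() <= window_seconds
            for i in range(len(stamps) - burst_threshold + 1)
        )
        report[src] = {"count": len(stamps), "first": stamps[0], "last": stamps[-1], "burst": burst}
    return report

# Constructed sample input modelled on the post (hostname and addresses taken from the thread).
SAMPLE_LOG = """\
Sep  2 11:46:49 john kernel: 12.123.196.101 sent an invalid ICMP error to a broadcast.
Sep  2 11:46:55 john kernel: 12.122.12.78 sent an invalid ICMP error to a broadcast.
Sep  2 11:47:01 john kernel: 12.122.12.78 sent an invalid ICMP error to a broadcast.
Sep  2 11:47:36 john nagios: Auto-save of retention data completed successfully.
Sep  2 11:47:39 john kernel: 12.125.74.69 sent an invalid ICMP error to a broadcast.
Sep  2 11:47:45 john kernel: 12.122.12.94 sent an invalid ICMP error to a broadcast.
""".splitlines()

if __name__ == "__main__":
    for src, info in summarize(parse_events(SAMPLE_LOG)).items():
        print(f"{src:15} hits={info['count']} {info['first']:%H:%M:%S}..{info['last']:%H:%M:%S} burst={info['burst']}")
```

Feed it the real file with `parse_events(open("/var/log/messages"))`; only sources that trip the burst flag need the tcpdump/snort capture the thread recommends.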
