在 Ubuntu 16.04 和 18.04 服务器上,在 /var/log/syslog 文件中,经常会出现如下的 Martian 源消息:
Aug 23 06:42:51 scilit-solr kernel: [5417098.171549] IPv4: martian source 255.255.255.255 from 192.168.0.239, on dev bond0
Aug 23 06:42:51 scilit-solr kernel: [5417098.171565] ll header: 00000000: ff ff ff ff ff ff 00 8e f2 4e 0e 67 08 00 .........N.g..
如何找出谁在尝试在子网上进行通信?我尝试运行:
sudo tcpdump -i bond0 host 192.168.0.239
并得到这个:
06:46:41.750645 ARP, Request who-has 192.168.0.239 tell 192.168.0.239, length 46
06:46:41.750790 ARP, Request who-has 192.168.0.239 tell 192.168.0.239, length 46
06:46:41.754853 ARP, Request who-has 192.168.0.239 tell 192.168.0.239, length 46
06:46:41.754981 ARP, Request who-has 192.168.0.239 tell 192.168.0.239, length 46
06:46:41.759720 IP 192.168.0.239.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:8e:f2:4e:0e:67 (oui Unknown), length 253
06:46:41.759865 IP 192.168.0.239.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:8e:f2:4e:0e:67 (oui Unknown), length 253
06:46:46.081698 IP 192.168.0.239.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:8e:f2:4e:0e:67 (oui Unknown), length 253
06:46:46.081836 IP 192.168.0.239.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:8e:f2:4e:0e:67 (oui Unknown), length 253
06:46:52.414603 IP 192.168.0.239.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:8e:f2:4e:0e:67 (oui Unknown), length 253
06:46:52.414749 IP 192.168.0.239.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:8e:f2:4e:0e:67 (oui Unknown), length 253
06:47:03.750032 IP 192.168.0.239.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:8e:f2:4e:0e:67 (oui Unknown), length 253
06:47:03.750170 IP 192.168.0.239.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:8e:f2:4e:0e:67 (oui Unknown), length 253
06:47:26.089927 IP 192.168.0.239.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:8e:f2:4e:0e:67 (oui Unknown), length 253
06:47:26.090082 IP 192.168.0.239.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:8e:f2:4e:0e:67 (oui Unknown), length 253
目标是识别经常发送 who-has 的设备并修复其 IP 和子网。
答案1
能够解决这个问题,虽然不是最好的方法,但结果还是有的。
我更改了其中一个接口的 IP 地址,并首先尝试了 SSH 登录,但没有成功。然后尝试了 curl,得到了一个页面,它是我们的 Netgear GS716Tv2 交换机,其默认配置了 IP 地址。我很快就会更改它,问题应该会解决。