Why Does “/var/log/messages” Report Martian Packets

By admin

There are entries in the /var/log/messages file as shown below:

# tailf /var/log/messages
Aug 22 11:08:21 server kernel: martian source 192.168.12.197 from 192.168.12.198, on dev eth0
Aug 22 11:08:21 server kernel: ll header: 08:00:00:00:45:00:01:00:00:00:40:00:40:11:9f:11:c0:a8:0c:c6:c0:a8:0c:c5
Aug 22 11:08:22 server kernel: martian source 192.168.12.192 from 192.168.12.198, on dev eth0
Aug 22 11:08:22 server kernel: ll header: 08:00:00:00:45:00:00:6c:00:00:40:00:40:11:9f:aa:c0:a8:0c:c6:c0:a8:0c:c0
Aug 22 12:11:27 server kernel: martian source 192.168.12.192 from 192.168.12.198, on dev eth0
Aug 22 12:11:27 server kernel: ll header: 08:00:00:00:45:00:01:00:00:00:40:00:40:11:9f:16:c0:a8:0c:c6:c0:a8:0c:c0

What Is A Martian Packet?

The IANA defines a Martian packet as one that arrives on an interface whose network it does not belong to. For Linux, it is any packet that arrives on an interface which is not configured for that source or destination subnet in any way. Every martian packet notice should be investigated. Martian packets:

  • Are frequently associated with intrusion attempts.
  • May be a symptom of a misconfigured server elsewhere on the network.
  • May indicate a network infrastructure issue.

Reading a Martian Message

A martian source message is laid out as follows:

kernel: martian source [destination IP] from [source IP], on dev [interface packet arrived on]
kernel: ll header: [destination MAC address]:[source MAC address]:[ethertype]  (link-layer header; this layout is for Ethernet)

For example, given the message:

kernel: martian source 192.168.0.1 from 192.168.0.255, on dev eth0
kernel: ll header: ff:ff:ff:ff:ff:ff:00:12:34:00:ab:cd:08:00

Here:

  • Destination IP: 192.168.0.1
  • Source IP: 192.168.0.255
  • Incoming interface: eth0
  • Destination MAC: ff:ff:ff:ff:ff:ff
  • Source MAC: 00:12:34:00:ab:cd
  • Ethertype: 0x0800 (IPv4)
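As an added example (not part of the article), a small Python parser that pairs each "martian source" line with the "ll header" line that follows it, decodes a plain 14-octet Ethernet header into the fields listed above, and returns hints about the usual causes (non-unicast source, broadcast frame, subnet network/broadcast address as source). The SAMPLE_LOG lines are constructed from the page's examples, and the optional subnet argument is an assumption supplied by the caller; longer ll headers such as the 23-octet ones at the top of the page are kept raw rather than decoded.

```python
import ipaddress
import re
from typing import List

MARTIAN_RE = re.compile(r"martian source (?P<dst>\S+) from (?P<src>\S+), on dev (?P<dev>\S+)")
LL_HDR_RE = re.compile(r"ll header: (?P<hdr>[0-9a-f]{2}(?::[0-9a-f]{2})+)")

def decode_ll_header(hdr: str) -> dict:
    """Split a plain 14-octet Ethernet header; longer headers are kept raw only."""
    octets = hdr.split(":")
    out = {"ll_header": hdr, "dst_mac": None, "src_mac": None, "ethertype": None}
    if len(octets) == 14:
        out.update(dst_mac=":".join(octets[:6]), src_mac=":".join(octets[6:12]),
                   ethertype=int(octets[12] + octets[13], 16))
    return out

def parse_martians(lines) -> List[dict]:
    """Pair each 'martian source' line with the 'll header' line that follows it."""
    entries: List[dict] = []
    for line in lines:
        m = MARTIAN_RE.search(line)
        if m:
            entries.append({"dst_ip": m["dst"], "src_ip": m["src"], "dev": m["dev"], "ll_header": None})
            continue
        h = LL_HDR_RE.search(line)
        if h and entries and entries[-1]["ll_header"] is None:
            entries[-1].update(decode_ll_header(h["hdr"]))
    return entries

def flags(entry: dict, subnet: str = "") -> List[str]:
    """Hints about why the kernel rejected the packet; subnet (e.g. 192.168.0.0/24) is optional."""
    src = ipaddress.ip_address(entry["src_ip"])
    hints = []
    if src.is_multicast or src.is_loopback or src.is_unspecified or src.is_reserved:
        hints.append("source is a reserved/non-unicast address")
    if entry.get("dst_mac") == "ff:ff:ff:ff:ff:ff":
        hints.append("layer-2 broadcast frame")
    if subnet:  # caller-supplied assumption about the interface's subnet
        net = ipaddress.ip_network(subnet)
        if src in (net.network_address, net.broadcast_address):
            hints.append("source is the subnet network/broadcast address")
    return hints

# Constructed sample: the article's worked example plus one of the longer ll headers from the top of the page.
SAMPLE_LOG = [
    "Aug 22 11:08:21 server kernel: martian source 192.168.0.1 from 192.168.0.255, on dev eth0",
    "Aug 22 11:08:21 server kernel: ll header: ff:ff:ff:ff:ff:ff:00:12:34:00:ab:cd:08:00",
    "Aug 22 11:08:22 server kernel: martian source 192.168.12.197 from 192.168.12.198, on dev eth0",
    "Aug 22 11:08:22 server kernel: ll header: 08:00:00:00:45:00:01:00:00:00:40:00:40:11:9f:11:c0:a8:0c:c6:c0:a8:0c:c5",
]
```

Feed it the output of `grep martian /var/log/messages -A1` and pass the interface's subnet to `flags()` to see which entries point at a broadcast or network address used as a source.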

Enabling Martian Messages

If configuration items in your /etc/sysctl.conf file have disabled martian message logging, they should be enabled and the settings reapplied with `sysctl -p`. The kernel uses the larger of the `all` and per-interface log_martians values, so setting `net.ipv4.conf.all.log_martians=1` enables logging on every interface. Some sample entries to check are (bondib0 is the name of one interface on this host):

# vi /etc/sysctl.conf
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
net.ipv4.conf.bondib0.log_martians=1

Conclusion

Martian source messages may indicate an issue with the network environment. You may wish to verify that:

  • There are no layer 2 loops in the network: if the host sends a packet and then receives a copy of that packet back from the network, the copy is logged as a martian.
  • No host is transmitting traffic with a source IP that should never be used as a source, such as a multicast or broadcast address.
  • The network addressing on all systems in the subnet is applied correctly and is valid: every host should have a valid IP address and the correct subnet mask (network prefix).

Filed Under: CentOS/RHEL 6, CentOS/RHEL 7, Linux

© 2019 · The Geek Diary