The Geek Diary

Why Does “/var/log/messages” Report Martian Packets

By admin

There are entries in the /var/log/messages file as shown below:

# tailf /var/log/messages
Aug 22 11:08:21 server kernel: martian source 192.168.12.197 from 192.168.12.198, on dev eth0
Aug 22 11:08:21 server kernel: ll header: 08:00:00:00:45:00:01:00:00:00:40:00:40:11:9f:11:c0:a8:0c:c6:c0:a8:0c:c5
Aug 22 11:08:22 server kernel: martian source 192.168.12.192 from 192.168.12.198, on dev eth0
Aug 22 11:08:22 server kernel: ll header: 08:00:00:00:45:00:00:6c:00:00:40:00:40:11:9f:aa:c0:a8:0c:c6:c0:a8:0c:c0
Aug 22 12:11:27 server kernel: martian source 192.168.12.192 from 192.168.12.198, on dev eth0
Aug 22 12:11:27 server kernel: ll header: 08:00:00:00:45:00:01:00:00:00:40:00:40:11:9f:16:c0:a8:0c:c6:c0:a8:0c:c0

What Is A Martian Packet?

The IANA defines a martian packet as one which arrives on an interface that does not use that network. For Linux, it is any packet that arrives on an interface which is not configured for that subnet in any way. Any martian packet notice should be investigated. Martian packets:

  • Are frequently used in intrusion attempts.
  • May be a symptom of a misconfigured server elsewhere on the network.
  • May indicate a network infrastructure issue.

Reading a Martian Message

A martian source message is laid out as follows:

kernel: martian source [destination IP] from [source IP], on dev [interface packet arrived on]
kernel: ll header: [destination MAC address]:[source MAC address]:[ethertype]  (for ethernet)

For example, given the message:

kernel: martian source 192.168.0.1 from 192.168.0.255, on dev eth0
kernel: ll header: ff:ff:ff:ff:ff:ff:00:12:34:00:ab:cd:08:00

Here,
Destination IP: 192.168.0.1
Source IP: 192.168.0.255
Incoming interface: eth0
Destination MAC: ff:ff:ff:ff:ff:ff
Source MAC: 00:12:34:00:ab:cd
Ethertype: 0x0800 (IPv4)
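
The field layout above can be applied mechanically when triaging many log entries. The following is an added example, not code from the original article: the function name parse_martians and the local_net parameter (the subnet assumed for the receiving interface) are hypothetical. A link-layer header that is not 14 bytes long is kept raw rather than decoded as Ethernet.

```python
import ipaddress
import re

# Kernel message layout as described on this page.
MARTIAN = re.compile(r"martian source (\S+) from (\S+), on dev (\S+)")
LL_HDR = re.compile(r"ll header: ([0-9a-fA-F:]+)")

def parse_martians(lines, local_net="192.168.0.0/24"):
    """Pair each 'martian source' line with the 'll header' line that follows.

    local_net is an assumed subnet for the receiving interface; it is only
    used to recognise that subnet's broadcast address as a source.
    """
    net = ipaddress.ip_network(local_net)
    events, current = [], None
    for line in lines:
        m = MARTIAN.search(line)
        if m:
            src = ipaddress.ip_address(m.group(2))
            if src.is_multicast:
                kind = "multicast"
            elif src == net.broadcast_address or str(src) == "255.255.255.255":
                kind = "broadcast"
            else:
                kind = "unicast"
            current = {"dst_ip": m.group(1), "src_ip": str(src),
                       "dev": m.group(3), "src_kind": kind}
            events.append(current)
            continue
        h = LL_HDR.search(line)
        if h and current is not None:
            octets = h.group(1).lower().split(":")
            if len(octets) == 14:  # Ethernet: 6 dst MAC + 6 src MAC + 2 ethertype
                current["dst_mac"] = ":".join(octets[0:6])
                current["src_mac"] = ":".join(octets[6:12])
                current["ethertype"] = "0x" + "".join(octets[12:14])
            else:  # not an Ethernet-sized header: keep raw, do not guess
                current["ll_raw"] = h.group(1)
            current = None
    return events

# Sample input: the two example lines from this page.
SAMPLE = [
    "kernel: martian source 192.168.0.1 from 192.168.0.255, on dev eth0",
    "kernel: ll header: ff:ff:ff:ff:ff:ff:00:12:34:00:ab:cd:08:00",
]

if __name__ == "__main__":
    for event in parse_martians(SAMPLE):
        print(event)
```

A source classified as broadcast or multicast points at a host transmitting with an address that should never appear as a source, while a unicast source from an unexpected subnet points at addressing or routing problems.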

Enabling Martian Messages

If configuration items in your /etc/sysctl.conf file have disabled martian message logging, they should be enabled and the sysctl program should be rerun. Some sample entries to check are:

# vi /etc/sysctl.conf
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
net.ipv4.conf.bondib0.log_martians=1

Conclusion

Martian source messages may indicate an issue with the network environment. You may wish to verify that:

  • There are no layer 2 loops in the network: if the host sends a packet and then receives a copy of this packet back from the network, it will be logged as a martian.
  • There are no hosts transmitting traffic with a source IP which should not be used, such as a multicast or broadcast IP.
  • The network addressing on all systems in the subnet is applied correctly and is valid: all hosts should have a valid IP address and the correct subnet mask (aka network prefix).

Filed Under: CentOS/RHEL 6, CentOS/RHEL 7, Linux

© 2021 · The Geek Diary