
The Geek Diary


Why Does “/var/log/messages” Report Martian Packets

by admin

There are entries in the /var/log/messages file as shown below:

# tailf /var/log/messages
Aug 22 11:08:21 server kernel: martian source 192.168.12.197 from 192.168.12.198, on dev eth0
Aug 22 11:08:21 server kernel: ll header: 08:00:00:00:45:00:01:00:00:00:40:00:40:11:9f:11:c0:a8:0c:c6:c0:a8:0c:c5
Aug 22 11:08:22 server kernel: martian source 192.168.12.192 from 192.168.12.198, on dev eth0
Aug 22 11:08:22 server kernel: ll header: 08:00:00:00:45:00:00:6c:00:00:40:00:40:11:9f:aa:c0:a8:0c:c6:c0:a8:0c:c0
Aug 22 12:11:27 server kernel: martian source 192.168.12.192 from 192.168.12.198, on dev eth0
Aug 22 12:11:27 server kernel: ll header: 08:00:00:00:45:00:01:00:00:00:40:00:40:11:9f:16:c0:a8:0c:c6:c0:a8:0c:c0

What Is A Martian Packet?

The IANA defines a martian packet as one that arrives on an interface which does not use the packet's network. On Linux, it is any packet that arrives on an interface which is not configured for that subnet in any way. Any martian packet notice should be investigated. Martian packets:

  • Are frequently used in intrusion attempts.
  • May be a symptom of a misconfigured server elsewhere on the network.
  • May indicate a network infrastructure issue.

Reading a Martian Message

A martian source message is laid out as follows:

kernel: martian source [destination IP] from [source IP], on dev [interface packet arrived on]
kernel: ll header: [destination MAC address]:[source MAC address]:[ethertype]  (for ethernet)

For example, given the message:

kernel: martian source 192.168.0.1 from 192.168.0.255, on dev eth0
kernel: ll header: ff:ff:ff:ff:ff:ff:00:12:34:00:ab:cd:08:00

Here,
Destination IP: 192.168.0.1
Source IP: 192.168.0.255
Incoming interface: eth0
Destination MAC: ff:ff:ff:ff:ff:ff
Source MAC: 00:12:34:00:ab:cd
Ethertype: 0x0800 (IPv4)
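
The breakdown above can be automated when reviewing a large log. The following Python sketch is an added example, not code from the original article: it pairs each "martian source" line with its "ll header" line, decodes the Ethernet fields, and flags a source address that is multicast or the subnet broadcast. The function names and the local_net parameter are assumptions made for illustration.

```python
import re
from ipaddress import ip_address, ip_network

MARTIAN_RE = re.compile(r"martian source (\S+) from ([^,\s]+), on dev (\S+)")
LL_RE = re.compile(r"ll header: ((?:[0-9a-fA-F]{2}:)+[0-9a-fA-F]{2})")

def classify_source(src, local_net=None):
    """Flag source addresses that no host should be sending from."""
    addr, flags = ip_address(src), []
    if addr.is_multicast:
        flags.append("multicast")
    # local_net is a hypothetical parameter: the subnet configured on the interface.
    if local_net and addr == ip_network(local_net).broadcast_address:
        flags.append("broadcast")
    return flags

def parse_martians(lines, local_net=None):
    """Pair each 'martian source' line with the 'll header' line after it."""
    events, current = [], None
    for line in lines:
        m = MARTIAN_RE.search(line)
        if m:
            dst, src, dev = m.groups()
            current = {"dst_ip": dst, "src_ip": src, "dev": dev,
                       "dst_mac": None, "src_mac": None, "ethertype": None,
                       "ll_raw": None, "src_flags": classify_source(src, local_net)}
            events.append(current)
            continue
        h = LL_RE.search(line)
        if h and current is not None:
            octets = h.group(1).lower().split(":")
            current["ll_raw"] = ":".join(octets)
            # Only 14 bytes fit the Ethernet layout (6 + 6 + 2); other link
            # types are kept raw instead of being mis-decoded.
            if len(octets) == 14:
                current["dst_mac"] = ":".join(octets[:6])
                current["src_mac"] = ":".join(octets[6:12])
                current["ethertype"] = "0x" + "".join(octets[12:])
            current = None
    return events

# Sample input: message text from the article, timestamp prefix constructed.
SAMPLE = [
    "Aug 22 11:08:20 server kernel: martian source 192.168.0.1 from 192.168.0.255, on dev eth0",
    "Aug 22 11:08:20 server kernel: ll header: ff:ff:ff:ff:ff:ff:00:12:34:00:ab:cd:08:00",
    "Aug 22 11:08:21 server kernel: martian source 192.168.12.197 from 192.168.12.198, on dev eth0",
    "Aug 22 11:08:21 server kernel: ll header: 08:00:00:00:45:00:01:00:00:00:40:00:40:11:9f:11:c0:a8:0c:c6:c0:a8:0c:c5",
]

if __name__ == "__main__":
    for event in parse_martians(SAMPLE, local_net="192.168.0.0/24"):
        print(event)
```

The second sample header is 24 bytes long, so it does not fit the Ethernet layout and is returned undecoded in ll_raw.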

Enabling Martian Messages

If configuration items in your /etc/sysctl.conf file have disabled martian message logging, they should be enabled and the sysctl program should be rerun. Some sample entries to check are:

# vi /etc/sysctl.conf
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
net.ipv4.conf.bondib0.log_martians=1

Conclusion

Martian source messages may indicate an issue with the network environment. You may wish to verify that:

  • There are no layer 2 loops in the network: if the host sends a packet and then receives a copy of this packet back from the network, it will be logged as a martian.
  • No hosts are transmitting traffic with a source IP which should not be used, such as a multicast or broadcast IP.
  • The network addressing on all systems in the subnet is applied correctly and is valid: all hosts should have a valid IP address and the correct subnet mask (aka network prefix).

Filed Under: CentOS/RHEL 6, CentOS/RHEL 7, Linux


© 2023 · The Geek Diary
