The Geek Diary

Why Does “/var/log/messages” Report Martian Packets

by admin

There are entries in the /var/log/messages file as shown below:

# tailf /var/log/messages
Aug 22 11:08:21 server kernel: martian source 192.168.12.197 from 192.168.12.198, on dev eth0
Aug 22 11:08:21 server kernel: ll header: 08:00:00:00:45:00:01:00:00:00:40:00:40:11:9f:11:c0:a8:0c:c6:c0:a8:0c:c5
Aug 22 11:08:22 server kernel: martian source 192.168.12.192 from 192.168.12.198, on dev eth0
Aug 22 11:08:22 server kernel: ll header: 08:00:00:00:45:00:00:6c:00:00:40:00:40:11:9f:aa:c0:a8:0c:c6:c0:a8:0c:c0
Aug 22 12:11:27 server kernel: martian source 192.168.12.192 from 192.168.12.198, on dev eth0
Aug 22 12:11:27 server kernel: ll header: 08:00:00:00:45:00:01:00:00:00:40:00:40:11:9f:16:c0:a8:0c:c6:c0:a8:0c:c0

What Is A Martian Packet?

A Martian packet, in the traditional sense of RFC 1812, is an IP packet whose source or destination address is one that should never legitimately appear on the wire (a reserved, unassigned or otherwise unroutable address). Linux uses the term a little more broadly: the kernel logs "martian source" when a packet's source address fails the reverse-path check (rp_filter), that is, when a reply to that source would not leave through the interface the packet arrived on, and also when the source is an address that can never be valid for an incoming packet, such as a loopback, zero-network or broadcast address. Either way, the packet is dropped; with log_martians enabled it is also rate-limited into the kernel log. Every martian notice deserves a look, because martian packets:

  • May be spoofed. A forged source address is a standard ingredient of attacks, and the reverse-path check that produced the message is exactly the anti-spoofing control that caught it.
  • May be a symptom of a misconfigured server elsewhere on the network (wrong IP address or subnet mask).
  • May indicate a network infrastructure issue (layer 2 loop, misplaced VLAN, asymmetric routing).

Reading a Martian Message

A martian source message is always a pair of lines. Note that the first IP address printed is the destination and the second is the source, which is easy to read the wrong way round:

kernel: martian source [destination IP] from [source IP], on dev [interface packet arrived on]
kernel: ll header: [destination MAC address]:[source MAC address]:[ethertype]  (for Ethernet, a 14-byte header)

The second line is a raw hex dump of the link-layer header as the driver presented it. The layout above only holds for Ethernet interfaces. In the log excerpt at the top of this page the dumped header is 24 bytes and begins 08:00:00:00 followed by what is recognisably an IPv4 header (45 00 ...), so that interface is not using a 14-byte Ethernet header and the bytes must be decoded according to the link type in use (for example, IP over InfiniBand carries a 4-byte encapsulation header consisting of the ethertype and two reserved bytes).

For example, given the message:

kernel: martian source 192.168.0.1 from 192.168.0.255, on dev eth0
kernel: ll header: ff:ff:ff:ff:ff:ff:00:12:34:00:ab:cd:08:00

Here,
Destination IP: 192.168.0.1
Source IP: 192.168.0.255
Incoming interface: eth0
Destination MAC: ff:ff:ff:ff:ff:ff
Source MAC: 00:12:34:00:ab:cd
Ethertype: 0x0800 (IPv4)
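To make the decoding above repeatable, here is a small parser that pairs each "martian source" line with the "ll header" line that follows it and decodes the header only when it really is a 14-byte Ethernet header. This is an added example, not code from the original article; the sample log text is constructed from the two entries already shown on this page, and the `Martian` class and `parse_martians` function are names chosen for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the Ethernet pair is the worked example above, the second
# pair copies the first entry of the /var/log/messages excerpt at the top of the page.
SAMPLE_LOG = """\
Aug 22 11:08:21 server kernel: martian source 192.168.0.1 from 192.168.0.255, on dev eth0
Aug 22 11:08:21 server kernel: ll header: ff:ff:ff:ff:ff:ff:00:12:34:00:ab:cd:08:00
Aug 22 11:08:21 server kernel: martian source 192.168.12.197 from 192.168.12.198, on dev eth0
Aug 22 11:08:21 server kernel: ll header: 08:00:00:00:45:00:01:00:00:00:40:00:40:11:9f:11:c0:a8:0c:c6:c0:a8:0c:c5
Aug 22 11:08:30 server kernel: some unrelated message
"""

# First address printed by the kernel is the destination, second is the source.
MARTIAN_RE = re.compile(
    r"martian source (?P<dst>\d+\.\d+\.\d+\.\d+) from (?P<src>\d+\.\d+\.\d+\.\d+), on dev (?P<dev>\S+)"
)
LL_HEADER_RE = re.compile(r"ll header: (?P<hex>(?:[0-9a-fA-F]{2}:)*[0-9a-fA-F]{2})")


@dataclass
class Martian:
    dst_ip: str
    src_ip: str
    dev: str
    ll_header: bytes = b""

    def ethernet(self) -> Optional[Tuple[str, str, int]]:
        """(dst MAC, src MAC, ethertype) if the dump is a 14-byte Ethernet header, else None."""
        if len(self.ll_header) != 14:
            return None
        mac = lambda b: ":".join(f"{x:02x}" for x in b)
        ethertype = int.from_bytes(self.ll_header[12:14], "big")
        return mac(self.ll_header[:6]), mac(self.ll_header[6:12]), ethertype

    def describe(self) -> str:
        eth = self.ethernet()
        if eth:
            return (f"{self.dev}: {self.src_ip} -> {self.dst_ip}, "
                    f"src MAC {eth[1]}, dst MAC {eth[0]}, ethertype 0x{eth[2]:04x}")
        # Not an Ethernet-sized dump: report the length and leave decoding to the
        # analyst, who knows the link type (bond, InfiniBand, tunnel, ...).
        return (f"{self.dev}: {self.src_ip} -> {self.dst_ip}, "
                f"{len(self.ll_header)}-byte link-layer header (not Ethernet layout), "
                f"starts {self.ll_header[:4].hex(':')}")


def parse_martians(text: str) -> List[Martian]:
    """Return one Martian per 'martian source' line, attaching the 'll header' line that follows it."""
    entries: List[Martian] = []
    for line in text.splitlines():
        m = MARTIAN_RE.search(line)
        if m:
            entries.append(Martian(m["dst"], m["src"], m["dev"]))
            continue
        h = LL_HEADER_RE.search(line)
        if h and entries and not entries[-1].ll_header:
            entries[-1].ll_header = bytes.fromhex(h["hex"].replace(":", ""))
    return entries


if __name__ == "__main__":
    for entry in parse_martians(SAMPLE_LOG):
        print(entry.describe())
```

Feed it the output of `grep -A1 "martian source" /var/log/messages` (or the journal) and the source MAC in the Ethernet case gives you the switch port, and usually the host, to go and look at.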

Enabling Martian Messages

If the entries in /etc/sysctl.conf (or a file under /etc/sysctl.d/) have disabled martian logging, enable them and reload the settings with sysctl -p; you can confirm the running value with sysctl net.ipv4.conf.all.log_martians. The "all" entry is ORed with each interface's own setting, so setting it to 1 enables logging on every interface; the "default" entry only seeds interfaces created after it is set, and per-interface entries such as the bondib0 line below pin the value for one device. Keep in mind that the reverse-path class of martians is only detected when rp_filter is enabled on the interface (1 = strict, 2 = loose); with rp_filter=0 such packets are accepted silently and never logged. Some sample entries to check are:

# vi /etc/sysctl.conf
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
net.ipv4.conf.bondib0.log_martians=1

Conclusion

Martian source messages may indicate an issue with the network environment. You may wish to investigate:

  • Whether there are layer 2 loops in the network: if the host sends a packet and then receives a copy of it back, the source address is the host's own address, and the packet is logged as a martian.
  • Whether any host is transmitting traffic with a source IP that should never be used as a source, such as a multicast or broadcast address.
  • Whether the network addressing on all systems in the subnet is applied correctly and is valid: every host should have a valid IP address and the correct subnet mask (aka network prefix).
  • Whether the host is multi-homed with asymmetric routing: with rp_filter=1 (strict), a packet arriving on an interface other than the one the host would use to reply to its source is logged as a martian even though it is legitimate; rp_filter=2 (loose) accepts it as long as the source is reachable through any interface.
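The checklist above can be turned into a first-pass triage of each martian entry against the host's own addressing. The following is an added example, not code from the original article: the interface table and the martian tuples are constructed for illustration (in practice they come from `ip -4 addr` and the parsed log lines), and `classify` and its result labels are names chosen here.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed: this host's interface addressing, keyed by device name.
LOCAL_IFACES: Dict[str, ipaddress.IPv4Interface] = {
    "eth0": ipaddress.ip_interface("192.168.0.10/24"),
    "eth1": ipaddress.ip_interface("10.0.5.2/24"),
}

# Constructed martian entries as (destination IP, source IP, interface),
# in the order the kernel prints them ("martian source DST from SRC, on dev DEV").
SAMPLE_MARTIANS: List[Tuple[str, str, str]] = [
    ("192.168.0.1", "192.168.0.255", "eth0"),  # broadcast address used as a source
    ("192.168.0.1", "192.168.0.10", "eth0"),   # our own address arriving from outside
    ("192.168.0.1", "224.0.0.9", "eth0"),      # multicast address used as a source
    ("192.168.0.1", "172.16.9.7", "eth0"),     # source nowhere near this interface's subnet
    ("192.168.0.1", "10.0.5.40", "eth0"),      # source belongs to another of our interfaces
    ("192.168.0.1", "192.168.0.77", "eth0"),   # on-subnet source: nothing obvious, inspect routing
]


def classify(dst: str, src: str, dev: str,
             ifaces: Dict[str, ipaddress.IPv4Interface] = LOCAL_IFACES) -> str:
    """Map one martian entry to the checklist item it most likely corresponds to."""
    s = ipaddress.ip_address(src)
    local = ifaces.get(dev)
    if local is None:
        return "unknown-interface"
    if any(s == i.ip for i in ifaces.values()):
        # Our own packet came back in: suspect a layer 2 loop, a hub, or port mirroring.
        return "reflected-own-packet"
    if (s.is_multicast or s.is_unspecified or s.is_loopback
            or s == local.network.broadcast_address):
        # A host on the wire is sending with a source that can never be valid.
        return "invalid-source"
    if any(s in i.network for name, i in ifaces.items() if name != dev):
        # Legitimate address for another of our subnets, seen on the wrong interface:
        # asymmetric routing under strict rp_filter, or a cable/VLAN mix-up.
        return "asymmetric-or-wrong-interface"
    if s not in local.network:
        # Neither ours nor on this subnet: misaddressed host or a spoofed source.
        return "off-subnet-source"
    return "on-subnet-source"


def triage(entries: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Group source addresses by classification so the noisiest cause stands out."""
    out: Dict[str, List[str]] = {}
    for dst, src, dev in entries:
        out.setdefault(classify(dst, src, dev), []).append(src)
    return out


if __name__ == "__main__":
    for label, sources in triage(SAMPLE_MARTIANS).items():
        print(f"{label:32s} {sources}")
```

The "reflected-own-packet" and "invalid-source" buckets point at the network (loops, broken hosts); "asymmetric-or-wrong-interface" points at rp_filter mode and routing on the host itself; anything left in "off-subnet-source" is where a spoofing investigation starts.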

Filed Under: CentOS/RHEL 6, CentOS/RHEL 7, Linux

© 2022 · The Geek Diary
