There are entries in the /var/log/messages file as shown below:
# tailf /var/log/messages Aug 22 11:08:21 server kernel: martian source 192.168.12.197 from 192.168.12.198, on dev eth0 Aug 22 11:08:21 server kernel: ll header: 08:00:00:00:45:00:01:00:00:00:40:00:40:11:9f:11:c0:a8:0c:c6:c0:a8:0c:c5 Aug 22 11:08:22 server kernel: martian source 192.168.12.192 from 192.168.12.198, on dev eth0 Aug 22 11:08:22 server kernel: ll header: 08:00:00:00:45:00:00:6c:00:00:40:00:40:11:9f:aa:c0:a8:0c:c6:c0:a8:0c:c0 Aug 22 12:11:27 server kernel: martian source 192.168.12.192 from 192.168.12.198, on dev eth0 Aug 22 12:11:27 server kernel: ll header: 08:00:00:00:45:00:01:00:00:00:40:00:40:11:9f:16:c0:a8:0c:c6:c0:a8:0c:c0
What Is A Martian Packet?
The IANA defines a Martian packet as one which arrives on an interface where the interface does not use that network. For Linux, it’s any packet that arrives on an interface which is not configured for that subnet in any way. Any martian packet notice should be investigated. Martian packets:
- Are frequently used in hacking intrusion.
- May be a symptom of a misconfigured server elsewhere on the network.
- May indicate a network infrastructure issue.
Reading a Martian Message
A martian source message is laid out as follows:
kernel: martian source [destination IP] from [source IP], on dev [interface packet arrived on] kernel: ll header: [destination MAC address]:[source MAC address]:[ethertype] (for ethernet)
For example, given the message:
kernel: martian source 192.168.0.1 from 192.168.0.255, on dev eth0 kernel: ll header: ff:ff:ff:ff:ff:ff:00:12:34:00:ab:cd:08:00
Destination IP: 192.168.0.1
Source IP: 192.168.0.255
Incoming interface: eth0
Destination MAC: ff:ff:ff:ff:ff:ff
Source MAC: 00:12:34:00:ab:cd
Ethertype: 0x0800 (IPv4)
Enabling Martian Messages
If configuration items in your /etc/sysctl.conf file has disabled Martial Message detection, they should be enabled and the sysctl program should be rerun. Some sample entries to check are:
# vi /etc/sysctl.conf net.ipv4.conf.all.log_martians=1 net.ipv4.conf.default.log_martians=1 net.ipv4.conf.bondib0.log_martians=1
Martian source messages may indicate an issue with the network environment. You may wish to investigate:
- There are no layer 2 loops in the network: if the host sends a packet and then receives a copy of this packet back from the network, it will be logged as a martian
- There are no hosts transmitting traffic with a source IP which should not be used such as a multicast or broadcast IP
- The network addressing on all systems in the subnet is applied correctly and is valid, all hosts should have a valid IP address and the correct subnet mask (aka network prefix)