
Routing 127.0.0.1!? strange errors


Sag

Jan 24, 2008, 9:46:58 AM
Maybe somebody can shed some light on this. I have a 3845 router, with
interfaces as follows:

10.35.33.0/24 -> fast 1/14
10.35.49.0/24 -> fast 1/13

I am seeing a lot of rejects and errors. It seems that we are trying
to route packets from the 127.0.0.1 network (RSTs to port 80
connections), but I'm stumped as to how those packets could even leave
the requesting pc. Any ideas/pointers?

Jan 24 14:40:41.421: IP: s=127.0.0.1 (FastEthernet1/0), d=10.35.33.167
(FastEthernet1/14), g=10.35.33.167, len 40, forward
Jan 24 14:40:41.421: TCP src=80, dst=1936, seq=0, ack=707002369,
win=0 ACK RST
Jan 24 14:40:41.421: IP: s=127.0.0.1 (FastEthernet1/0), d=10.35.33.167
(FastEthernet1/14), len 40, encapsulation failed
Jan 24 14:40:41.421: TCP src=80, dst=1936, seq=0, ack=707002369,
win=0 ACK RST
Jan 24 14:40:42.361: IP: tableid=0, s=127.0.0.1 (FastEthernet1/0),
d=10.35.49.109 (FastEthernet1/13), routed via RIB
Jan 24 14:40:42.361: %SEC-6-IPACCESSLOGP: list filtrado-outbound-ota
denied tcp 127.0.0.1(80) -> 10.35.49.109(1001), 1 packet
Jan 24 14:40:42.361: IP: s=127.0.0.1 (FastEthernet1/0), d=10.35.49.109
(FastEthernet1/13), len 40, access denied
Jan 24 14:40:42.361: TCP src=80, dst=1001, seq=0, ack=1821245441,
win=0 ACK RST

turnip

Jan 25, 2008, 8:42:55 PM

Maybe a PC with a missing entry in its host file?

Thrill5

Jan 25, 2008, 10:18:50 PM

"turnip" <jza...@gmail.com> wrote in message
news:1246223e-a70b-4091...@v29g2000hsf.googlegroups.com...
A missing host entry file would result in a DNS query not a packet being
sent out the interface. Get the MAC address of the 127.0.0.1 entry with a
"show arp" and then track the MAC address to the correct port on
the switch with a "show mac-address-table" and then trace the cable to the
PC. You might find another IP address with the same MAC in the arp table,
which would be the real IP of the PC. I suspect you have a PC with a virus
on it.


Bo...@hotmail.co.uk

Jan 27, 2008, 5:46:40 AM
On 26 Jan, 03:18, "Thrill5" <nos...@somewhere.com> wrote:
> "turnip" <jzak...@gmail.com> wrote in message
> on it.

Virus seems reasonable.

127.0.0.1 should never appear as a real address in packets.
This suggests a misbehaving device. Tracking it down by
mac though may be tricky since I doubt that the sending
device will respond to arp on that address.
If there are no arp entries you will have to find another way
to track the source.

Does "deb ip pack det" show the mac addresses?
I forget.

Even then you will only see the mac for the next hop
and will need to repeat the exercise back through the network.

Sag

Jan 28, 2008, 9:44:45 AM
On Jan 27, 7:46 am, Bo...@hotmail.co.uk wrote:

> 127.0.0.1 should never appear as a real address in packets.
> This suggests a misbehaving device. Tracking it down by
> mac though may be tricky since I doubt that the sending
> device will respond to arp on that address.


Bingo. A "sh arp | inc 127.0.0.1" does not show anything.

> If there are no arp entries you will have to find another way
> to track the source.

It's a remote location (>160km), I guess I'll have to head there with
a laptop and wireshark.

>
> does "deb ip pack det" show the mac addresses?
> I forget.

Nope.

> Even then you will only see the mac for the next hop
> and will need to repeat the exercise back through the network.

Thanks to everybody for the input and suggestions!
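
Added example, not part of any post in this thread: in the debug lines from the first post, the interface in parentheses after s= is the one the packet was received on, so it can be summarised even when there is no ARP entry for 127.0.0.1. The Python below parses those lines (Usenet line wraps rejoined), keeps packets whose source falls in 127.0.0.0/8, and groups them by ingress interface; the function name loopback_sources is hypothetical.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Log lines from the first post in this thread, with the line wraps rejoined.
SAMPLE_LOG = """\
Jan 24 14:40:41.421: IP: s=127.0.0.1 (FastEthernet1/0), d=10.35.33.167 (FastEthernet1/14), g=10.35.33.167, len 40, forward
Jan 24 14:40:41.421: TCP src=80, dst=1936, seq=0, ack=707002369, win=0 ACK RST
Jan 24 14:40:41.421: IP: s=127.0.0.1 (FastEthernet1/0), d=10.35.33.167 (FastEthernet1/14), len 40, encapsulation failed
Jan 24 14:40:42.361: IP: tableid=0, s=127.0.0.1 (FastEthernet1/0), d=10.35.49.109 (FastEthernet1/13), routed via RIB
Jan 24 14:40:42.361: %SEC-6-IPACCESSLOGP: list filtrado-outbound-ota denied tcp 127.0.0.1(80) -> 10.35.49.109(1001), 1 packet
Jan 24 14:40:42.361: IP: s=127.0.0.1 (FastEthernet1/0), d=10.35.49.109 (FastEthernet1/13), len 40, access denied
"""

# Shape: "IP: s=<src> (<ingress if>), d=<dst> (<egress if>), ..., <disposition>"
IP_LINE = re.compile(
    r"IP: (?:tableid=\d+, )?s=(?P<src>[\d.]+) \((?P<in_if>[^)]+)\), "
    r"d=(?P<dst>[\d.]+) \((?P<out_if>[^)]+)\), (?P<rest>.*)$"
)


def loopback_sources(log_text):
    """Summarise packets with a 127.0.0.0/8 source, keyed by ingress interface."""
    report = defaultdict(lambda: {"destinations": set(), "dispositions": Counter()})
    for line in log_text.splitlines():
        m = IP_LINE.search(line)
        if not m:
            continue  # TCP detail and ACL log lines carry no interface names
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # truncated or garbled address field
        if not src.is_loopback:
            continue
        entry = report[m["in_if"]]
        entry["destinations"].add(f'{m["dst"]} via {m["out_if"]}')
        # The router's disposition is the last comma-separated field.
        entry["dispositions"][m["rest"].rsplit(", ", 1)[-1].strip()] += 1
    return dict(report)


if __name__ == "__main__":
    for in_if, entry in loopback_sources(SAMPLE_LOG).items():
        print(f"loopback-sourced packets arriving on {in_if}:")
        for dst in sorted(entry["destinations"]):
            print(f"  -> {dst}")
        for disposition, count in entry["dispositions"].most_common():
            print(f"  {count} x {disposition}")
```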

