On Ubuntu 16.04 and 18.04 servers, in the /var/log/syslog file, there are often Martian source messages like:
Aug 23 06:42:51 scilit-solr kernel: [5417098.171549] IPv4: martian source 255.255.255.255 from 192.168.0.239, on dev bond0
Aug 23 06:42:51 scilit-solr kernel: [5417098.171565] ll header: 00000000: ff ff ff ff ff ff 00 8e f2 4e 0e 67 08 00 .........N.g..
How to find out who is trying to communicate on an subnet? I tried to run:
sudo tcpdump -i bond0 host 192.168.0.239
And got this:
06:46:41.750645 ARP, Request who-has 192.168.0.239 tell 192.168.0.239, length 46
06:46:41.750790 ARP, Request who-has 192.168.0.239 tell 192.168.0.239, length 46
06:46:41.754853 ARP, Request who-has 192.168.0.239 tell 192.168.0.239, length 46
06:46:41.754981 ARP, Request who-has 192.168.0.239 tell 192.168.0.239, length 46
06:46:41.759720 IP 192.168.0.239.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:8e:f2:4e:0e:67 (oui Unknown), length 253
06:46:41.759865 IP 192.168.0.239.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:8e:f2:4e:0e:67 (oui Unknown), length 253
06:46:46.081698 IP 192.168.0.239.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:8e:f2:4e:0e:67 (oui Unknown), length 253
06:46:46.081836 IP 192.168.0.239.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:8e:f2:4e:0e:67 (oui Unknown), length 253
06:46:52.414603 IP 192.168.0.239.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:8e:f2:4e:0e:67 (oui Unknown), length 253
06:46:52.414749 IP 192.168.0.239.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:8e:f2:4e:0e:67 (oui Unknown), length 253
06:47:03.750032 IP 192.168.0.239.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:8e:f2:4e:0e:67 (oui Unknown), length 253
06:47:03.750170 IP 192.168.0.239.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:8e:f2:4e:0e:67 (oui Unknown), length 253
06:47:26.089927 IP 192.168.0.239.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:8e:f2:4e:0e:67 (oui Unknown), length 253
06:47:26.090082 IP 192.168.0.239.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:8e:f2:4e:0e:67 (oui Unknown), length 253
The goal would be to identify the device who often sends the who-has and fix it's IP and subnet.
Was able to figure this out, not the best way, but results are there.
I changed the IP address of one of the interfaces and tried first an SSH login, didn't worked. Then tried curl, and got a page, it was our Netgear GS716Tv2 switch with it's default configured IP address. I will change it soon and the problem should be solved.