
Weird log messages: user.warn kernel: DROP IN=vlan1?

Discussion in 'Tomato Firmware' started by Acejam2k, Oct 14, 2008.

  1. Acejam2k

    Acejam2k Addicted to LI Member

    Hey guys,

    I have Tomato 1.19 on my WRT54GL. Lately I've noticed that in the logs of my router, there are constant messages coming in.

    I have Comcast, and I'm located just outside of Boston, MA. It seems that the source IP address from the logs is a Comcast user/server. These messages have been coming in for about 3 months now, ever since I got the WRT54GL. (or rather, since I've flashed and started checking logs :) )

    Any ideas as to what these are? I'm running DHCP on both the WAN connection to my cable modem, and to my LAN.

    Code:
    Oct 13 20:05:06 tomato user.warn kernel: DROP IN=vlan1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1e:be:fe:fb:05:08:00:45:00:01:7a SRC=96.145.116.1 DST=255.255.255.255 LEN=378 TOS=0x00 PREC=0x00 TTL=255 ID=30677 PROTO=UDP SPT=67 DPT=68 LEN=358 
    Oct 13 20:05:06 tomato user.warn kernel: DROP IN=vlan1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1e:be:fe:fb:05:08:00:45:00:01:7a SRC=96.145.116.1 DST=255.255.255.255 LEN=378 TOS=0x00 PREC=0x00 TTL=255 ID=30680 PROTO=UDP SPT=67 DPT=68 LEN=358 
    Oct 13 20:05:11 tomato user.warn kernel: DROP IN=vlan1 OUT= MAC=00:21:29:68:75:62:00:1e:be:fe:fb:05:08:00:45:00:00:65 SRC=68.87.71.229 DST=98.229.131.211 LEN=101 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=53 DPT=2048 LEN=81 
    Oct 13 20:05:13 tomato user.warn kernel: DROP IN=vlan1 OUT= MAC=00:21:29:68:75:62:00:1e:be:fe:fb:05:08:00:45:00:00:ad SRC=68.87.71.227 DST=98.229.131.211 LEN=173 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=53 DPT=2048 LEN=153 
    
     
  2. humba

    humba Network Guru Member

    VLAN1 is your WAN.. so those are packets that are being dropped by your firewall (you wouldn't want to let everybody access your network after all.. so it's normal that you see those messages).
     
  3. Clovenhoof

    Clovenhoof Addicted to LI Member

    It seems that those packets were dropped because they are not standard packets. (the MAC-addresses in them are too long)
    Perhaps someone attempted to hack your router this way.
     
  4. Acejam2k

    Acejam2k Addicted to LI Member

    Hmmm...interesting.

    I do host a web server behind my router with 4 domain names pointing to it, but I hardly get any traffic :frown:

    Currently my logging settings are set to log all inbound traffic that is blocked by my firewall, and I guess these are the messages from that....

    It's very weird though as it's been constantly coming in full time for about 3 months now...perhaps I should call my ISP up and see what's going on. (Comcast)

    Thanks guys!
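
Added example, not part of the original thread: a small Python parser for the log lines in the first post, showing how the fields of such a DROP entry can be read. It assumes the common netfilter LOG layout in which MAC= lists destination MAC, source MAC and EtherType, and it checks whether the four further bytes in these lines match the start of the IPv4 header; all function names are hypothetical.

```python
import re

# Two of the four lines from the first post, copied unchanged.
SAMPLE = [
    "Oct 13 20:05:06 tomato user.warn kernel: DROP IN=vlan1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1e:be:fe:fb:05:08:00:45:00:01:7a SRC=96.145.116.1 DST=255.255.255.255 LEN=378 TOS=0x00 PREC=0x00 TTL=255 ID=30677 PROTO=UDP SPT=67 DPT=68 LEN=358",
    "Oct 13 20:05:11 tomato user.warn kernel: DROP IN=vlan1 OUT= MAC=00:21:29:68:75:62:00:1e:be:fe:fb:05:08:00:45:00:00:65 SRC=68.87.71.229 DST=98.229.131.211 LEN=101 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=53 DPT=2048 LEN=81",
]

FIELD = re.compile(r"(\w+)=(\S*)")

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_drop(line):
    """Split one netfilter LOG line into fields and decode the MAC= bytes."""
    body = line.partition("kernel: ")[2]
    f = {}
    for key, val in FIELD.findall(body):
        f.setdefault(key, val)  # keep the first LEN= (IP length); the second is UDP
    raw = bytes.fromhex(f["MAC"].replace(":", ""))
    # Assumed layout: 6 bytes destination MAC, 6 bytes source MAC, 2 bytes EtherType.
    f["dst_mac"], f["src_mac"] = mac_str(raw[:6]), mac_str(raw[6:12])
    f["ethertype"] = raw[12:14].hex()
    f["extra"] = raw[14:]  # anything the kernel printed past the 14-byte header
    return f

def extra_is_ip_header(f):
    """True if the bytes after the EtherType look like the start of the IPv4 header."""
    x = f["extra"]
    return (f["ethertype"] == "0800" and len(x) >= 4 and x[0] >> 4 == 4
            and int.from_bytes(x[2:4], "big") == int(f["LEN"]))

def describe(f):
    """Name the traffic from protocol and ports (well-known port numbers only)."""
    if f["PROTO"] == "UDP" and (f["SPT"], f["DPT"]) == ("67", "68"):
        kind = "DHCP server-to-client"
        return kind + " broadcast" if f["dst_mac"] == "ff:ff:ff:ff:ff:ff" else kind
    if f["PROTO"] == "UDP" and f["SPT"] == "53":
        return "UDP from source port 53 (DNS)"
    return "other"

if __name__ == "__main__":
    for line in SAMPLE:
        f = parse_drop(line)
        print(f["SRC"], "->", f["DST"], "|", describe(f),
              "| extra bytes are IP header:", extra_is_ip_header(f))
```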
     
