• More latest Raspbian strangeness

    From Jan Panteltje@3:770/3 to All on Tue May 31 14:07:51 2022
    So..
    have that latest Raspbian 32 bit up and running
    Connected laptop, laptop has 'snort' to monitor ethernet
    WHAT?

    ,,_ -*> Snort! <*-
    o" )~ Version 2.6.0 (Build 59)
    '''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
    (C) Copyright 1998-2006 Sourcefire Inc., et al.

    Not Using PCAP_FRAMES
    05/31-15:40:41.290595 ARP who-has 8.8.4.4 tell 169.254.18.104

    05/31-15:40:42.331043 ARP who-has 8.8.8.8 tell 169.254.18.104

    05/31-15:53:25.018092 0.0.0.0:68 -> 255.255.255.255:67
    UDP TTL:64 TOS:0x0 ID:21148 IpLen:20 DgmLen:370
    Len: 342
    01 01 06 00 00 71 EA 03 1D 3E 00 00 00 00 00 00 .....q...>......
    00 00 00 00 00 00 00 00 00 00 00 00 DC A6 32 F0 ..............2.
    59 83 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Y...............
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    00 00 00 00 00 00 00 00 00 00 00 00 63 82 53 63 ............c.Sc
    35 01 01 3D 07 01 DC A6 32 F0 59 83 50 00 74 01 5..=....2.Y.P.t.
    01 39 02 05 C0 3C 2E 64 68 63 70 63 64 2D 38 2E .9...<.dhcpcd-8.
    31 2E 32 3A 4C 69 6E 75 78 2D 35 2E 31 35 2E 33 1.2:Linux-5.15.3
    32 2D 76 37 6C 2B 3A 61 72 6D 76 37 6C 3A 42 43 2-v7l+:armv7l:BC
    4D 32 37 31 31 0C 0B 72 61 73 70 62 65 72 72 79 M2711..raspberry
    70 69 91 01 01 37 0E 01 79 21 03 06 0C 0F 1A 1C pi...7..y!......
    33 36 3A 3B 77 FF 36:;w.




    now leme get this straight, laptop has 192.168.178.20
    Raspi has 192.168.178.1

    WhoTF is 169.254.18.104???
    So... I have ip_to_country on my laptop:
    panteltje20: ~ # ip_to_country -i 169.254.18.104
    ip=169.254.18.104 (2852000360) "US" "UNITED STATES"

    Strange, I am not connected to the internet, only to that raspi,
    no switches in between either!
    so for the ARP request to happen 169.254.18.104 must be on the LAN

    ~ # ping 169.254.18.104
    PING 169.254.18.104 (169.254.18.104) 56(84) bytes of data.
    64 bytes from 169.254.18.104: icmp_req=1 ttl=64 time=0.898 ms
    ..
    Must be close, ifconfig -a of the raspberry shows no such IP
    think think ... Could it be dhcpcd?
    Killed dhcpcd (actually first renamed it and then killed it else dbooos just starts another one..)
    OK the ARP requests are now gone
    So it seems dhcpcd poses as 169.254.18.104

    But more strangeness
    the 8.8.8.8 and 8.8.4.4 was what *I* entered in /etc/resolv.conf
    cat /etc/resolv.conf
    nameserver 8.8.8.8
    nameserver 8.8.4.4

    those are the google name nameservers I use... work fine..
    WTF does dhcpcd think those are on the LAN ???

    It is such a mess....

    And that mysterious UDP packet is clearly also from that raspi as it says Linux-5.15.3
    but from IP address 0.0.0.0 port 68 to IP address 255.255.255.255 port 67

    also dhcpcd?
    ??

    --- SoupGate-Win32 v1.05
    * Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)
  • From Lew Pitcher@3:770/3 to Jan Panteltje on Tue May 31 14:25:12 2022
    On Tue, 31 May 2022 14:07:51 +0000, Jan Panteltje wrote:

    > So..
    > have that latest Raspbian 32 bit up and running
    > Connected laptop, laptop has 'snort' to monitor ethernet
    > WHAT?
    >
    > ,,_ -*> Snort! <*-
    > o" )~ Version 2.6.0 (Build 59)
    > '''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
    > (C) Copyright 1998-2006 Sourcefire Inc., et al.
    >
    > Not Using PCAP_FRAMES
    > 05/31-15:40:41.290595 ARP who-has 8.8.4.4 tell 169.254.18.104
    >
    > 05/31-15:40:42.331043 ARP who-has 8.8.8.8 tell 169.254.18.104

    > now leme get this straight, laptop has 192.168.178.20
    > Raspi has 192.168.178.1
    >
    > WhoTF is 169.254.18.104???

    That's the link-local (traffic restricted to your subnet only)
    Zeroconf IPv4 address
    (see https://en.wikipedia.org/wiki/Zero-configuration_networking)
    and is probably coming from Avahi or whatever followed it (systemd?)
    on the PI.


    > So... I have ip_to_country on my laptop:
    > panteltje20: ~ # ip_to_country -i 169.254.18.104
    > ip=169.254.18.104 (2852000360) "US" "UNITED STATES"
    >
    > Strange, I am not connected to the internet, only to that raspi,
    > no switches in between either!
    > so for the ARP request to happen 169.254.18.104 must be on the LAN
    >
    > ~ # ping 169.254.18.104
    > PING 169.254.18.104 (169.254.18.104) 56(84) bytes of data.
    > 64 bytes from 169.254.18.104: icmp_req=1 ttl=64 time=0.898 ms
    > ..
    > Must be close, ifconfig -a of the raspberry shows no such IP
    > think think ... Could it be dhcpcd?
    > Killed dhcpcd (actually first renamed it and then killed it else dbooos just starts another one..)
    > OK the ARP requests are now gone
    > So it seems dhcpcd poses as 169.254.18.104


    Yes, it does. In order to service these Zeroconf queries.

    > But more strangeness
    > the 8.8.8.8 and 8.8.4.4 was what *I* entered in /etc/resolv.conf
    > cat /etc/resolv.conf
    > nameserver 8.8.8.8
    > nameserver 8.8.4.4
    >
    > those are the google name nameservers I use... work fine..
    > WTF does dhcpcd think those are on the LAN ???

    Sounds like your dhcp server served up those addresses to the PI,
    (check your dhcpd settings to see if it propagates DNS settings to its
    clients) and the PI is looking for a route to them.

    > It is such a mess....
    >
    > And that mysterious UDP packet is clearly also from that raspi as it says Linux-5.15.3
    > but from IP address 0.0.0.0 port 68 to IP address 255.255.255.255 port 67
    >
    > also dhcpcd?

    Actually, yes.

    That's the PI querying DHCP (via the BOOTP protocol). Since, at that point,
    the PI has no address, it uses 0.0.0.0 (and depends on the bootp/dhcp
    server to determine who it is by its MAC address), and it sends its
    query out to the network broadcast address (255.255.255.255). The
    telltales are the ports: UDP port 67 is the bootp server port (see
    /etc/services entry 67/udp) and UDP port 67 is the bootp client port (see
    /etc/services entry 68/udp).


    --
    Lew Pitcher
    "In Skills, We Trust"

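
Added example (not part of the original posts): a small Python decoder for the BOOTP/DHCP payload shown in the Snort dump, with the 342 payload bytes re-typed from that dump. Function and key names are this example's own; it shows the packet is a DHCPDISCOVER sent by dhcpcd on the Pi and that 169.254.18.104 falls in the IPv4 link-local range rather than being an Internet host.

```python
import ipaddress
import struct

# Payload re-typed from the Snort dump in the thread (342 bytes).
PAYLOAD = (
    bytes.fromhex("01010600 0071EA03 1D3E 0000")  # op htype hlen hops, xid, secs, flags
    + bytes(16)                                   # ciaddr, yiaddr, siaddr, giaddr: all zero
    + bytes.fromhex("DCA632F05983") + bytes(10)   # chaddr: client MAC plus padding
    + bytes(192)                                  # sname (64) and file (128), unused
    + bytes.fromhex("63825363")                   # DHCP magic cookie
    + bytes.fromhex("350101 3D0701DCA632F05983 5000 740101 390205C0 3C2E")
    + b"dhcpcd-8.1.2:Linux-5.15.32-v7l+:armv7l:BCM2711"
    + bytes.fromhex("0C0B") + b"raspberrypi"
    + bytes.fromhex("910101 370E 01792103060C0F1A1C33363A3B77 FF")
)
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}

def parse_dhcp(payload: bytes) -> dict:
    """Decode the fixed BOOTP header and the DHCP options (RFC 2131/2132)."""
    if len(payload) < 240 or payload[236:240] != b"\x63\x82\x53\x63":
        raise ValueError("not a DHCP payload")
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", payload[:12])
    if hlen > 16:
        raise ValueError("bad hardware address length")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                         # 0 = pad, has no length byte
            i += 1
            continue
        if i + 2 > len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        opts[payload[i]] = payload[i + 2:i + 2 + payload[i + 1]]
        i += 2 + payload[i + 1]
    return {
        "op": op, "xid": xid,
        "ciaddr": str(ipaddress.ip_address(payload[12:16])),
        "mac": payload[28:28 + hlen].hex(":"),
        "msg_type": MSG_TYPES.get((opts.get(53) or b"\x00")[0], "unknown"),
        "hostname": opts.get(12, b"").decode("ascii", "replace"),
        "vendor_class": opts.get(60, b"").decode("ascii", "replace"),
        "auto_configure": opts.get(116),            # option 116 (RFC 2563)
        "param_request": list(opts.get(55, b"")),
    }

def is_link_local(addr: str) -> bool:
    """True for 169.254.0.0/16 (RFC 3927), which is never routed."""
    return ipaddress.ip_address(addr).is_link_local
```
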
  • From Lew Pitcher@3:770/3 to Lew Pitcher on Tue May 31 14:26:51 2022
    On Tue, 31 May 2022 14:25:12 +0000, Lew Pitcher wrote:

    > That's the PI querying DHCP (via the BOOTP protocol). Since, at that point,
    > the PI has no address, it uses 0.0.0.0 (and depends on the bootp/dhcp
    > server to determine who it is by its MAC address), and it sends its
    > query out to the network broadcast address (255.255.255.255). The
    > telltales are the ports: UDP port 67 is the bootp server port (see
    > /etc/services entry 67/udp) and UDP port 67 is the bootp client port (see

    Sorry. Typo. Should be "and UDP port 68 is the bootp client port"

    > /etc/services entry 68/udp).




    --
    Lew Pitcher
    "In Skills, We Trust"

  • From Jan Panteltje@3:770/3 to All on Tue May 31 16:22:33 2022
    > The way I go 'online' with this pi is with a Huawei 4G USB stick,
    > it is assigned an ethernet eth1 at 192.168.8.100 by dhcpcd
    > and you can then set your browser to 192.168.178.1 to set the link on/off.

    ehh typo, should be browser to 192.168.8.1

  • From Jan Panteltje@3:770/3 to lew.pitcher@digitalfreehold.ca on Tue May 31 16:19:11 2022
    On a sunny day (Tue, 31 May 2022 14:25:12 -0000 (UTC)) it happened Lew Pitcher <lew.pitcher@digitalfreehold.ca> wrote in <t758g8$s9q$1@dont-email.me>:

    ....
    >> /etc/resolv.conf
    >> cat /etc/resolv.conf
    >> nameserver 8.8.8.8
    >> nameserver 8.8.4.4
    >>
    >> those are the google name nameservers I use... work fine..
    >> WTF does dhcpcd think those are on the LAN ???
    >
    > Sounds like your dhcp server served up those addresses to the PI,
    > (check your dhcpd settings to see if it propagates DNS settings to its
    > clients) and the PI is looking for a route to them.

    dhcp server assigned some 192.168.178.1 IIR address in /etc/resolv.conf

    That seems to block website rt.com
    However the google nameservers 8.8.8.8 and 8.8.4.4 work for that site..

    The way I go 'online' with this pi is with a Huawei 4G USB stick,
    it is assigned an ethernet eth1 at 192.168.8.100 by dhcpcd
    and you can then set your browser to 192.168.178.1 to set the link on/off.
    This works great (I have a 10 GB / month subscription from KPN).

    I have used iptables to configure this pi as router on 192.168.178.1,
    so when connected I can use internet from anything on the LAN via it.

    Many thanks for the explanations BTW!

  • From Kees Nuyt@3:770/3 to pNaonStpealmtje@yahoo.com on Wed Jun 1 14:08:57 2022
    On Tue, 31 May 2022 14:07:51 GMT, Jan Panteltje
    <pNaonStpealmtje@yahoo.com> wrote:

    > WhoTF is 169.254.18.104?

    https://www.auvik.com/franklyit/blog/special-ip-address-ranges/
    --
    Kees Nuyt
