CS MARS source ip 0.0.0.0

Answered Question
Jan 16th, 2007

Hi!


CS MARS reports with a source IP address of 0.0.0.0 and port number 0. What does this mean?


Thank you in advance!


acomiskey Tue, 01/16/2007 - 08:51

From what I can tell, it displays 0.0.0.0 because the event was not triggered by the inspection of a packet with a source and destination address, or the source/destination cannot be derived from the logged message. For example, the event "inactive reporting device" from MARS does not have a source address and therefore displays 0.0.0.0.


Is this correct?

Rejohn Ronald Cuares Tue, 01/16/2007 - 09:03

Yeah, you're right. I received this alert with the event type "inactive CS-MARS reporting device".


Can you explain further regarding this event type? It's not very clear to me.


Thank you very much for your fast response!

Correct Answer
acomiskey Tue, 01/16/2007 - 09:08

You can always click on event type which will give you a popup window with description of event.


Cisco MARS detected an inactive reporting device that has not reported any event to MARS in the last hour. This may indicate that the device is not functioning properly.

Rejohn Ronald Cuares Tue, 01/16/2007 - 09:56

By simply clicking the event type I cannot determine which device(s) are not functioning properly. How will you know, then?


Also, when selecting the path information icon under the PATH column, it's not stated there which device(s) are down or not functioning properly.

Correct Answer
acomiskey Tue, 01/16/2007 - 10:05

Click on the Incident ID, something like I:########, this will give you the individual sessions which created the incident. Note the destination IP address. You can also hit the icon for "raw messages" under the "reporting device" column.

Rejohn Ronald Cuares Tue, 01/16/2007 - 10:22

Thank you, buddy. I saw the device that was not reporting. I saw it under RAW MESSAGE.

acomiskey Tue, 01/16/2007 - 10:24

Also, you will not see the PATH when the source/destination is 0.0.0.0 like we talked about above.
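
The behaviour discussed in this thread, sketched as an added example (not code from the thread and not Cisco's implementation): a collector raises an "inactive reporting device" event for any inventoried device with no log in the last hour, and because no packet triggered it, the event carries 0.0.0.0 and port 0 as its source. The log line format, field names, and recording the silent device as the destination are assumptions made for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)           # "in the last hour", per the event description
NO_ADDR, NO_PORT = "0.0.0.0", 0       # placeholder when no packet source exists

def last_seen_per_device(log_lines):
    """Map each reporting device IP to the newest timestamp in its logs.
    Assumed line format: '<ISO timestamp> <device ip> <message>'."""
    seen = {}
    for line in log_lines:
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue                  # skip malformed lines
        ts, device_ip = datetime.fromisoformat(parts[0]), parts[1]
        if device_ip not in seen or ts > seen[device_ip]:
            seen[device_ip] = ts
    return seen

def inactive_device_events(inventory, log_lines, now, window=WINDOW):
    """One synthetic event per inventoried device silent for longer than window."""
    seen = last_seen_per_device(log_lines)
    events = []
    for device_ip in sorted(inventory):
        last = seen.get(device_ip)    # None: the device has never reported
        if last is None or now - last > window:
            since = last.isoformat() if last else "never"
            events.append({
                "event_type": "Inactive reporting device",
                "src_ip": NO_ADDR, "src_port": NO_PORT,
                "dst_ip": device_ip,  # assumption: silent device is the destination
                "raw_message": f"no events from {device_ip}; last seen: {since}",
            })
    return events

def has_path(event):
    """A path needs two real endpoints, so 0.0.0.0 events have none."""
    return NO_ADDR not in (event["src_ip"], event["dst_ip"])

# Constructed sample data (documentation address range, invented messages)
NOW = datetime(2007, 1, 16, 9, 0, 0)
INVENTORY = {"192.0.2.10", "192.0.2.20", "192.0.2.30"}
LOG_LINES = [
    "2007-01-16T08:55:00 192.0.2.10 session built",
    "2007-01-16T07:10:00 192.0.2.20 session teardown",
    "2007-01-16T07:30:00 192.0.2.20 session built",
]

if __name__ == "__main__":
    for ev in inactive_device_events(INVENTORY, LOG_LINES, NOW):
        print(ev["src_ip"], ev["src_port"], "->", ev["dst_ip"], "|", ev["raw_message"])
```

Checking against an inventory rather than only against devices seen in the logs matters: a device that has never sent a single event would otherwise never be flagged.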
