Subject: Re: ARP
To: Rimantas Petrauskas <rimantas@remo.lt>
From: Ignatios Souvatzis <is@netbsd.org>
List: tech-net
Date: 03/31/2006 13:07:17
--UlVJffcvxoiEqYs2
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On Fri, Mar 31, 2006 at 01:53:43PM +0300, Rimantas Petrauskas wrote:
> Hello,
>=20
> i've got a question to ask.
>=20
> Command "tcpdump -i wm0 -n arp" gives me the following output:
> .....
> 2006-03-31 07:52:08.858034 arp who-has 0.0.0.0 tell 88.xx.xx.xx
> 2006-03-31 07:52:08.858604 arp who-has 0.0.0.0 tell 88.xx.xx.xx
All the same xx..xx.xx, or different? Anyway - this looks like=20
backscatter from a misconfigured (or attacking) machine that contacts
the 88.xx.xx.xx using 0.0.0.0 as the source address. Or maybe 0.0.0.0
crept in as the name server address of some machine?
E.g. a machine failing to get an address via bootp, but not noticing=20
the failure ;-)
go to one of the 88.xx.xx.xx, run tcpdump there, and add -e so that
you see the ethernet source address of the request that triggered the
response that requires the arp. Before you do that, check /etc/hosts
and similar stuff for an entry with 0.0.0.0.
Regards,
-is
--UlVJffcvxoiEqYs2
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.1 (NetBSD)
iD8DBQFELQ1kN4tiz3B8hB0RAmbRAKCjSGPimVILVwHrLm8J/x7fKpdC1wCgjltK
GfuAPQMcWqA9ro8zEIUi/NA=
=EtqJ
-----END PGP SIGNATURE-----
--UlVJffcvxoiEqYs2--