Security Basics mailing list archives

Re: anyone who saw this arp traffic?

From: Ankush Kapoor <everbeeninlove () gmail com>
Date: Sun, 27 Feb 2005 06:27:03 +0530

Have seen similar ARP broadcasts when windows machines on our network
got hit by worms.
Which worms i dont quite remember. Perhaps blaster.

regards

Ankush Kapoor


On Wed, 23 Feb 2005 01:40:43 +0000, Monty Ree <chulmin2 () hotmail com> wrote:

Hello, all.

When I capture network traffic at server farm,I can see lots of arp
broadcast like below.
But there is no server which use 172.16.x.x ip address.
and curiously,

1. source ip and destination ip is same
2. more curiously, same traffic(source mac:0:10:dc:f1:f7:64 , source
ip:172.16.97.157) is seen at my office.
3. I can also see this traffic(source mac:0:10:dc:f1:f7:64 , source
ip:172.16.97.157 ) at other IDC.

Have you ever seen this traffic?

Thanks in advance.

10:15:26.759069 0:10:dc:f1:f7:64 Broadcast arp 60: arp who-has
172.16.97.157 (Broadcast) tell 172.16.97.157
10:15:26.803792 0:c:76:4e:4:c8 Broadcast arp 60: arp who-has 172.16.100.103
(Broadcast) tell 172.16.100.103
10:15:26.955878 0:c:76:4e:4:c8 Broadcast arp 60: arp who-has 172.16.100.103
(Broadcast) tell 172.16.100.103
10:15:26.967737 0:10:dc:f1:f7:64 Broadcast arp 60: arp who-has
172.16.97.157 (Broadcast) tell 172.16.97.157

_________________________________________________________________
고.. 감.. 도.. 사.. 랑.. 만.. 들.. 기.. MSN 러브
http://www.msn.co.kr/love/

Current thread:

RE: anyone who saw this arp traffic? dissolved (Feb 28)
- <Possible follow-ups>
- Re: anyone who saw this arp traffic? Ankush Kapoor (Feb 28)
- RE: anyone who saw this arp traffic? Andrew Shore (Feb 28)
- RE: anyone who saw this arp traffic? Amit Ronen (Mar 02)
- RE: anyone who saw this arp traffic? Badger, Jared (Mar 03)
- Re: anyone who saw this arp traffic? Viktor Vesely (Mar 03)
  - Re: anyone who saw this arp traffic? L. Walker (Mar 04)