Security Basics mailing list archives
RE: anyone who saw this arp traffic?
From: "Badger, Jared" <Jared.Badger () acs-inc com>
Date: Wed, 2 Mar 2005 17:33:02 -0700
Amit, This is called a "gratuitous ARP". Stations will often do this to check if an address is in use before accepting a DHCP lease. Use your protocol analyzer to see if this ARP behavior coincides with DHCP. Not sure why you're seeing it on multiple links or why stuff from 172.16.x.x is showing up on a network where it doesn't belong... -Jared Badger PS. Here is the info for that MAC address. 00-10-DC (hex) MICRO-STAR INTERNATIONAL CO., LTD. 0010DC (base 16) MICRO-STAR INTERNATIONAL CO., LTD. NO. 69, LI-DE ST., JUNG-HE CITY TAIPEI HSIEN TAIWAN, REPUBLIC OF CHINA 00-0C-76 (hex) MICRO-STAR INTERNATIONAL CO., LTD. 000C76 (base 16) MICRO-STAR INTERNATIONAL CO., LTD. No 69, Li-De Street, Jung-He City, Taipe Taipei TAIWAN, REPUBLIC OF CHINA -----Original Message----- From: Amit Ronen [mailto:amitro () spiderservices com] Sent: Wednesday, March 02, 2005 1:43 AM To: security-basics () securityfocus com Subject: RE: anyone who saw this arp traffic? Try checking if there is a VPN device that use Virtual IP's for external VPN users - similar to Checkpoint office mode.... -----Original Message----- From: Andrew Shore [mailto:andrew.shore () holistecs com] Sent: ב 28 פברואר 2005 18:09 To: dissolved; Monty Ree Cc: security-basics () securityfocus com Subject: RE: anyone who saw this arp traffic? I've seen similar situations when using Virtual server technologies; Often "internal" logical networks will throw martens onto the physical network. HTH Andy -----Original Message----- From: dissolved [mailto:dissolved () comcast net] Sent: 25 February 2005 00:40 To: 'Monty Ree' Cc: security-basics () securityfocus com Subject: RE: anyone who saw this arp traffic? Are any secondary interfaces or sub-interfaces defined on a gateway? -----Original Message----- From: Monty Ree [mailto:chulmin2 () hotmail com] Sent: Tuesday, February 22, 2005 8:41 PM To: security-basics () securityfocus com Subject: anyone who saw this arp traffic? Hello, all. When I capture network traffic at server farm,I can see lots of arp broadcast like below. But there is no server which use 172.16.x.x ip address. and curiously, 1. source ip and destination ip is same 2. more curiously, same traffic(source mac:0:10:dc:f1:f7:64 , source ip:172.16.97.157) is seen at my office. 3. I can also see this traffic(source mac:0:10:dc:f1:f7:64 , source ip:172.16.97.157 ) at other IDC. Have you ever seen this traffic? Thanks in advance. 10:15:26.759069 0:10:dc:f1:f7:64 Broadcast arp 60: arp who-has 172.16.97.157 (Broadcast) tell 172.16.97.157 10:15:26.803792 0:c:76:4e:4:c8 Broadcast arp 60: arp who-has 172.16.100.103 (Broadcast) tell 172.16.100.103 10:15:26.955878 0:c:76:4e:4:c8 Broadcast arp 60: arp who-has 172.16.100.103 (Broadcast) tell 172.16.100.103 10:15:26.967737 0:10:dc:f1:f7:64 Broadcast arp 60: arp who-has 172.16.97.157 (Broadcast) tell 172.16.97.157 _________________________________________________________________ 고.. 감.. 도.. 사.. 랑.. 만.. 들.. 기.. MSN 러브 http://www.msn.co.kr/love/
Current thread:
- RE: anyone who saw this arp traffic? dissolved (Feb 28)
- <Possible follow-ups>
- Re: anyone who saw this arp traffic? Ankush Kapoor (Feb 28)
- RE: anyone who saw this arp traffic? Andrew Shore (Feb 28)
- RE: anyone who saw this arp traffic? Amit Ronen (Mar 02)
- RE: anyone who saw this arp traffic? Badger, Jared (Mar 03)
- Re: anyone who saw this arp traffic? Viktor Vesely (Mar 03)
- Re: anyone who saw this arp traffic? L. Walker (Mar 04)