Arp Warnings on @Home Network

[Mike Forrester <mikef () POCKETLINT COM>]

Greetings,
I started getting arp warnings the console to my OpenBSD system at home (no
pun intended :-) ).  Below are excerpts from /var/log/messages and the
ethereal decoding of one of those packets.  To me it appears that someone is
either trying to be the default router on their network or mis-configured
their new Mac.  08:00:07 a vendor id for Apple Computer and 00:01:63 is a
vendor id for Cisco.  Is there a way to determine who is the correct host?
Either MAC could be spoofed and the packet logs from tcpdump (on the OpenBSD
system) or from Ethereal (on my Windows 98 system), don't really give any
detailed info.

My guess is that someone just bought a new Mac and connected it to their
cable modem.  They don't know what they are doing and put the wrong ip
address in the wrong field.  If I am downloading a file when this happens,
the connection gets reset.  I believe that this is due to my reply packets
getting temporarily re-routed to the bogus gateway.  Since their system
doesn't have a connection open on that port, their system sends a reset
packet which drops the connection.  I'm still in the process of trying to
get a tcpdump when this happens while downloading a file, but getting the
timing right has been difficult.  Since I am on what is essentially an
unswitched cable network, my logs fill up quickly with all my neighbors
downstream traffic.

I have contacted @Home and their generic support people have been getting a
lot of calls about failed downloads.  I talked to someone in their NOC and
they are looking into the problem.

I'm just curious as to others thoughts on this as I have not played around
too much with arp.  I do however, have a few questions:

1) Is it standard practice for certain systems to use an IP already in use?
2) Is there a tool that could be used at the Ethernet level (layer 2) to try
and get more information from a system if you know it's MAC address?

Mike

> From /var/log/messages:

Feb  6 20:27:09 ironman /bsd: arp info overwritten for 24.1.8.1 by
08:00:07:c4:28:53 on fxp0
Feb  6 20:27:09 ironman /bsd: arp info overwritten for 24.1.8.1 by
00:01:63:f1:d8:80 on fxp0
Feb  6 20:36:32 ironman /bsd: arp info overwritten for 24.1.8.1 by
08:00:07:c4:28:53 on fxp0
Feb  6 20:36:32 ironman /bsd: arp info overwritten for 24.1.8.1 by
00:01:63:f1:d8:80 on fxp0
Feb  6 20:37:06 ironman /bsd: arp info overwritten for 24.1.8.1 by
08:00:07:c4:28:53 on fxp0
Feb  6 20:37:10 ironman /bsd: arp info overwritten for 24.1.8.1 by
00:01:63:f1:d8:80 on fxp0
Feb  6 20:37:57 ironman /bsd: arp info overwritten for 24.1.8.1 by
08:00:07:c4:28:53 on fxp0
Feb  6 20:37:57 ironman /bsd: arp info overwritten for 24.1.8.1 by
00:01:63:f1:d8:80 on fxp0
Feb  6 20:37:59 ironman /bsd: arp info overwritten for 24.1.8.1 by
08:00:07:c4:28:53 on fxp0
Feb  6 20:37:59 ironman /bsd: arp info overwritten for 24.1.8.1 by
00:01:63:f1:d8:80 on fxp0
Feb  6 20:38:12 ironman /bsd: arp info overwritten for 24.1.8.1 by
08:00:07:c4:28:53 on fxp0
Feb  6 20:38:12 ironman /bsd: arp info overwritten for 24.1.8.1 by
00:01:63:f1:d8:80 on fxp0
Feb  6 20:38:17 ironman /bsd: arp info overwritten for 24.1.8.1 by
08:00:07:c4:28:53 on fxp0
Feb  6 20:38:17 ironman /bsd: arp info overwritten for 24.1.8.1 by
00:01:63:f1:d8:80 on fxp0
Feb  6 20:38:38 ironman /bsd: arp info overwritten for 24.1.8.1 by
08:00:07:c4:28:53 on fxp0
Feb  6 20:38:38 ironman /bsd: arp info overwritten for 24.1.8.1 by
00:01:63:f1:d8:80 on fxp0
Feb  6 20:38:38 ironman /bsd: arp info overwritten for 24.1.8.1 by
08:00:07:c4:28:53 on fxp0
Feb  6 20:38:39 ironman /bsd: arp info overwritten for 24.1.8.1 by
00:01:63:f1:d8:80 on fxp0
Feb  6 20:38:40 ironman /bsd: arp info overwritten for 24.1.8.1 by
08:00:07:c4:28:53 on fxp0
Feb  6 20:38:40 ironman /bsd: arp info overwritten for 24.1.8.1 by
00:01:63:f1:d8:80 on fxp0
Feb  6 20:38:57 ironman /bsd: arp info overwritten for 24.1.8.1 by
08:00:07:c4:28:53 on fxp0
Feb  6 20:38:57 ironman /bsd: arp info overwritten for 24.1.8.1 by
00:01:63:f1:d8:80 on fxp0
Feb  6 20:39:09 ironman /bsd: arp info overwritten for 24.1.8.1 by
08:00:07:c4:28:53 on fxp0
Feb  6 20:39:09 ironman /bsd: arp info overwritten for 24.1.8.1 by
00:01:63:f1:d8:80 on fxp0
Feb  6 20:39:36 ironman /bsd: arp info overwritten for 24.1.8.1 by
08:00:07:c4:28:53 on fxp0
Feb  6 20:39:36 ironman /bsd: arp info overwritten for 24.1.8.1 by
00:01:63:f1:d8:80 on fxp0
Feb  6 20:40:00 ironman /bsd: arp info overwritten for 24.1.8.1 by
08:00:07:c4:28:53 on fxp0
Feb  6 20:40:02 ironman /bsd: arp info overwritten for 24.1.8.1 by
00:01:63:f1:d8:80 on fxp0
Feb  6 20:40:19 ironman /bsd: arp info overwritten for 24.1.8.1 by
08:00:07:c4:28:53 on fxp0
Feb  6 20:40:19 ironman /bsd: arp info overwritten for 24.1.8.1 by
00:01:63:f1:d8:80 on fxp0
Feb  6 21:00:22 ironman /bsd: arp info overwritten for 24.1.8.1 by
08:00:07:c4:28:53 on fxp0
Feb  6 21:00:22 ironman /bsd: arp info overwritten for 24.1.8.1 by
00:01:63:f1:d8:80 on fxp0
Feb  6 21:11:06 ironman /bsd: arp info overwritten for 24.1.8.1 by
08:00:07:c4:28:53 on fxp0
Feb  6 21:11:06 ironman /bsd: arp info overwritten for 24.1.8.1 by
00:01:63:f1:d8:80 on fxp0

Ethereal decoded packet:
Frame 14 (60 on wire, 60 captured)
    Arrival Time: Feb  6, 2001 13:10:34.4509 <-- ingnore :)
    Time delta from previous packet: 0.007676 seconds
    Time relative to first packet: 0.349069 seconds
    Frame Number: 14
    Packet Length: 60 bytes
    Capture Length: 60 bytes
Ethernet II
    Destination: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
    Source: 08:00:07:c4:28:53 (08:00:07:c4:28:53)
    Type: ARP (0x0806)
    Trailer: 00000000000000000000000000000000...
Address Resolution Protocol (request)
    Hardware type: Ethernet (0x0001)
    Protocol type: IP (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: request (0x0001)
    Sender hardware address: 08:00:07:c4:28:53
    Sender protocol address: 24.1.8.1
    Target hardware address: ff:ff:ff:ff:ff:ff
    Target protocol address: 24.1.14.32