Security Incidents mailing list archives
Re: A bit strange ARP queries
From: "Samuel R. Baskinger" <sbaskinger () lumeta com>
Date: Wed, 21 Dec 2005 09:04:51 -0500
Eygene A. Ryabinkin wrote: > Good day! > > Has anyone seen such ARP packets? I am a bit curious, because we > have no strange hardware that will set the target hardware address > in the who-has ARP packet. Are there any attacks that using such > packets? ----- 15:29:59.908901 arp who-has the-host-in-question > (4:c0:40:1:e0:df) tell the-requester > 15:30:00.911228 arp who-has the-host-in-question (57:43:50:10:40:0) > tell the-requester > 15:30:01.912045 arp who-has
<snip>
> ----- 'the-host-in-question' and 'the-requester' are, of course, IP > addresses.
I've seen a few network tools use this method as a sort of Level-2 ping. If you find the cuperit I'd be interested in what software its running.
Sam
Current thread:
- A bit strange ARP queries Eygene A. Ryabinkin (Dec 15)
- Re: A bit strange ARP queries incidents (Dec 17)
- RE: A bit strange ARP queries Jason Burton (Dec 17)
- Re: A bit strange ARP queries wayne dawson (Dec 17)
- Re: A bit strange ARP queries Eygene A. Ryabinkin (Dec 17)
- RE: A bit strange ARP queries Craig Skelton (Dec 17)
- RE: A bit strange ARP queries Jeroen van Meeuwen (Dec 17)
- Re: A bit strange ARP queries Samuel R. Baskinger (Dec 21)
- Re: A bit strange ARP queries Eygene A. Ryabinkin (Dec 17)
- Re: A bit strange ARP queries Tillmann Werner (Dec 17)
- Re: A bit strange ARP queries Jeff Kell (Dec 17)
- <Possible follow-ups>
- RE: A bit strange ARP queries Paul Farrington (Dec 17)
- RE: A bit strange ARP queries Dave Hawkins (Dec 19)
- RE: A bit strange ARP queries Koike, Rafael Marcelino (Dec 22)
- Re: A bit strange ARP queries Eygene A. Ryabinkin (Dec 22)