Snort mailing list archives
RE: ARP mangling:
From: Terry Rankin <trankin () iqcenter com>
Date: Tue, 22 May 2001 15:06:59 -0400
I used another NetMon in tandem with Snort and there are no actual ARPs for the 212.250.18 net address. It appears that some software component/function is rewriting the 'sender protocol address' and 'target protocol address' fields of the ARP_RARP broadcast frame so that false IP data is written to the log. Therefore, legitimate ARPs are being incorrectly interpreted and/or appended to the Snort log file. The layer 3 info for ARP replies is similarly mutated although the layer 2 info is legitimate. I have tested this on several independent networks and the results are identical. The problem is either a software issue ('libpcap' or 'snort') or related to how the 'libpcap' s/w interacts with my NIC (AMD PCNET PCI 100bTX). Note: this only happens for ARP traffic.

terry

-----Original Message-----
From: Phil Wood [mailto:cpw () lanl gov]
Sent: Tuesday, May 22, 2001 2:46 PM
To: Terry Rankin
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] ARP mangling:

On Tue, May 22, 2001 at 01:35:59PM -0400, Terry Rankin wrote:
> Hello,
>
> I've been using Snort v1.7 on NT4 successfully for a few weeks on several networks with only one problem - all layer 3 info in ARP requests/replies appears to be getting mangled between reception and logging. The symptoms are as follows:
>
> 1. the target IP of the ARP request is always 212.250.18.0.
> 2. the sending IP of the ARP request varies, but about 75% claim to be from 116.0.217.0. To date, the last two octets are always 217.0.
> 3. no 'actual' ARP request layer 3 info is ever recorded to the log file - just the butchered info.
> 4. the ARP replies contain genuine layer 2 addresses.
What is your network configuration? ARP only applies to layer 2 (same link layer). So, the stuff below indicates you have a bunch of weird machines on the same link as you, all wanting to know about network 212.250.18. What are the machines with the layer 2 addresses? Can you get a tcpdump of this stuff?
> Example:
>
> ARP who-has 212.250.18.0 tell 116.0.217.0
> ARP who-has 212.250.18.0 tell 196.0.217.0
> ARP who-has 212.250.18.0 tell 124.3.217.0
> 05/21-12:15:05.144373 ARP reply 212.250.18.0 is-at 0:10:5A:XX:YY:ZZ
>
> I've searched the obvious places for answers without any joy. I would be extremely grateful for further information.
>
> Cheers,
> terry
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Phil Wood, cpw () lanl gov
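As an added example (not code from this thread, nor from Snort or libpcap), the decoder below parses the RFC 826 ARP layout that the 'sender protocol address' and 'target protocol address' fields come from, renders each packet in the who-has/tell form the quoted log lines use, and applies Phil's point that ARP is link-local: a protocol address outside the link's own prefix is either a decode error or a host that does not belong there. The frames, MAC addresses and the 192.168.1.0/24 prefix are constructed for the demonstration; this is the kind of independent cross-check Terry describes doing with a second monitor.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

def mac(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)

def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))

def decode_arp(frame: bytes) -> dict:
    """Decode an Ethernet II frame carrying an RFC 826 ARP packet."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_ARP:
        raise ValueError(f"not ARP (ethertype 0x{ethertype:04x})")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    # Fixed layout after the 8-byte ARP header: sha(6) spa(4) tha(6) tpa(4)
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"op": op, "sha": mac(sha), "spa": str(IPv4Address(spa)),
            "tha": mac(tha), "tpa": str(IPv4Address(tpa))}

def snort_style(arp: dict) -> str:
    """Render the packet the way the log lines quoted in the thread read."""
    if arp["op"] == ARP_REQUEST:
        return f"ARP who-has {arp['tpa']} tell {arp['spa']}"
    if arp["op"] == ARP_REPLY:
        return f"ARP reply {arp['spa']} is-at {arp['sha']}"
    return f"ARP op={arp['op']}"

def offlink_addresses(arp: dict, local_prefix: str) -> list:
    """ARP is link-local, so addresses outside the link prefix are a decode error or a misplaced host."""
    return [a for a in (arp["spa"], arp["tpa"]) if IPv4Address(a) not in IPv4Network(local_prefix)]

def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Constructed Ethernet + ARP frame for testing (not captured traffic)."""
    eth_dst = b"\xff" * 6 if op == ARP_REQUEST else mac_bytes(tha)
    eth = eth_dst + mac_bytes(sha) + struct.pack("!H", ETH_P_ARP)
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    body += mac_bytes(sha) + IPv4Address(spa).packed + mac_bytes(tha) + IPv4Address(tpa).packed
    return eth + body

if __name__ == "__main__":
    a = decode_arp(build_arp(1, "00:10:5A:01:02:03", "116.0.217.0", "00:00:00:00:00:00", "212.250.18.0"))
    print(snort_style(a), "off-link:", offlink_addresses(a, "192.168.1.0/24"))
```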
Current thread:
- ARP mangling: Terry Rankin (May 22)
- Re: ARP mangling: Phil Wood (May 22)
- <Possible follow-ups>
- RE: ARP mangling: Terry Rankin (May 22)