Security Basics mailing list archives
RE: ARP Spoof Question
From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 24 Jul 2003 09:38:49 -0700
A switch should *always* be learning. A destination MAC address should always fall into one of two categories: 1. I have it in my switch table (NOT *ARP*, per se), because I saw traffic from it on interface X within the last N time-units. 2. It's not in my tables -- send this packet to every port and assume we'll see a packet from it soon so it will get added to my switch table. Switch table entries could get created when ARP response packets are seen -- or ARP requests, or DHCP broadcasts, or .... David Gillett
-----Original Message----- From: Stuart [mailto:secmail () patchsupplier dyndns org] Sent: July 23, 2003 16:13 To: security-basics () securityfocus com Subject: RE: ARP Spoof Question If we use a Cisco switch for example, don't they have a learning period? I would presume that the switch would go through the process of building its ARP tables again. Stu -----Original Message----- From: Simon Gray [mailto:simong () desktop-guardian com] Sent: 23 July 2003 17:10 To: vineet () linux com kw; security-basics () securityfocus com Subject: Re: ARP Spoof QuestionQ1.My Question is, Node C will also reply to that request ofNode A. SOnow Node A has 2 different MAC for the same IP. How is NodeA handlingthis situation??? Q2.The switch also updates its table of IP/MAC addressbindings, so howis switch handling this situation??? Is it "first-come-first-serve" methodology which NodeA/Switch takes??? I don't know how correct this is, but I would of thought the Node A/Switch would update whatever stored record of IP/MAC it has with the new details. Simon -------------------------------------------------------------- ---------- --- -------------------------------------------------------------- ---------- ---- -------------------------------------------------------------- ------------- -------------------------------------------------------------- --------------
--------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- Re: ARP Spoof Question David J. Bianco (Jul 23)
- <Possible follow-ups>
- RE: ARP Spoof Question David Gillett (Jul 23)
- Re: ARP Spoof Question Simon Gray (Jul 23)
- RE: ARP Spoof Question Stuart (Jul 24)
- RE: ARP Spoof Question David Gillett (Jul 24)
- RE: ARP Spoof Question Stuart (Jul 24)
- RE: ARP Spoof Question David Gillett (Jul 24)
- RE: ARP Spoof Question Stuart (Jul 24)
- RE: ARP Spoof Question The Fueley (Jul 24)
- RE: ARP Spoof Question David Gillett (Jul 24)
- Re: ARP Spoof Question Martin Brecher (Jul 28)