RE: arpwatch

[Tony Kava <securityfocus () pottcounty com>]

I believe the idea is to record the MAC and IP addresses of the requesting
host, not the host for whom an ARP request has been made.  Since the request
is broadcasted it will work on a switched network.

--
Tony Kava
Network Administrator
Pottawattamie County, Iowa



-----Original Message-----
From: zidan [mailto:zidan00 () fastmail fm]
Sent: Thursday, 11 September, 2003 13:29
To: Gunter.Luyten () student kuleuven ac be
Cc: security-basics () securityfocus com
Subject: Re: arpwatch


I don't agree, arp requests are broadcasts. but response is not
broadcast, its unicast.
the answering source to the asking destination.

what I don't understand, is how can the arpwatch station can see this
packet if this is a switched network

-Z
-- 
  zidan
  zidan00 () fastmail fm

-- 
http://www.fastmail.fm - A fast, anti-spam email service.

---------------------------------------------------------------------------
Captus Networks 
Are you prepared for the next Sobig & Blaster? 
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans 
 - Precisely Define and Implement Network Security 
 - Automatically Control P2P, IM and Spam Traffic 
FIND OUT NOW -  FREE Vulnerability Assessment Toolkit 
http://www.captusnetworks.com/ads/42.htm
----------------------------------------------------------------------------

---------------------------------------------------------------------------
Captus Networks 
Are you prepared for the next Sobig & Blaster? 
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans 
 - Precisely Define and Implement Network Security 
 - Automatically Control P2P, IM and Spam Traffic 
FIND OUT NOW -  FREE Vulnerability Assessment Toolkit 
http://www.captusnetworks.com/ads/42.htm
----------------------------------------------------------------------------