Security Basics mailing list archives
RE: arpwatch
From: "David Gillett" <gillettdavid () fhda edu>
Date: Mon, 15 Sep 2003 11:43:14 -0700
Suppose it's not monitoring the replies, but the *requests*. These are always broadcasts, and any machine attached out there should send at least one before it sends any other traffic(*).

(*) - Except, of course, for DHCP requests, which can happen before it *has* an IP address, and therefore aren't useful for arpwatch's stated purpose.

David Gillett
-----Original Message-----
From: zidan [mailto:zidan00 () fastmail fm]
Sent: September 14, 2003 02:06
To: Tony Kava
Cc: security-basics () securityfocus com
Subject: RE: arpwatch

Tony,

I tried requesting unknown IP addresses and arpwatch didn't detect it. arpwatch only detects the replies.

The thing is, I have no monitoring port or special VLANs, and when I try sniffing network traffic at the TCP/UDP level, I get nothing. So I assume there is no leak. I don't think arpwatch is using ARP poisoning to detect those stations... I still can't figure out how it works.

-Z
--
zidan
zidan00 () fastmail fm
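Added example, not part of the original thread and not arpwatch's own code: it shows why a passive listener on a switched segment can pair IP and MAC addresses from broadcast ARP requests alone, since each request carries the sender's own hardware and protocol addresses. The frames, addresses, function names and the labels "new station" / "changed address" are constructed for this example.

```python
import struct

ETH_ARP = 0x0806      # EtherType for ARP
ARP_REQUEST = 1       # ARP opcode 1 = request, 2 = reply

def parse_arp_request(frame: bytes):
    """Return (sender_ip, sender_mac) from an Ethernet/IPv4 ARP request, else None."""
    if len(frame) < 42:                                   # 14 Ethernet + 28 ARP
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen, oper) != (1, 0x0800, 6, 4, ARP_REQUEST):
        return None                                       # replies are ignored on purpose
    sha, spa = frame[22:28], frame[28:32]                 # sender MAC, sender IP
    if spa == b"\x00\x00\x00\x00":                        # sender has no address yet
        return None
    return ".".join(map(str, spa)), sha.hex(":")

def observe(table: dict, frame: bytes):
    """Update the ip -> mac table; return an event label or None."""
    parsed = parse_arp_request(frame)
    if parsed is None:
        return None
    ip, mac = parsed
    old = table.get(ip)
    table[ip] = mac
    if old is None:
        return "new station"
    return "changed address" if old != mac else None

def build_request(sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Constructed sample frame: broadcast ARP request 'who has target_ip?'."""
    sha = bytes.fromhex(sender_mac.replace(":", ""))
    spa = bytes(int(x) for x in sender_ip.split("."))
    tpa = bytes(int(x) for x in target_ip.split("."))
    eth = b"\xff" * 6 + sha + struct.pack("!H", ETH_ARP)  # destination is broadcast
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)
    return eth + arp + sha + spa + b"\x00" * 6 + tpa

if __name__ == "__main__":
    seen = {}
    for mac, ip in [("02:00:00:00:00:01", "192.0.2.10"),
                    ("02:00:00:00:00:01", "192.0.2.10"),
                    ("02:00:00:00:00:99", "192.0.2.10"),
                    ("02:00:00:00:00:02", "0.0.0.0")]:
        print(ip, mac, observe(seen, build_request(mac, ip, "192.0.2.1")))
```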