Security Basics mailing list archives

RE: arpwatch


From: "David Gillett" <gillettdavid () fhda edu>
Date: Mon, 15 Sep 2003 11:43:14 -0700

  Suppose it's not monitoring the replies, but the *requests*.  These
are always broadcasts, and any machine attached out there should send
at least one before it sends any other traffic(*).

(*) - Except, of course, for DHCP requests, which can happen before 
it *has* an IP address, and therefore aren't useful for arpwatch's
stated purpose.

David Gillett


-----Original Message-----
From: zidan [mailto:zidan00 () fastmail fm]
Sent: September 14, 2003 02:06
To: Tony Kava
Cc: security-basics () securityfocus com
Subject: RE: arpwatch


Tony,

I tried requesting unknown IP addresses and arpwatch didn't detect it.
arpwatch only detects the replies.

The thing is, I have no monitoring port or special VLANs, and when I try
sniffing network traffic at the TCP/UDP level, I get nothing. So I assume
there is no leak.

I don't think arpwatch is using ARP poisoning to detect those
stations... I still can't figure out how it works.


-Z
-- 
  zidan
  zidan00 () fastmail fm

-- 
http://www.fastmail.fm - I mean, what is it about a decent email service?



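The hypothesis in the reply above, sketched as an added example that is not part of the thread and is not arpwatch's own code: a listener on an ordinary switch port learns IP-to-MAC pairings from the sender fields of broadcast ARP requests alone, with no mirror port and without seeing any unicast reply. The frames, addresses, and the `make_arp`, `parse_arp` and `watch` helpers are constructed for illustration.

```python
import struct

BROADCAST = b"\xff" * 6
ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa

def make_arp(op, sha, spa, tha, tpa, dst):
    """Build a constructed Ethernet+ARP frame for the sample data."""
    return dst + sha + struct.pack("!H", 0x0806) + struct.pack(
        ARP_FMT, 1, 0x0800, 6, 4, op, sha, spa, tha, tpa)

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, eth_dst) for Ethernet/IPv4 ARP, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op, sha, spa, _, _ = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, sha, spa, frame[:6]

def watch(frames):
    """Learn IP->MAC pairings from broadcast ARP requests only."""
    table, events = {}, []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        op, sha, spa, dst = parsed
        if op != 1 or dst != BROADCAST or spa == b"\x00" * 4:
            continue  # skip replies, unicast, and probes sent before an address is set
        ip, mac = ".".join(map(str, spa)), sha.hex(":")
        if ip not in table:
            events.append(("new", ip, mac))
        elif table[ip] != mac:
            events.append(("changed", ip, mac))
        table[ip] = mac
    return events

# Constructed sample traffic (192.0.2.0/24 is a documentation range).
A, B, C, GW = (bytes.fromhex("0200000000" + x) for x in ("0a", "0b", "0c", "01"))
addr = lambda last: bytes([192, 0, 2, last])
ZERO = b"\x00" * 6
SAMPLE_FRAMES = [
    make_arp(1, A, addr(10), ZERO, addr(1), BROADCAST),   # A asks for the gateway
    make_arp(2, GW, addr(1), A, addr(10), A),             # unicast reply, ignored
    make_arp(1, B, addr(20), ZERO, addr(99), BROADCAST),  # B asks for an unused address
    make_arp(1, C, addr(10), ZERO, addr(1), BROADCAST),   # different MAC claims .10
]
```

The third frame shows that a request for an address nobody answers still identifies the requester, and the fourth shows how a changed pairing surfaces from requests alone.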

