Security Incidents mailing list archives
Re: Arp Warnings on @Home Network
From: Gordon Messmer <yinyang () EBURG COM>
Date: Wed, 7 Feb 2001 12:00:13 -0800
On Tue, 6 Feb 2001, Mike Forrester wrote:
> ethereal decoding of one of those packets. To me it appears that someone is either trying to be the default router on their network or mis-configured their new Mac.

Sounds like a good explanation.

> 08:00:07 is a vendor id for Apple Computer and 00:01:63 is a vendor id for Cisco. Is there a way to determine who is the correct host?

I'd say it's probably the Cisco :) As someone else suggested, you can probably hardcode the proper arp entry into your table using the 'arp' command. I understand that Linux 2.4 recently introduced packet filtering based on the MAC address of packets. Can OpenBSD do the same?

> packet which drops the connection. I'm still in the process of trying to get a tcpdump when this happens while downloading a file, but getting the timing right has been difficult. Since I am on what is essentially an unswitched cable network, my logs fill up quickly with all my neighbors' downstream traffic.

Then use libpcap logic to filter what you're dumping. Something like:

    tcpdump host <your_ip>

or:

    tcpdump host <your_ip> or ether host 08:00:07:c4:28:53

> 1) Is it standard practice for certain systems to use an IP already in use?

AFAIK, no. The Windows and Apple platforms with which I'm familiar will refuse to initialize an interface if they detect another machine using "their" IP. I've only seen UNIX systems do that without complaining. Perhaps this is an OS X box?

> 2) Is there a tool that could be used at the Ethernet level (layer 2) to try and get more information from a system if you know its MAC address?

Well, both tcpdump and Ethereal are libpcap based, so you can filter traffic based on the MAC address in the packets. Read the man page for tcpdump and look for "ether" logic. Using ngrep or ethereal, perhaps you can view the content of the user's traffic and determine some personal information.

--
If I had a dollar for every brain that you don't have, I'd have one dollar.
  - Squidward to SpongeBob
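Editor's note: the following is an added example, not code from anyone in this thread. It shows the detection logic behind the "ARP warnings" being discussed: parse raw Ethernet/ARP frames, track which MAC each sender IP claims, and report every change, naming the vendor from the two OUI prefixes quoted above (08:00:07 Apple, 00:01:63 Cisco). The frames, the 192.0.2.x addresses and the host and Cisco MAC bodies are constructed for the example; only 08:00:07:c4:28:53 comes from the thread. The remediation helper emits the standard `arp -s <ip> <mac>` static-entry form and a tcpdump filter in the style suggested above.

```python
"""Flag IP addresses whose MAC changes in ARP traffic and name each MAC's vendor.
All sample frames and addresses below are constructed for this example."""
import struct

ETH_P_ARP = 0x0806
ETH_P_IP = 0x0800
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Only the two OUI prefixes named in the thread; a real tool loads the IEEE list.
OUI = {"08:00:07": "Apple Computer", "00:01:63": "Cisco"}


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(src_mac, src_ip, dst_mac, dst_ip, op):
    """Build an Ethernet II frame carrying one ARP packet (op 1=request, 2=reply)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    tha = mac_bytes(dst_mac) if op == 2 else bytes(6)   # requests carry a zero target MAC
    arp = (struct.pack("!HHBBH", 1, ETH_P_IP, 6, 4, op)
           + mac_bytes(src_mac) + ip_bytes(src_ip)
           + tha + ip_bytes(dst_ip))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    hw_type, proto, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (hw_type, proto, hlen, plen) != (1, ETH_P_IP, 6, 4):
        return None
    return {"op": op,
            "sha": mac_str(frame[22:28]), "spa": ip_str(frame[28:32]),
            "tha": mac_str(frame[32:38]), "tpa": ip_str(frame[38:42])}


def vendor(mac):
    return OUI.get(mac[:8], "unknown vendor")


def detect_conflicts(frames):
    """Track sender IP -> sender MAC across a capture and report every change.

    Returns a list of (ip, previous_mac, new_mac). Both the flip and the flip back
    are reported, so a host fighting the real gateway shows up as a flip-flop."""
    seen = {}
    warnings = []
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None or arp["spa"] == "0.0.0.0":   # not ARP, or an address probe
            continue
        previous = seen.get(arp["spa"])
        if previous is not None and previous != arp["sha"]:
            warnings.append((arp["spa"], previous, arp["sha"]))
        seen[arp["spa"]] = arp["sha"]
    return warnings


def remediation(ip, trusted_mac, rogue_mac):
    """Commands matching the advice in the thread: pin the entry, watch the rogue."""
    return {"static_arp": f"arp -s {ip} {trusted_mac}",
            "tcpdump": f"tcpdump -n arp or ether host {rogue_mac}"}


# Constructed capture: RFC 5737 documentation addresses, locally administered host MAC.
GATEWAY_IP = "192.0.2.1"
HOST_IP, HOST_MAC = "192.0.2.50", "02:00:00:00:00:50"
CISCO_MAC = "00:01:63:aa:bb:cc"    # constructed body under the Cisco OUI from the thread
APPLE_MAC = "08:00:07:c4:28:53"    # the MAC quoted in the thread

SAMPLE_FRAMES = [
    build_arp(HOST_MAC, HOST_IP, BROADCAST, GATEWAY_IP, 1),     # who has the gateway?
    build_arp(CISCO_MAC, GATEWAY_IP, HOST_MAC, HOST_IP, 2),     # the real router answers
    mac_bytes(HOST_MAC) + mac_bytes(CISCO_MAC) + struct.pack("!H", ETH_P_IP) + bytes(28),  # IPv4 noise
    build_arp(APPLE_MAC, GATEWAY_IP, BROADCAST, GATEWAY_IP, 1),  # the Mac announces itself as the gateway
    build_arp(CISCO_MAC, GATEWAY_IP, HOST_MAC, HOST_IP, 2),     # the router answers again
]

if __name__ == "__main__":
    for ip, old, new in detect_conflicts(SAMPLE_FRAMES):
        print(f"{ip} moved from {old} ({vendor(old)}) to {new} ({vendor(new)})")
    print(remediation(GATEWAY_IP, CISCO_MAC, APPLE_MAC))
```

On the constructed capture this reports the gateway IP moving from the Cisco MAC to the Apple MAC and back, which is the same flip-flop pattern the original poster was seeing; swapping the sample list for frames read from a libpcap capture is the only change needed to run it against real traffic.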
Current thread:
- Arp Warnings on @Home Network Mike Forrester (Feb 06)
- Re: Arp Warnings on @Home Network Ryan Russell (Feb 07)
- Re: Arp Warnings on @Home Network Dragos Ruiu (Feb 07)
- Re: Arp Warnings on @Home Network Jose Nazario (Feb 07)
- Re: Arp Warnings on @Home Network Jose Nazario (Feb 07)
- Re: Arp Warnings on @Home Network Jose Nazario (Feb 07)
- Re: Arp Warnings on @Home Network Jose Nazario (Feb 07)
- Re: Arp Warnings on @Home Network Gordon Messmer (Feb 07)
- <Possible follow-ups>
- Re: Arp Warnings on @Home Network Forrester, Mike (Feb 07)
- Re: Arp Warnings on @Home Network Mathias Wegner (Feb 07)
- Re: Arp Warnings on @Home Network Forrester, Mike (Feb 09)