Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

RE: A bit strange ARP queries

From: "Jeroen van Meeuwen" <kanarip () pczone-clan nl>
Date: Sun, 18 Dec 2005 02:07:59 +0100
 RFC says that the target MAC in the who-has requests has no meaning but
they can be present in the who-has requests. And there was no such packets
in that net -- they appeared recently. So if the terget MAC is normally
ignored, such packets can be used for ARP spoofing (of any kind) only if
we have some strange ARP stacks that are caching the target MAC's from the
ARP requests.


Have you investigated the requestor? Is it the same host over and over
again?

Kind regards,

Jeroen van Meeuwen

--
kanarip
Previous By Date Next
Previous By Thread Next

Current thread: