Snort mailing list archives

Re: ARP WHo has?


From: John Sage <jsage () finchhaven com>
Date: Sun, 16 Sep 2001 09:24:21 -0700

ARP = Address Resolution Protocol

In order for a TCP/IP network to work, it also needs to know what hardware address packets should be sent to (i.e. the hardware address of the NIC in your computer..)

So this is one box broadcasting a request for the hardware address ("who-has [the hardware address for] 0.0.0.0") and saying that the answer should be sent to it ("tell 0.0.0.0")

The response would be "arp reply 192.168.1.1 is at 0:a5:32:ae:40:21" or somesuch..

Are you actually seeing "0.0.0.0"?

It should be an actual IP address, methinks...

Sounds like you're running snort with the -e command line switch ("Display/log the link layer packet headers")

You may want to turn that off; it gets kinda boring after you've seen a few thousand of the same thing.

- John

--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
"The web is so, like, five minutes ago..."


Jason Withrow wrote:

Sorry about the flood I am creating here, one last question.

What the heck is this ARP file that SNORT keeps creating, it is filled
with stuff like this:

        09/16-03:57:48.234413 ARP who-has 0.0.0.0 tell 0.0.0.0

        09/16-03:57:48.400994 ARP who-has 0.0.0.0 tell 0.0.0.0


What is this stuff?

Thanks,

- J
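
The ARP request and reply described in the reply above, decoded from raw packet bytes. This is an added example, not part of the original post and not Snort's own code; the summary strings are modeled on the lines quoted in the thread, and the sample packets and the 192.168.1.10 address are constructed.

```python
import socket
import struct

# ARP body for Ethernet/IPv4 (RFC 826): htype, ptype, hlen, plen, opcode,
# sender MAC, sender IP, target MAC, target IP (28 bytes, network byte order).
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)
UNSPECIFIED = "0.0.0.0"

def fmt_mac(raw):
    # Same unpadded hex style as the address quoted in the post.
    return ":".join(f"{b:x}" for b in raw)

def decode_arp(body):
    """Return (summary, flagged); flagged is True when an IP field is 0.0.0.0."""
    if len(body) < ARP_LEN:
        raise ValueError("truncated ARP body")
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = struct.unpack(
        ARP_FMT, body[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    sender, target = socket.inet_ntoa(spa), socket.inet_ntoa(tpa)
    if op == 1:
        # Request: "who-has" is the target IP, "tell" is the sender IP.
        # A sender of 0.0.0.0 with a real target is also what an
        # RFC 5227 address probe looks like.
        return f"ARP who-has {target} tell {sender}", UNSPECIFIED in (sender, target)
    if op == 2:
        # Reply: the sender announces its own IP-to-MAC mapping.
        return f"ARP reply {sender} is at {fmt_mac(sha)}", sender == UNSPECIFIED
    raise ValueError(f"unhandled ARP opcode {op}")

def build_arp(op, sha, spa, tha, tpa):
    """Build a sample ARP body (hypothetical helper for the constructed data)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       bytes.fromhex(sha), socket.inet_aton(spa),
                       bytes.fromhex(tha), socket.inet_aton(tpa))

# Constructed samples: a normal request, the reply to it, and the all-zero
# request seen in the log excerpt.
SAMPLES = [
    build_arp(1, "0010a4000001", "192.168.1.10", "000000000000", "192.168.1.1"),
    build_arp(2, "00a532ae4021", "192.168.1.1", "0010a4000001", "192.168.1.10"),
    build_arp(1, "0010a4000001", "0.0.0.0", "000000000000", "0.0.0.0"),
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(*decode_arp(pkt))
```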


