ARP queries with target hardware address set
From: Mojahedul Hoque Abul Hasanat (mojahed@agni.com)
Date: 04/27/02
Date: Sat, 27 Apr 2002 18:04:06 +0600
From: Mojahedul Hoque Abul Hasanat <mojahed@agni.com>
To: freebsd-security@FreeBSD.ORG

Please excuse me if this is a naive question.
When running tcpdump I see that some of the arp queries have their
target hardware addresses set to random MACs. AFAIK an arp query
should have its target hardware address set to all zeros. Here is
an example from the output of "tcpdump -e ...":
0:e0:7d:a1:8:75 Broadcast arp 60: arp who-has 202.168.255.85 (68:74:2e:4d:20:74) tell a.host.ip.address
The MAC inside the parentheses was never in my LAN. Almost all the
boxes in the LAN are 4.5-STABLE. The box making these queries runs
bind 8.3.1-REL. Suspiciously, this box also makes a lot of arp
queries for IPs not in its LAN.
Any ideas on the source of these arps?
-- Mojahed
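
Added example, not part of the original message: a Python check that parses Ethernet/IPv4 ARP requests and reports those whose target hardware address (THA) is not all zeros, the condition described in the post. The frames are constructed from the tcpdump line above; 192.0.2.10 is a placeholder for the redacted sender IP, and the function names, the "kind" labels and the printable-ASCII hint are assumptions of this example.

```python
import socket
import struct

ETH = struct.Struct("!6s6sH")            # dst MAC, src MAC, ethertype
ARP = struct.Struct("!HHBBH6s4s6s4s")    # htype ptype hlen plen oper sha spa tha tpa
ZERO, BCAST = b"\x00" * 6, b"\xff" * 6

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_mac(s):
    return bytes(int(p, 16) for p in s.split(":"))

def build_request(src, dst, spa, tha, tpa):
    """Build a constructed Ethernet/IPv4 ARP request frame for the demo."""
    arp = ARP.pack(1, 0x0800, 6, 4, 1, parse_mac(src), socket.inet_aton(spa),
                   parse_mac(tha), socket.inet_aton(tpa))
    return ETH.pack(parse_mac(dst), parse_mac(src), 0x0806) + arp

def check_frame(frame):
    """Return a finding for an ARP request whose THA is not all zeros, else None."""
    if len(frame) < ETH.size + ARP.size:
        return None
    dst, src, etype = ETH.unpack_from(frame)
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    if (etype, htype, ptype, hlen, plen, oper) != (0x0806, 1, 0x0800, 6, 4, 1) or tha == ZERO:
        return None
    if tha == BCAST:
        kind = "broadcast-tha"       # field set to the broadcast address
    elif tha == dst:
        kind = "unicast-probe"       # request sent straight to a known neighbour
    else:
        kind = "unexpected-tha"      # the case described in the post
    # Assumption of this example: printable bytes may indicate stale buffer data.
    text = tha.decode("ascii") if all(0x20 <= x < 0x7f for x in tha) else None
    return {"src": mac(src), "who_has": socket.inet_ntoa(tpa),
            "tell": socket.inet_ntoa(spa), "tha": mac(tha), "kind": kind, "ascii": text}

# Constructed frames; 192.0.2.10 stands in for the redacted sender IP.
SAMPLES = [
    build_request("0:e0:7d:a1:8:75", "ff:ff:ff:ff:ff:ff", "192.0.2.10",
                  "68:74:2e:4d:20:74", "202.168.255.85"),
    build_request("0:e0:7d:a1:8:75", "ff:ff:ff:ff:ff:ff", "192.0.2.10",
                  "00:00:00:00:00:00", "192.0.2.1"),
]

if __name__ == "__main__":
    print([check_frame(f) for f in SAMPLES])
```

The first sample is reported as "unexpected-tha" and the second, with a zeroed THA, produces no finding.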