Re: ARP queries with target hardware address set

From: Crist J. Clark (cjc@FreeBSD.ORG)
Date: 04/28/02 

Date: Sat, 27 Apr 2002 16:57:08 -0700
From: "Crist J. Clark" <cjc@FreeBSD.ORG>
To: Mojahedul Hoque Abul Hasanat <mojahed@agni.com>

On Sat, Apr 27, 2002 at 06:04:06PM +0600, Mojahedul Hoque Abul Hasanat wrote:
>
> Please excuse me if this is a naive question.
>
> When running tcpdump I see that some of the arp queries have their
> target hardware addresses set to random MACs. AFAIK an arp query
> should have its target hardware address set to all zeros.

Can you quote some standard or RFC that states this? AFA_I_K, the
target hardware address field is undefined. It can just as well be
random junk as all zeros. RFC 826 just says,

  The target hardware address is included for completeness and
  network monitoring. It has no meaning in the request form, since
  it is this number that the machine is requesting.

  Here is
> an example from the output of "tcpdump -e ...":
>
> 0:e0:7d:a1:8:75 Broadcast arp 60: arp who-has 202.168.255.85 (68:74:2e:4d:20:74) tell a.host.ip.address
>
> The MAC inside the parenthesis was never in my LAN. Almost all the
> boxes in the LAN are 4.5-STABLE. The box making these queries runs
> bind 8.3.1-REL. Suspiciously, this box also makes a lot of arp
> queries for IPs not in its LAN.
>
> Any ideas on the source of these arps?

Why does 'a.host.ip.address' think 202.168.255.85 is a local address
if it isn't? 

-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Quantcast