Re: ARP queries with target hardware address set

From: Mojahedul Hoque Abul Hasanat (mojahed@agni.com)
Date: 04/28/02 

Date: Sun, 28 Apr 2002 09:59:16 +0600
From: Mojahedul Hoque Abul Hasanat <mojahed@agni.com>
To: "Crist J. Clark" <cjc@FreeBSD.ORG>

On Sat, Apr 27, 2002 at 04:57:08PM -0700, Crist J. Clark wrote:
> > should have its target hardware address set to all zeros.
>
> Can you quote some standard or RFC that states this? AFA_I_K, the
> target hardware address field is undefined. It can just as well be
> random junk as all zeros. RFC 826 just says,

Oops! my fault. I shouldn't have said "should have its target HA
set to all zeros". But this is the general case, isn't it? All the
arp queries I can see in this LAN have their THA set to zeros,
except some queries from this host.

> > 0:e0:7d:a1:8:75 Broadcast arp 60: arp who-has 202.168.255.85 (68:74:2e:4d:20:74) tell a.host.ip.address
> >
> > The MAC inside the parenthesis was never in my LAN. Almost all the
>
> Why does 'a.host.ip.address' think 202.168.255.85 is a local address
> if it isn't?

There is absolutely no reason for this. Routing tables are correct,
no dynamic routing protocols either.

Now I am more inclined to think that someone is injecting these
Ethernet frames. But to what effect, I haven't got a clue. 

-- 
Mojahed
System Administrator, Agni Systems Limited
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message