Re: arpwatch

From: John T. Hollyoak (john_at_mail.isc.rit.edu)
Date: Thu, 11 Sep 2003 15:04:35 -0400
To: security-basics@securityfocus.com


    Tomas / Zidan,

    I just wanted to respond and add some information and ask a few
    questions....

    a) What switches (that you are aware of) leak? Do you have any other
    information about this? links?
    b) port mirroring or a monitor port, is the way to go. Check out the
    monitor command on the cisco switches, for an example of how to do this.
    Basically maps a range of ports, to a single port, for the purposes of
    monitoring (I've actually used it for an IDS before).
    c) Using a tool within the Dsniff package, called "macof" ... this can be
    accomplished, simply by blasting the CAM table (Content Addressable Memory)
    with a lot of addresses. The device will either fail open, or fail closed...
    meaning they basically turn into one big collision domain (hub).

    arpwatch is partially useful, if you have a small network. Anything that
    has a constant amount of ARP requests/replies .... will just create a lot of
    junk.

    What are you trying to accomplish by using ARPwatch? Perhaps there is a
    better tool available .....

    John Hollyoak

    ----- Original Message -----
    From: "Tomas Wolf" <tomas@skip.cz>
    To: "zidan" <zidan00@fastmail.fm>
    Cc: <security-basics@securityfocus.com>
    Sent: Thursday, September 11, 2003 7:33 AM
    Subject: Re: arpwatch

    > my 2c --
    > a) some switches horribly leak :-)
    > b) port mirroring would be the best bet (manageable switches necessary)
    > c) some under heavy load work like hubs (flood it)
    >
    > good luck - T.
    >
    > zidan wrote:
    >
    > >hello,
    > >
    > >I have recently installed arpwatch on one of our servers. I understood
    > >arpwatch "learns" arp replies, but since arp replies are destined to a
    > >specific MAC and
    > >this is a switched network, how can arpwatch see all arp replies ?
    > >
    > >
    > >-Z
    > >
    > >
    >
    >
    >

    
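A concrete picture of what arpwatch does with the ARP traffic it can see, and of the visibility problem zidan asks about, as an added example (this is not the arpwatch source and was not posted by anyone in the thread). The Python below parses raw Ethernet/ARP frames, learns IP-to-MAC bindings from the sender fields of requests and replies alike (which is how arpwatch learns), and reports the same event types arpwatch logs: "new station", "changed ethernet address", "flip flop" and "ethernet mismatch". All MAC and IP addresses, the frames and the `demo()` scenario (a rogue host answering ARP for the gateway's IP) are constructed for the example; `visible_without_mirroring()` is a deliberate simplification of switch forwarding (broadcast or addressed to the sensor's own port) that ignores the flooding a switch does for unknown destinations or an overflowed CAM table.

```python
"""Minimal arpwatch-style ARP monitor (added illustration, not the arpwatch source)."""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))

def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_frame(op, sha, spa, tha, tpa, eth_src=None):
    """Constructed test input: Ethernet II header + 28-byte IPv4-over-Ethernet ARP body."""
    eth_src = eth_src or sha
    eth_dst = BROADCAST if op == ARP_REQUEST else tha
    eth = struct.pack("!6s6sH", mac_bytes(eth_dst), mac_bytes(eth_src), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))
    return eth + arp


def parse_arp_frame(frame):
    """Return the fields of an Ethernet/IPv4 ARP frame, or None for anything else."""
    if len(frame) < 42:
        return None
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "eth_src": mac_str(eth_src), "eth_dst": mac_str(eth_dst),
            "sha": mac_str(sha), "spa": ip_str(spa), "tha": mac_str(tha), "tpa": ip_str(tpa)}


def visible_without_mirroring(frame, sensor_mac):
    """Simplified switch forwarding: the sensor's port only receives broadcasts and
    frames addressed to its own MAC; unicast ARP replies between other hosts do not arrive."""
    dst = mac_str(frame[:6])
    return dst in (BROADCAST, sensor_mac)


class ArpWatcher:
    """Learns IP -> MAC from the sender fields of every ARP packet, as arpwatch does."""

    def __init__(self):
        self.bindings = {}  # ip -> (current_mac, previous_mac)

    def observe(self, frame):
        arp = parse_arp_frame(frame)
        if arp is None:
            return []
        events, ip, mac = [], arp["spa"], arp["sha"]
        if arp["eth_src"] != mac:  # frame source and ARP sender hardware address disagree
            events.append(("ethernet mismatch", ip, mac, arp["eth_src"]))
        if ip == "0.0.0.0":  # ARP probe (RFC 5227) carries no binding
            return events
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = (mac, None)
            events.append(("new station", ip, mac, None))
        elif known[0] != mac:
            # returning to the previous MAC is a "flip flop"; anything else is a change
            kind = "flip flop" if known[1] == mac else "changed ethernet address"
            self.bindings[ip] = (mac, known[0])
            events.append((kind, ip, mac, known[0]))
        return events

    def watch(self, frames):
        return [e for f in frames for e in self.observe(f)]


def demo():
    """Constructed scenario: a rogue host answers ARP for the gateway's IP address."""
    gw_mac, gw_ip = "00:11:22:33:44:01", "10.0.0.1"
    host_mac, host_ip = "00:11:22:33:44:02", "10.0.0.20"
    rogue_mac, sensor_mac = "de:ad:be:ef:00:01", "00:11:22:33:44:99"
    frames = [
        build_arp_frame(ARP_REQUEST, host_mac, host_ip, "00:00:00:00:00:00", gw_ip),
        build_arp_frame(ARP_REPLY, gw_mac, gw_ip, host_mac, host_ip),
        build_arp_frame(ARP_REPLY, rogue_mac, gw_ip, host_mac, host_ip),  # spoofed gateway
        build_arp_frame(ARP_REPLY, gw_mac, gw_ip, host_mac, host_ip),  # real gateway answers again
        build_arp_frame(ARP_REPLY, rogue_mac, gw_ip, host_mac, host_ip, eth_src=host_mac),
    ]
    mirrored = ArpWatcher().watch(frames)  # sensor on a monitor/SPAN port sees every frame
    switched = ArpWatcher().watch(
        [f for f in frames if visible_without_mirroring(f, sensor_mac)])
    return {"mirrored": mirrored, "switched": switched}
```

Running `demo()` shows the point of the thread: on the mirrored port the watcher reports the rogue's takeover of 10.0.0.1 as "changed ethernet address", the real gateway's reappearance as "flip flop", and the last frame as both "ethernet mismatch" and "flip flop"; on an ordinary switched port the sensor only ever receives the broadcast request and learns nothing about the gateway at all. Overflowing the CAM table with macof-style traffic turns the unicast replies into flooded frames, which is why that trick makes them visible, but it is an attack on the switch rather than a monitoring technique.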

