Re: anyone who saw this arp traffic?

• Previous message: Ankush Kapoor: "Re: Comparing linux distros."
• In reply to: Monty Ree: "anyone who saw this arp traffic?"
• Next in thread: Andrew Shore: "RE: anyone who saw this arp traffic?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Sun, 27 Feb 2005 06:27:03 +0530
To: Monty Ree <chulmin2@hotmail.com>

Have seen similar ARP broadcasts when windows machines on our network
got hit by worms.
Which worms i dont quite remember. Perhaps blaster.

regards

Ankush Kapoor

On Wed, 23 Feb 2005 01:40:43 +0000, Monty Ree <chulmin2@hotmail.com> wrote:
> Hello, all.
>
> When I capture network traffic at server farm,I can see lots of arp
> broadcast like below.
> But there is no server which use 172.16.x.x ip address.
> and curiously,
>
> 1. source ip and destination ip is same
> 2. more curiously, same traffic(source mac:0:10:dc:f1:f7:64 , source
> ip:172.16.97.157) is seen at my office.
> 3. I can also see this traffic(source mac:0:10:dc:f1:f7:64 , source
> ip:172.16.97.157 ) at other IDC.
>
> Have you ever seen this traffic?
>
> Thanks in advance.
>
> 10:15:26.759069 0:10:dc:f1:f7:64 Broadcast arp 60: arp who-has
> 172.16.97.157 (Broadcast) tell 172.16.97.157
> 10:15:26.803792 0:c:76:4e:4:c8 Broadcast arp 60: arp who-has 172.16.100.103
> (Broadcast) tell 172.16.100.103
> 10:15:26.955878 0:c:76:4e:4:c8 Broadcast arp 60: arp who-has 172.16.100.103
> (Broadcast) tell 172.16.100.103
> 10:15:26.967737 0:10:dc:f1:f7:64 Broadcast arp 60: arp who-has
> 172.16.97.157 (Broadcast) tell 172.16.97.157
>
> _________________________________________________________________
> 고.. 감.. 도.. 사.. 랑.. 만.. 들.. 기.. MSN 러브
> http://www.msn.co.kr/love/
>
>

• Previous message: Ankush Kapoor: "Re: Comparing linux distros."
• In reply to: Monty Ree: "anyone who saw this arp traffic?"
• Next in thread: Andrew Shore: "RE: anyone who saw this arp traffic?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]