RE: anyone who saw this arp traffic?

From: Andrew Shore (andrew.shore_at_holistecs.com)
Date: 02/28/05

  • Next message: Eduardo Kienetz: "Re: implementing a secure link" 
    Date: Mon, 28 Feb 2005 16:09:06 -0000
To: "dissolved" <dissolved@comcast.net>, "Monty Ree" <chulmin2@hotmail.com>

    I've seen similar situations when using Virtual server technologies;

    Often "internal" logical networks will throw martens onto the physical network.

    HTH Andy

    -----Original Message-----
    From: dissolved [mailto:dissolved@comcast.net]
    Sent: 25 February 2005 00:40
    To: 'Monty Ree'
    Cc: security-basics@securityfocus.com
    Subject: RE: anyone who saw this arp traffic?


    Are any secondary interfaces or sub-interfaces defined on a gateway?
    -----Original Message-----
    From: Monty Ree [mailto:chulmin2@hotmail.com]
    Sent: Tuesday, February 22, 2005 8:41 PM
    To: security-basics@securityfocus.com
    Subject: anyone who saw this arp traffic?

    Hello, all.

    When I capture network traffic at server farm,I can see lots of arp
    broadcast like below.
    But there is no server which use 172.16.x.x ip address.
    and curiously,

    1. source ip and destination ip is same
    2. more curiously, same traffic(source mac:0:10:dc:f1:f7:64 , source
    ip:172.16.97.157) is seen at my office.
    3. I can also see this traffic(source mac:0:10:dc:f1:f7:64 , source
    ip:172.16.97.157 ) at other IDC.

    Have you ever seen this traffic?
     
    Thanks in advance.


    10:15:26.759069 0:10:dc:f1:f7:64 Broadcast arp 60: arp who-has
    172.16.97.157 (Broadcast) tell 172.16.97.157
    10:15:26.803792 0:c:76:4e:4:c8 Broadcast arp 60: arp who-has 172.16.100.103
    (Broadcast) tell 172.16.100.103
    10:15:26.955878 0:c:76:4e:4:c8 Broadcast arp 60: arp who-has 172.16.100.103
    (Broadcast) tell 172.16.100.103
    10:15:26.967737 0:10:dc:f1:f7:64 Broadcast arp 60: arp who-has
    172.16.97.157 (Broadcast) tell 172.16.97.157

    _________________________________________________________________
    고.. 감.. 도.. 사.. 랑.. 만.. 들.. 기.. MSN 러브
    http://www.msn.co.kr/love/



  • Next message: Eduardo Kienetz: "Re: implementing a secure link"

    Relevant Pages

    • Re: Problem with ListAvailableSQLServers in vb 6
      ... With EnumSQLSvr.exe, it doesn't work (when I remove the network cable, I ... With SQL Server 2000, a Win98 computer is in the list ... > can you please verify your local MSDE instance has network protocols enabled ... > relative instance will not be enlisted in the broadcast call for server ...
      (microsoft.public.sqlserver.msde)
    • Authentication problem?
      ... How can I check on this broadcast issue you're ... are your network configuration correct. ... >>logging into a W2k server with Active Directory. ... >>from a domain login to a home login and back to a domain ...
      (microsoft.public.win2000.security)
    • Re: (Software) timeserver for windows being broadcast-able incl. keys
      ... clients on different network segments by one server ... is with using broadcast with this network design, ... Put a server on each of the 4 subnets. ...
      (comp.protocols.time.ntp)
    • Re: Network path not found?
      ... if I click on the XP machine's name in My Network ... >The 2000 machine is a Broadcast node and the XP machine is a Hybrid ... >Hybrid node reverts to broadcasts if a WINS server is not found). ...
      (microsoft.public.win2000.networking)
    • Re: [SLE] What is this bootps message?
      ... >>which will issue it with its network configuration and also a boot ... it is a reply from bootp/dhcp server to a bootp/dhcp client. ... As for the reasons why the bootp/dhcp server broadcast its reply there ... I am not 100% sure of the cable modem technology (although I used ...
      (SuSE)