RE: anyone who saw this arp traffic?

From: Badger, Jared (Jared.Badger_at_acs-inc.com)
Date: 03/03/05

    To: Amit Ronen <amitro@spiderservices.com>
    Date: Wed, 2 Mar 2005 17:33:02 -0700 
    
    

    Amit,

    This is called a "gratuitous ARP". Stations will often do this to check if
    an address is in use before accepting a DHCP lease. Use your protocol
    analyzer to see if this ARP behavior coincides with DHCP. Not sure why
    you're seeing it on multiple links or why stuff from 172.16.x.x is showing
    up on a network where it doesn't belong...

    -Jared Badger

    PS. Here is the info for that MAC address.

    00-10-DC (hex) MICRO-STAR INTERNATIONAL CO., LTD.
    0010DC (base 16) MICRO-STAR INTERNATIONAL CO., LTD.
                                    NO. 69, LI-DE ST., JUNG-HE CITY
                                     TAIPEI HSIEN
                                    TAIWAN, REPUBLIC OF CHINA

    00-0C-76 (hex) MICRO-STAR INTERNATIONAL CO., LTD.
    000C76 (base 16) MICRO-STAR INTERNATIONAL CO., LTD.
                                    No 69, Li-De Street, Jung-He City, Taipe
                                    Taipei
                                    TAIWAN, REPUBLIC OF CHINA

    -----Original Message-----
    From: Amit Ronen [mailto:amitro@spiderservices.com]
    Sent: Wednesday, March 02, 2005 1:43 AM
    To: security-basics@securityfocus.com
    Subject: RE: anyone who saw this arp traffic?

    Try checking if there is a VPN device that uses virtual IPs for external VPN
    users - similar to Checkpoint office mode....

    -----Original Message-----
    From: Andrew Shore [mailto:andrew.shore@holistecs.com]
    Sent: Monday, 28 February 2005 18:09
    To: dissolved; Monty Ree
    Cc: security-basics@securityfocus.com
    Subject: RE: anyone who saw this arp traffic?

    I've seen similar situations when using virtual server technologies;

    Often "internal" logical networks will throw martians onto the physical
    network.

    HTH Andy

    -----Original Message-----
    From: dissolved [mailto:dissolved@comcast.net]
    Sent: 25 February 2005 00:40
    To: 'Monty Ree'
    Cc: security-basics@securityfocus.com
    Subject: RE: anyone who saw this arp traffic?

    Are any secondary interfaces or sub-interfaces defined on a gateway?

    -----Original Message-----
    From: Monty Ree [mailto:chulmin2@hotmail.com]
    Sent: Tuesday, February 22, 2005 8:41 PM
    To: security-basics@securityfocus.com
    Subject: anyone who saw this arp traffic?

    Hello, all.

    When I capture network traffic at the server farm, I can see lots of ARP
    broadcasts like below.
    But there is no server which uses a 172.16.x.x IP address.
    And curiously,

    1. source IP and destination IP are the same
    2. more curiously, the same traffic (source MAC: 0:10:dc:f1:f7:64, source
    IP: 172.16.97.157) is seen at my office.
    3. I can also see this traffic (source MAC: 0:10:dc:f1:f7:64, source
    IP: 172.16.97.157) at another IDC.

    Have you ever seen this traffic?
     
    Thanks in advance.

    10:15:26.759069 0:10:dc:f1:f7:64 Broadcast arp 60: arp who-has
    172.16.97.157 (Broadcast) tell 172.16.97.157
    10:15:26.803792 0:c:76:4e:4:c8 Broadcast arp 60: arp who-has 172.16.100.103
    (Broadcast) tell 172.16.100.103
    10:15:26.955878 0:c:76:4e:4:c8 Broadcast arp 60: arp who-has 172.16.100.103
    (Broadcast) tell 172.16.100.103
    10:15:26.967737 0:10:dc:f1:f7:64 Broadcast arp 60: arp who-has
    172.16.97.157 (Broadcast) tell 172.16.97.157


