Subject: help w/ tcpdump/arp
To: None <firstname.lastname@example.org>
From: Brian Grayson <email@example.com>
Date: 09/05/1998 17:17:41
A little while ago, I had reason to believe one of the machines on
our subnet had been broken into -- the subnet was flooded with
messages from a numerical IP not on our net, to a named host not on
our net. And the numerical IP would change every 20 packets or so.
Is there a flag to tcpdump that says, print out the ethernet address
of the sending machine, so that I could tell which of the 200 or so
machines on the subnet was responsible? Is there any good
method/program for translating Ethernet addresses to IPs? arp looks
like it'll only do the reverse, and arp -a will only show current cached
ARP entries, not all entries for the whole subnet.
Fortunately, the flooding stopped, but it could start up again any
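A defender-side triage for the situation described above, as an added example that is not part of the original message: `tcpdump -e` prints the link-level (Ethernet) header, and the script below parses constructed `tcpdump -e -n` output (modern tcpdump line format, not 1998's) to report which source MAC emitted packets from addresses outside the local prefix, and builds a MAC-to-IP table from ARP replies seen on the wire rather than from the local `arp -a` cache. All MACs, IPs and the local prefix are constructed sample values.

```shell
#!/bin/sh
# Constructed sample of `tcpdump -e -n` output (not a real capture): -e prints
# the Ethernet header, -n disables name lookups. 00:a0:c9:11:22:33 is the
# hypothetical machine sending from rotating off-net source addresses.
SAMPLE_CAPTURE='17:17:41.000001 00:a0:c9:11:22:33 > 00:00:0c:07:ac:01, ethertype IPv4 (0x0800), length 60: 203.0.113.9 > 198.51.100.7: ICMP echo request, id 1, seq 1, length 26
17:17:41.000002 00:a0:c9:11:22:33 > 00:00:0c:07:ac:01, ethertype IPv4 (0x0800), length 60: 203.0.113.9 > 198.51.100.7: ICMP echo request, id 1, seq 2, length 26
17:17:41.000003 00:a0:c9:11:22:33 > 00:00:0c:07:ac:01, ethertype IPv4 (0x0800), length 60: 203.0.113.44 > 198.51.100.7: ICMP echo request, id 1, seq 3, length 26
17:17:41.000004 08:00:20:aa:bb:cc > 00:00:0c:07:ac:01, ethertype IPv4 (0x0800), length 74: 198.51.100.3.1023 > 198.51.100.7.22: Flags [S], seq 1, win 512, length 0
17:17:42.000005 08:00:20:aa:bb:cc > 00:a0:c9:11:22:33, ethertype ARP (0x0806), length 42: Reply 198.51.100.3 is-at 08:00:20:aa:bb:cc, length 28'

# foreign_senders CAPTURE LOCAL_PREFIX
# Prints "src_mac packets distinct_src_ips" for every Ethernet source that
# emitted IPv4 packets whose source address does not start with LOCAL_PREFIX.
foreign_senders() {
    printf '%s\n' "$1" | awk -v local="$2" '
        $6 == "IPv4" {
            ip = $10                          # source IP, maybe with .port suffix
            n = split(ip, a, ".")
            if (n > 4) ip = a[1] "." a[2] "." a[3] "." a[4]
            if (index(ip, local) == 1) next   # local source address: not of interest
            pkts[$2]++
            if (!(($2, ip) in seen)) { seen[$2, ip] = 1; distinct[$2]++ }
        }
        END { for (m in pkts) print m, pkts[m], distinct[m] }' | sort -k2,2nr
}

# arp_replies CAPTURE
# Builds a "mac ip" table from ARP replies seen on the wire; this covers
# hosts that never made it into the local machine's arp -a cache.
arp_replies() {
    printf '%s\n' "$1" | awk '
        $6 == "ARP" && $10 == "Reply" {
            mac = $13; sub(/,$/, "", mac)    # strip trailing comma from the MAC
            print mac, $11
        }'
}

foreign_senders "$SAMPLE_CAPTURE" "198.51.100."
arp_replies "$SAMPLE_CAPTURE"
```

On a live network the same functions take `tcpdump -e -n -i <iface>` output piped through them, with the prefix set to the local subnet.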