Subject: Re: ARP
To: Rimantas Petrauskas <>
From: Ignatios Souvatzis <>
List: tech-net
Date: 03/31/2006 13:07:17

On Fri, Mar 31, 2006 at 01:53:43PM +0300, Rimantas Petrauskas wrote:
> Hello,
> i've got a question to ask.
> Command "tcpdump -i wm0 -n arp" gives me the following output:
> .....
> 2006-03-31 07:52:08.858034 arp who-has tell 88.xx.xx.xx
> 2006-03-31 07:52:08.858604 arp who-has tell 88.xx.xx.xx

All the same xx.xx.xx, or different? Anyway - this looks like
backscatter from a misconfigured (or attacking) machine that contacts
the 88.xx.xx.xx using as the source address. Or maybe
crept in as the name server address of some machine?

E.g. a machine failing to get an address via bootp, but not noticing
the failure ;-)

Go to one of the 88.xx.xx.xx, run tcpdump there, and add -e so that
you see the ethernet source address of the request that triggered the
response that requires the arp. Before you do that, check /etc/hosts
and similar stuff for an entry with


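The correlation suggested in the message above (use `tcpdump -e` to find the Ethernet source of the frame that made the host send the ARP request) can be automated. This is an added example, not part of the original message: it assumes the line layout printed by current `tcpdump -e -n` releases, and the capture lines, MAC addresses and 192.0.2.0/24 addresses are constructed.

```python
import re
from collections import defaultdict

# Assumed layout of a `tcpdump -e -n` line:
#   time srcmac > dstmac, ethertype TYPE (0x....), length N: payload summary
HDR = r"^\S+ (?P<smac>[0-9a-f:]{17}) > [0-9a-f:]{17}, ethertype "
ARP_RE = re.compile(HDR + r"ARP \(0x0806\), length \d+: "
                    r"Request who-has (?P<target>[\d.]+) tell (?P<asker>[\d.]+),")
IP_RE = re.compile(HDR + r"IPv4 \(0x0800\), length \d+: "
                   r"(?P<sip>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > ")


def find_triggering_macs(lines):
    """Map each ARP-requested address to the source MACs of the IPv4
    frames that claimed that address as their source IP."""
    arp_targets = set()
    frames = []  # (source MAC, source IP) of every IPv4 frame seen
    for line in lines:
        line = line.strip()
        if (m := ARP_RE.match(line)):
            arp_targets.add(m["target"])
        elif (m := IP_RE.match(line)):
            frames.append((m["smac"], m["sip"]))
    result = defaultdict(set)
    for smac, sip in frames:
        if sip in arp_targets:
            result[sip].add(smac)
    return dict(result)


# Constructed capture: one frame claims source 192.0.2.99, the local host
# then ARPs for that address; the ICMP frame is unrelated traffic.
SAMPLE = """\
07:52:08.857900 00:16:3e:aa:bb:01 > 00:16:3e:00:00:10, ethertype IPv4 (0x0800), length 74: 192.0.2.99.51000 > 192.0.2.10.80: Flags [S], seq 1, win 64240, length 0
07:52:08.858034 00:16:3e:00:00:10 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.0.2.99 tell 192.0.2.10, length 28
07:52:08.900000 00:16:3e:aa:bb:02 > 00:16:3e:00:00:10, ethertype IPv4 (0x0800), length 98: 192.0.2.20 > 192.0.2.10: ICMP echo request, id 1, seq 1, length 64
""".splitlines()

if __name__ == "__main__":
    for ip, macs in find_triggering_macs(SAMPLE).items():
        print(f"ARP for {ip} was triggered by frames from: {', '.join(sorted(macs))}")
```

The MAC address it reports identifies the sending interface on the local segment, which is what lets you locate the misconfigured machine.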