Subject: Re: ARP
To: Rimantas Petrauskas <firstname.lastname@example.org>
From: Ignatios Souvatzis <email@example.com>
Date: 03/31/2006 13:07:17
Content-Type: text/plain; charset=us-ascii
On Fri, Mar 31, 2006 at 01:53:43PM +0300, Rimantas Petrauskas wrote:
> I've got a question to ask.
> Command "tcpdump -i wm0 -n arp" gives me the following output:
> 2006-03-31 07:52:08.858034 arp who-has 0.0.0.0 tell 88.xx.xx.xx
> 2006-03-31 07:52:08.858604 arp who-has 0.0.0.0 tell 88.xx.xx.xx
All the same xx.xx.xx, or different? Anyway - this looks like
backscatter from a misconfigured (or attacking) machine that contacts
the 88.xx.xx.xx using 0.0.0.0 as the source address. Or maybe 0.0.0.0
crept in as the name server address of some machine?
E.g. a machine failing to get an address via bootp, but not noticing
the failure ;-)
Go to one of the 88.xx.xx.xx, run tcpdump there, and add -e so that
you see the ethernet source address of the request that triggered the
response that requires the arp. Before you do that, check /etc/hosts
and similar stuff for an entry with 0.0.0.0.
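As an added example (not from this mail and not NetBSD code), here is a small Python script that applies the suggestion above to a capture taken with "tcpdump -e -n" on one of the 88.xx.xx.xx hosts: it reports the ethernet source MAC of every IPv4 frame whose IP source address is 0.0.0.0, and counts the "arp who-has 0.0.0.0" requests the host sends while trying to answer them. The frame layout it parses is modern tcpdump's -e output (an assumption; the mail only shows output without -e), and the sample lines, MACs and addresses are constructed.

```python
import re
from collections import Counter

# Frame header as printed by "tcpdump -e -n" (assumed modern layout):
#   <ts> <src mac> > <dst mac>, ethertype <type> (0x....), length <n>: <payload>
FRAME_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<smac>[0-9a-f:]{17})\s+>\s+(?P<dmac>[0-9a-f:]{17}),\s+"
    r"ethertype\s+(?P<type>\w+).*?length\s+\d+:\s+(?P<payload>.*)$"
)
# IPv4 payload with -n: "<src>[.port] > <dst>[.port]: ..."
IPV4_RE = re.compile(r"^(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?\s+>\s+(?P<dst>\d+\.\d+\.\d+\.\d+)")
ARP_RE = re.compile(r"^arp who-has (?P<target>\S+) tell (?P<sender>\S+)")

def analyse(lines):
    """Correlate frames sourced from IP 0.0.0.0 with 'arp who-has 0.0.0.0'.

    Returns (zero_src_by_mac, arp_by_sender): the ethernet source MACs that
    emitted packets with IP source 0.0.0.0 (the machine to go and look at),
    and the hosts that ARPed for 0.0.0.0 while trying to reply to them.
    """
    zero_src_by_mac = Counter()
    arp_by_sender = Counter()
    for line in lines:
        f = FRAME_RE.match(line)
        if not f:
            continue  # not a -e frame line (e.g. a continuation line)
        payload = f["payload"]
        if f["type"] == "IPv4":
            ip = IPV4_RE.match(payload)
            if ip and ip["src"] == "0.0.0.0":
                zero_src_by_mac[f["smac"]] += 1
        elif f["type"] == "ARP":
            arp = ARP_RE.match(payload)
            if arp and arp["target"] == "0.0.0.0":
                arp_by_sender[arp["sender"]] += 1
    return dict(zero_src_by_mac), dict(arp_by_sender)

# Constructed sample capture: one bogus DNS query from IP 0.0.0.0, the two
# resulting ARP requests, and one normal query/ARP pair for contrast.
SAMPLE = """\
07:52:08.857900 00:de:ad:be:ef:01 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 71: 0.0.0.0.40123 > 88.0.0.1.53: 4711+ A? example.org. (29)
07:52:08.858034 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: arp who-has 0.0.0.0 tell 88.0.0.1
07:52:08.858604 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: arp who-has 0.0.0.0 tell 88.0.0.1
07:52:09.100000 00:aa:bb:cc:dd:ee > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 71: 88.0.0.2.40124 > 88.0.0.1.53: 4712+ A? example.org. (29)
07:52:09.200000 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: arp who-has 88.0.0.2 tell 88.0.0.1
""".splitlines()

if __name__ == "__main__":
    by_mac, by_sender = analyse(SAMPLE)
    for mac, n in by_mac.items():
        print(f"{n} frame(s) with IP source 0.0.0.0 came from MAC {mac}")
    for ip, n in by_sender.items():
        print(f"{ip} sent {n} ARP request(s) for 0.0.0.0")
```

On a real box, feed it "tcpdump -e -n -l" output line by line; the MAC it reports is the one to look up in the switch's forwarding table.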