Subject: Re: ARP queries; what do they mean?
To: Richard Rauch <rauch@rice.edu>
From: Manuel Bouyer <bouyer@antioche.eu.org>
List: netbsd-help
Date: 12/11/2002 22:46:04
On Wed, Dec 11, 2002 at 07:15:47AM -0600, Richard Rauch wrote:
> I occasionally see my DSL lights flicker briefly when there should be no
> network traffic.  Here is tcpdump output from one such episode:
> 
> 06:24:58.854518 arp who-has adsl-66-136-7-253.dsl.hstntx.swbell.net tell adsl-66-136-7-253.dsl.hstntx.swbell.net
> 
> This is puzzling.  66.136.7.253 is supposed to be an IP number assigned to
> me (though I don't use it yet).  Is who-has for route discovery?  Why

It's to get the MAC address associated with the IP. It can be seen as
some kind of route discovery.

> should my subnet be asked by someone *outside* of my subnet (I assume) to
> tell a machine *inside* my subnet who has it?  Or is this a request being
> generated by NetBSD itself for some reason?  (OBVIOUSLY, I don't
> understand ARP; a complete ARP tutorial probably isn't necessary, but
> don't assume that I'm familiar with anything about ARP if trying to
> usefully reply.  *grin*)

I suspect you have just a block of IPs, and your provider doesn't route them:
it assumes they're all connected to your DSL modem (without routers between
the IP and the modem). So it tries to get a MAC address to reach this IP.

> 
> 
> It may or may not be related, but I received the following at almost the
> same time:
> 
> 06:24:48.393568 cvg-65-27-249-157.cinci.rr.com.1026 > adsl-66-136-7-250.dsl.hstntx.swbell.net.netbios-ns: udp 50

It can be related. Looks like someone is scanning the block for a netbios
vulnerability, in which case the same request was tried against your
unused IP, which triggered the ARP query.

-- 
Manuel Bouyer <bouyer@antioche.eu.org>
     NetBSD: 23 years of experience will always make the difference
--
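
The correlation described in the reply above (an outside host probes the block, and a who-has then appears for an address nobody uses), written as an added example that is not part of the original message. It assumes old-style `tcpdump -n` output (numeric addresses); the sample lines, the RFC 5737 addresses, the /29 block and the function name are all constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample in old-style `tcpdump -n` format; addresses are from
# the RFC 5737 documentation ranges, not from the original message.
SAMPLE = """\
06:24:48.393568 198.51.100.157.1026 > 192.0.2.250.137: udp 50
06:24:49.101200 arp who-has 192.0.2.250 tell 192.0.2.254
06:24:49.101410 arp reply 192.0.2.250 is-at 0:10:4b:aa:bb:cc
06:24:58.854518 arp who-has 192.0.2.253 tell 192.0.2.254
06:31:02.000100 arp who-has 192.0.2.251 tell 192.0.2.254
"""

ARP_REQ = re.compile(r"^(\S+) arp who-has (\S+) tell (\S+)$")
ARP_REP = re.compile(r"^(\S+) arp reply (\S+) is-at \S+$")
IP_PKT = re.compile(
    r"^(\S+) (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): ")

def _ts(stamp):
    return datetime.strptime(stamp, "%H:%M:%S.%f")

def unanswered_arp_after_probe(text, block, window=30.0):
    """List (arp_target, probe_source, dst_port) for every who-has that got
    no reply, targets an address in `block`, and follows within `window`
    seconds an inbound packet from outside `block` to an address in it."""
    net = ipaddress.ip_network(block)
    probes, requests, answered = [], [], set()
    for line in text.splitlines():
        if m := ARP_REP.match(line):
            answered.add(m.group(2))          # this address is in use
        elif m := ARP_REQ.match(line):
            requests.append((_ts(m.group(1)), m.group(2)))
        elif m := IP_PKT.match(line):
            t, src, _, dst, dport = m.groups()
            if (ipaddress.ip_address(dst) in net
                    and ipaddress.ip_address(src) not in net):
                probes.append((_ts(t), src, int(dport)))
    hits = []
    for t_req, target in requests:
        if target in answered or ipaddress.ip_address(target) not in net:
            continue
        for t_probe, src, dport in probes:
            if 0 <= (t_req - t_probe).total_seconds() <= window:
                hits.append((target, src, dport))
    return hits

if __name__ == "__main__":
    print(unanswered_arp_after_probe(SAMPLE, "192.0.2.248/29"))
```

A hit only means the timing fits a sweep of the block; a who-has with no nearby probe (the 06:31 line in the sample) is reported by neither this function nor the reasoning in the reply.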