Subject: Re: ARP queries; what do they mean?
To: Manuel Bouyer <bouyer@antioche.eu.org>
From: Richard Rauch <rauch@rice.edu>
List: netbsd-help
Date: 12/11/2002 18:31:45
> > I occasionally see my DSL lights flicker briefly when there should be no
> > network traffic.  Here is tcpdump output from one such episode:
> >
> > 06:24:58.854518 arp who-has adsl-66-136-7-253.dsl.hstntx.swbell.net tell adsl-66-136-7-253.dsl.hstntx.swbell.net
> >
> > This is puzzling.  66.136.7.253 is supposed to be an IP number assigned to
> > me (though I don't use it yet).  Is who-has for route discovery?  Why
>
> It's to get the MAC address associated with the IP. It can be seen as
> some kind of route discovery.

That's kind of what I figured.  But then, why tell ...253 to tell itself?
If some other machine in the subnet (say my ISP's gateway at ...254) wants
to know about that IP number, shouldn't it ask to get the reply directly
back ("tell ...254", rather than "tell ...253")?

Or does this query (if answered) have to be answered in the same medium
where it was asked, so everything able to snoop the link (say, my ISP's
gateway) can wait for the reply and pick it out?


> > It may or may not be related, but I received the following at almost the
> > same time:
> >
> > 06:24:48.393568 cvg-65-27-249-157.cinci.rr.com.1026 > adsl-66-136-7-250.dsl.hstntx.swbell.net.netbios-ns: udp 50
>
> It can be related. Looks like someone is scanning the block for a netbios
> vulnerability, in which case the same request was tried against your
> unused IP, which triggered the ARP query

Ah, yes, of course.  That makes perfect sense.

Thanks.  (^&


  ``I probably don't know what I'm talking about.'' --rauch@math.rice.edu
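
Added example, not part of the original message: a short Python decoder for the Ethernet/IPv4 ARP payload, showing that tcpdump prints the target protocol address after "who-has" and the sender protocol address after "tell", and labelling a request in which the two are equal. The MAC addresses are constructed, and 66.136.7.254 for the gateway is an assumption expanded from the "...254" in the message.

```python
import socket
import struct

# Ethernet/IPv4 ARP payload (RFC 826): htype, ptype, hlen, plen, oper,
# sender MAC (SHA), sender IP (SPA), target MAC (THA), target IP (TPA).
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)  # 28 bytes

def parse_arp(payload: bytes) -> dict:
    """Decode a 28-byte Ethernet/IPv4 ARP payload; raise ValueError otherwise."""
    if len(payload) < ARP_LEN:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, payload[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"oper": oper, "sha": sha.hex(":"), "spa": socket.inet_ntoa(spa),
            "tha": tha.hex(":"), "tpa": socket.inet_ntoa(tpa)}

def describe(arp: dict) -> str:
    """Render like tcpdump and label requests by how SPA relates to TPA."""
    if arp["oper"] == 2:
        return f"arp reply {arp['spa']} is-at {arp['sha']}"
    if arp["oper"] != 1:
        return f"arp op {arp['oper']}"
    line = f"arp who-has {arp['tpa']} tell {arp['spa']}"
    if arp["spa"] == arp["tpa"]:
        # Sender claims the address it asks about (RFC 5227 "ARP Announcement").
        return line + " [announcement: sender asks about its own address]"
    if arp["spa"] == "0.0.0.0":
        return line + " [probe: sender has no address yet]"
    # Broadcast question; the owner replies to the sender's MAC (SHA).
    return line + " [ordinary request]"

def build(oper, sha, spa, tha, tpa) -> bytes:
    """Build a constructed sample payload for the demo below."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, bytes.fromhex(sha),
                       socket.inet_aton(spa), bytes.fromhex(tha),
                       socket.inet_aton(tpa))

# Constructed samples: MACs are made up; .254 as the gateway is an assumption.
SELF = build(1, "020000000001", "66.136.7.253", "000000000000", "66.136.7.253")
GATEWAY = build(1, "020000000002", "66.136.7.254", "000000000000", "66.136.7.253")

if __name__ == "__main__":
    for pkt in (SELF, GATEWAY):
        print(describe(parse_arp(pkt)))
```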