Subject: Re: ARP
To: Rimantas Petrauskas <rimantas@remo.lt>
From: Ignatios Souvatzis <is@netbsd.org>
List: tech-net
Date: 03/31/2006 13:07:17

On Fri, Mar 31, 2006 at 01:53:43PM +0300, Rimantas Petrauskas wrote:
> Hello,
>
> I've got a question to ask.
>
> Command "tcpdump -i wm0 -n arp" gives me the following output:
> .....
> 2006-03-31 07:52:08.858034 arp who-has 0.0.0.0 tell 88.xx.xx.xx
> 2006-03-31 07:52:08.858604 arp who-has 0.0.0.0 tell 88.xx.xx.xx

All the same xx.xx.xx, or different? Anyway - this looks like
backscatter from a misconfigured (or attacking) machine that contacts
the 88.xx.xx.xx using 0.0.0.0 as the source address. Or maybe 0.0.0.0
crept in as the name server address of some machine?

E.g. a machine failing to get an address via bootp, but not noticing
the failure ;-)

Go to one of the 88.xx.xx.xx, run tcpdump there, and add -e so that
you see the ethernet source address of the request that triggered the
response that requires the arp. Before you do that, check /etc/hosts
and similar stuff for an entry with 0.0.0.0.

Regards,
	-is

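Added example, not part of the mail: a small Python parser that runs the diagnosis described above over tcpdump text output, counting which hosts are ARPing for 0.0.0.0 and, when tcpdump was run with -e, which Ethernet source address is emitting the packets with source 0.0.0.0 that provoke those ARP requests. The sample lines, the 192.0.2.x addresses standing in for the masked 88.xx.xx.xx, and the shapes of the -e lines (approximating older and newer tcpdump generations) are constructed assumptions.

```python
import re
from collections import Counter

UNSPECIFIED = "0.0.0.0"
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
MAC_RE = re.compile(r"\b((?:[0-9a-f]{1,2}:){5}[0-9a-f]{1,2})\b", re.I)
# Matches both "arp who-has X tell Y" (old tcpdump) and "ARP, Request who-has X tell Y" (new).
ARP_RE = re.compile(rf"who-has (?P<target>{IPV4}) tell (?P<sender>{IPV4})")
IP_RE = re.compile(rf"(?P<src>{IPV4})(?:\.\d+)? > (?P<dst>{IPV4})")

def normalize_mac(mac):
    """Zero-pad octets so '0:a:b:c:d:e' and '00:0a:0b:0c:0d:0e' compare equal."""
    return ":".join(octet.zfill(2) for octet in mac.lower().split(":"))

def parse_line(line):
    """Describe an ARP request or IPv4 packet line; the Ethernet source
    address is only present when tcpdump ran with -e (first MAC on the line)."""
    mac = MAC_RE.search(line)
    src_mac = normalize_mac(mac.group(1)) if mac else None
    if arp := ARP_RE.search(line):
        return {"kind": "arp", "target": arp["target"], "sender": arp["sender"], "src_mac": src_mac}
    if ip := IP_RE.search(line):
        return {"kind": "ip", "src": ip["src"], "dst": ip["dst"], "src_mac": src_mac}
    return None

def summarize(lines):
    """Count hosts ARPing for 0.0.0.0, and the MACs sending packets from 0.0.0.0
    (the sender the mail suggests hunting for with tcpdump -e)."""
    arp_senders, ip_src_macs = Counter(), Counter()
    for rec in filter(None, map(parse_line, lines)):
        if rec["kind"] == "arp" and rec["target"] == UNSPECIFIED:
            arp_senders[rec["sender"]] += 1
        elif rec["kind"] == "ip" and rec["src"] == UNSPECIFIED:
            ip_src_macs[rec["src_mac"] or "unknown (rerun tcpdump with -e)"] += 1
    return {"arp_for_unspecified": arp_senders, "unspecified_src_macs": ip_src_macs}

# Constructed sample in the shapes of 'tcpdump -n' and 'tcpdump -n -e' output
# (old and new tcpdump generations); 192.0.2.x stands in for the mail's 88.xx.xx.xx.
SAMPLE = """\
2006-03-31 07:52:08.858034 arp who-has 0.0.0.0 tell 192.0.2.10
2006-03-31 07:52:08.858604 arp who-has 0.0.0.0 tell 192.0.2.10
2006-03-31 07:52:09.001200 arp who-has 192.0.2.1 tell 192.0.2.10
2006-03-31 07:52:10.100000 0:11:22:33:44:55 0:a:b:c:d:e ip 74: 0.0.0.0.1024 > 192.0.2.10.53: udp 32
2006-03-31 07:52:10.100500 0:a:b:c:d:e ff:ff:ff:ff:ff:ff arp 60: arp who-has 0.0.0.0 tell 192.0.2.10
2006-03-31 07:52:11.000000 00:11:22:33:44:55 > 00:0a:0b:0c:0d:0e, ethertype IPv4 (0x0800), length 74: IP 0.0.0.0.1025 > 192.0.2.11.53: 1+ A? example.test. (30)
""".splitlines()

if __name__ == "__main__":
    for key, counts in summarize(SAMPLE).items():
        print(key, dict(counts))
```

Feed it real output with `tcpdump -n -e -l ... | python3 script.py` style plumbing after replacing SAMPLE with `sys.stdin`; the MAC under `unspecified_src_macs` is the station to check for a failed bootp/DHCP lease or a 0.0.0.0 entry in /etc/hosts.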