[Snort-users] ARP mangling:
trankin at ...2080...
Tue May 22 13:35:59 EDT 2001
I've been using Snort v1.7 on NT4 successfully for a few weeks on several
networks with only one problem - all layer 3 info in ARP requests/replies
appears to be getting mangled between reception and logging. The symptoms
are as follows:

1. the target IP of the ARP request is always 184.108.40.206.
2. the sending IP of the ARP request varies, but about 75% claim to be from
220.127.116.11. To date, the last two octets are always 217.0.
3. no 'actual' ARP request layer 3 info is ever recorded to the log file -
just the butchered info.
4. the ARP replies contain genuine layer 2 addresses.

ARP who-has 18.104.22.168 tell 22.214.171.124.
ARP who-has 126.96.36.199 tell 188.8.131.52
ARP who-has 184.108.40.206 tell 220.127.116.11
05/21-12:15:05.144373 ARP reply 18.104.22.168 is-at 0:10:5A:XX:YY:ZZ.

I've searched the obvious places for answers without any joy. I would be
extremely grateful for further information.
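
Added example, not part of the original post and not Snort code: an independent decoder for one Ethernet/IPv4 ARP frame that renders it in the same style as the log lines quoted in the post, so a raw capture of a frame can be compared with what was logged. The sample frames, their addresses and all function names are constructed for illustration.

```python
import socket
import struct

ETH = struct.Struct("!6s6sH")      # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH")      # htype, ptype, hlen, plen, opcode
BODY = struct.Struct("!6s4s6s4s")  # sender MAC/IP, target MAC/IP (Ethernet/IPv4)

def fmt_mac(raw: bytes) -> str:
    # Unpadded upper-case hex, matching the "0:10:5A:..." style in the post.
    return ":".join(f"{b:X}" for b in raw)

def decode_arp(frame: bytes) -> str:
    """Render one Ethernet frame carrying ARP as a log-style line."""
    if len(frame) < ETH.size + ARP.size:
        raise ValueError("truncated: no complete Ethernet + ARP header")
    _dst, _src, ethertype = ETH.unpack_from(frame, 0)
    if ethertype != 0x0806:
        raise ValueError(f"EtherType 0x{ethertype:04x} is not ARP")
    htype, ptype, hlen, plen, op = ARP.unpack_from(frame, ETH.size)
    # Address offsets depend on hlen/plen; only Ethernet + IPv4 is handled.
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    start = ETH.size + ARP.size
    if len(frame) < start + BODY.size:
        raise ValueError("truncated: address fields missing")
    sha, spa, _tha, tpa = BODY.unpack_from(frame, start)
    sender_ip, target_ip = socket.inet_ntoa(spa), socket.inet_ntoa(tpa)
    if op == 1:   # request: layer 3 fields only
        return f"ARP who-has {target_ip} tell {sender_ip}"
    if op == 2:   # reply: sender IP plus sender MAC
        return f"ARP reply {sender_ip} is-at {fmt_mac(sha)}"
    raise ValueError(f"unhandled ARP opcode {op}")

def build_frame(op, sha, spa, tha, tpa, dst):
    """Construct a sample frame (test input only, not captured traffic)."""
    return (ETH.pack(dst, sha, 0x0806) + ARP.pack(1, 0x0800, 6, 4, op)
            + BODY.pack(sha, socket.inet_aton(spa), tha, socket.inet_aton(tpa)))

# Constructed samples using documentation address ranges.
HOST_A = bytes.fromhex("00005e005301")
HOST_B = bytes.fromhex("00005e005302")
REQUEST = build_frame(1, HOST_A, "192.0.2.10", bytes(6), "192.0.2.1", b"\xff" * 6)
REPLY = build_frame(2, HOST_B, "192.0.2.1", HOST_A, "192.0.2.10", HOST_A)

if __name__ == "__main__":
    for frame in (REQUEST, REPLY):
        print(decode_arp(frame))
```

If the line decoded from the raw bytes shows the expected addresses while the logged line does not, the corruption lies after capture, in decoding or logging.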