[Snort-users] ARP mangling:
cpw at ...440...
Tue May 22 14:45:56 EDT 2001
On Tue, May 22, 2001 at 01:35:59PM -0400, Terry Rankin wrote:
> I've been using Snort v1.7 on NT4 successfully for a few weeks on several
> networks with only one problem - all layer 3 info in ARP requests/replies
> appears to be getting mangled between reception and logging. The symptoms
> are as follows:
> 1. the target IP of the ARP request is always 188.8.131.52.
> 2. the sending IP of the ARP request varies, but about 75% claim to be from
> 184.108.40.206. To date, the last two octets are always 217.0.
> 3. no 'actual' ARP request layer 3 info is ever recorded to the log file -
> just the butchered info.
> 4. the ARP replies contain genuine layer 2 addresses.
What is your network configuration? ARP only applies to layer 2 (same link
layer). So the stuff below indicates you have a bunch of weird machines
on the same link as you, all wanting to know about network 212.250.18.
What are the machines with the layer 2 addresses?
Can you get a tcpdump of this stuff?
> ARP who-has 220.127.116.11 tell 18.104.22.168.
> ARP who-has 22.214.171.124 tell 126.96.36.199
> ARP who-has 188.8.131.52 tell 184.108.40.206
> 05/21-12:15:05.144373 ARP reply 220.127.116.11 is-at 0:10:5A:XX:YY:ZZ.
> I've searched the obvious places for answers without any joy. I would be
> extremely grateful for further information.
Phil Wood, cpw at ...440...
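
An added example, not part of the original thread or of Snort's code: a small decoder for a raw Ethernet/IPv4 ARP frame, so the layer 3 fields in a tcpdump capture can be read straight from the bytes and compared with what the sensor logged. The two sample frames are constructed (192.0.2.0/24 documentation addresses, locally administered MACs), and the function and constant names are illustrative.

```python
import socket
import struct

# Network byte order, no padding: field offsets match the wire layout exactly.
ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")    # htype ptype hlen plen op sha spa tha tpa
ETHERTYPE_ARP = 0x0806

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def decode_arp(frame):
    """Summarise one untagged Ethernet/IPv4 ARP frame, or raise ValueError."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        raise ValueError("frame too short for Ethernet + ARP")
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = ARP_HDR.unpack_from(
        frame, ETH_HDR.size)
    # Address lengths must be checked before trusting the fixed offsets above.
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    sender, target = socket.inet_ntoa(spa), socket.inet_ntoa(tpa)
    if op == 1:
        return f"ARP who-has {target} tell {sender}"
    if op == 2:
        return f"ARP reply {sender} is-at {mac(sha)}"
    raise ValueError(f"unhandled ARP opcode {op}")

# Constructed sample frames (not taken from the thread).
SAMPLE_REQUEST = bytes.fromhex(
    "ffffffffffff" "02000000000a" "0806"      # Ethernet: broadcast, src, ARP
    "0001" "0800" "06" "04" "0001"            # Ethernet/IPv4, opcode 1 (request)
    "02000000000a" "c000020a"                 # sender MAC, sender IP 192.0.2.10
    "000000000000" "c0000201")                # target MAC unknown, target IP 192.0.2.1
SAMPLE_REPLY = bytes.fromhex(
    "02000000000a" "020000000001" "0806"
    "0001" "0800" "06" "04" "0002"            # opcode 2 (reply)
    "020000000001" "c0000201"                 # sender MAC, sender IP 192.0.2.1
    "02000000000a" "c000020a")                # target MAC, target IP 192.0.2.10

if __name__ == "__main__":
    for f in (SAMPLE_REQUEST, SAMPLE_REPLY):
        print(decode_arp(f))
```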