[Snort-users] ARP mangling:

Terry Rankin trankin at ...2080...
Tue May 22 15:06:59 EDT 2001


I used another NetMon in tandem with Snort and there are no actual ARPs for
the 212.250.18 net address. It appears that some software component/function
is rewriting the 'sender protocol address' and 'target protocol address'
fields of the ARP_RARP broadcast frame so that false IP data is written to
the log. Therefore, legitimate ARPs are being incorrectly interpreted
and/or appended to the Snort log file. The layer 3 info for ARP replies is
similarly mutated although the layer 2 info is legitimate. I have tested
this on several independent networks and the results are identical. The
problem is either a software issue ('libpcap' or 'snort') or related to how
the 'libpcap' s/w interacts with my NIC (AMD PCNET PCI 100bTX). Note: this
only happens for ARP traffic.


terry

-----Original Message-----
From: Phil Wood [mailto:cpw at ...440...]
Sent: Tuesday, May 22, 2001 2:46 PM
To: Terry Rankin
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] ARP mangling:


On Tue, May 22, 2001 at 01:35:59PM -0400, Terry Rankin wrote:
> Hello,
> 
> 
> I've been using Snort v1.7 on NT4 successfully for a few weeks on several
> networks with only one problem - all layer 3 info in ARP requests/replies
> appears to be getting mangled between reception and logging. The symptoms
> are as follows: 
> 
> 1.  the target IP of the ARP request is always 212.250.18.0.
> 2.  the sending IP of the ARP request varies, but about 75% claim to be from
> 116.0.217.0. To date, the last two octets are always 217.0.
> 3.  no 'actual' ARP request layer 3 info is ever recorded to the log file -
> just the butchered info.
> 4.  the ARP replies contain genuine layer 2 addresses. 

What is your network configuration?  ARP only applies to layer 2 (same link
layer).  So, the stuff below indicates you have a bunch of weird machines
on the same link as you all wanting to know about network 212.250.18.

What are the machines with the layer 2 addresses?

Can you get a tcpdump of this stuff?

> 
> Example:    
>   ARP who-has 212.250.18.0 tell 116.0.217.0.
>   ARP who-has 212.250.18.0 tell 196.0.217.0
>   ARP who-has 212.250.18.0 tell 124.3.217.0
>   05/21-12:15:05.144373 ARP reply 212.250.18.0 is-at 0:10:5A:XX:YY:ZZ.
> 
> I've searched the obvious places for answers without any joy. I would be
> extremely grateful for further information.
> 
> 
> Cheers,
> 
> 
> terry
> 
> 
> 

-- 
Phil Wood, cpw at ...440...