[Snort-users] ARP WHo has?
jsage at ...2022...
Sun Sep 16 09:25:02 EDT 2001
ARP = Address Resolution Protocol
In order for a TCP/IP network to work, it also needs to know what
hardware address packets should be sent to (i.e. the hardware address of
the NIC in your computer..)
So this is one box broadcasting a request for the hardware address
("who-has [the hardware address for] 0.0.0.0") and saying that the
answer should be sent to it ("tell 0.0.0.0")
The response would be "arp reply 192.168.1.1 is at 0:a5:32:ae:40:21" or
Are you actually seeing "0.0.0.0"?
It should be an actual IP address, methinks...
Sounds like you're running snort with the -e command line switch
("Display/log the link layer packet headers")
You may want to turn that off; it get kinda boring after you've seen a
few thousand of the same thing.
FinchHaven, Vashon Island, WA, USA
mailto:jsage at ...2022...
"The web is so, like, five minutes ago..."
Jason Withrow wrote:
> Sorry about the flood I am creating here, one last question.
> What the heck is this ARP file that SNORT Keeps creating, it is filled
> with stuff like this:
> 09/16-03:57:48.234413 ARP who-has 0.0.0.0 tell 0.0.0.0
> 09/16-03:57:48.400994 ARP who-has 0.0.0.0 tell 0.0.0.0
> What is this stuff?
> - J
More information about the Snort-users