[Snort-users] ARP Who has?

John Sage jsage at ...2022...
Sun Sep 16 09:25:02 EDT 2001


ARP = Address Resolution Protocol

In order for a TCP/IP network to work, it also needs to know what 
hardware address packets should be sent to (i.e. the hardware address of 
the NIC in your computer..)

So this is one box broadcasting a request for the hardware address 
("who-has [the hardware address for] 0.0.0.0") and saying that the 
answer should be sent to it ("tell 0.0.0.0")

The response would be "arp reply 192.168.1.1 is at 0:a5:32:ae:40:21" or 
somesuch..

Are you actually seeing "0.0.0.0"?

It should be an actual IP address, methinks...

Sounds like you're running snort with the -e command line switch 
("Display/log the link layer packet headers")

You may want to turn that off; it gets kinda boring after you've seen a 
few thousand of the same thing.

- John

-- 
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage at ...2022...
"The web is so, like, five minutes ago..."


Jason Withrow wrote:

> Sorry about the flood I am creating here, one last question.
> 
> What the heck is this ARP file that SNORT keeps creating, it is filled
> with stuff like this:
> 
>         09/16-03:57:48.234413 ARP who-has 0.0.0.0 tell 0.0.0.0
> 
>         09/16-03:57:48.400994 ARP who-has 0.0.0.0 tell 0.0.0.0
> 
> 
> What is this stuff?
> 
> Thanks,
> 
> - J
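
Added example, not part of the original thread and not Snort code: a small Python summarizer for an ARP log in the line shape quoted above, counting repeated who-has requests and separating out the ones where the target or the asking address is 0.0.0.0. The reply line shape follows the wording in the reply above (accepting "is at" or "is-at" is an assumption), and the 192.168.1.20 address in the sample is constructed.

```python
import re
from collections import Counter
from ipaddress import IPv4Address

# Request shape as quoted from the log in this thread.
REQUEST = re.compile(r"^(\S+) ARP who-has (\S+) tell (\S+)$")
# Reply shape as worded in the reply; "is at" vs "is-at" is an assumption.
REPLY = re.compile(r"^(\S+) ARP reply (\S+) is[- ]at ([0-9a-f:]+)$", re.I)

def summarize_arp(lines):
    """Return (requests, unspecified, bindings) for an ARP log.

    requests    : Counter of (target_ip, asker_ip) -> times seen
    unspecified : subset of requests where either address is 0.0.0.0
    bindings    : ip -> set of hardware addresses seen in replies
    """
    requests, unspecified, bindings = Counter(), Counter(), {}
    for raw in lines:
        line = raw.strip()
        m = REQUEST.match(line)
        if m:
            try:
                target, asker = IPv4Address(m.group(2)), IPv4Address(m.group(3))
            except ValueError:
                continue  # not a dotted-quad address; skip the line
            key = (str(target), str(asker))
            requests[key] += 1
            if target.is_unspecified or asker.is_unspecified:
                unspecified[key] += 1
            continue
        m = REPLY.match(line)
        if m:
            bindings.setdefault(m.group(2), set()).add(m.group(3).lower())
    return requests, unspecified, bindings

# First two lines are from the thread; the last two are constructed.
SAMPLE = """\
09/16-03:57:48.234413 ARP who-has 0.0.0.0 tell 0.0.0.0
09/16-03:57:48.400994 ARP who-has 0.0.0.0 tell 0.0.0.0
09/16-03:57:49.000000 ARP who-has 192.168.1.1 tell 192.168.1.20
09/16-03:57:49.000100 ARP reply 192.168.1.1 is at 0:a5:32:ae:40:21
""".splitlines()

if __name__ == "__main__":
    reqs, unspec, binds = summarize_arp(SAMPLE)
    for (target, asker), n in unspec.items():
        print(f"{n}x who-has {target} tell {asker} (unspecified address)")
    for ip, macs in binds.items():
        print(f"{ip} is at {', '.join(sorted(macs))}")
```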





