Snort mailing list archives

Re: ARP mangling:


From: Phil Wood <cpw () lanl gov>
Date: Tue, 22 May 2001 12:45:56 -0600

On Tue, May 22, 2001 at 01:35:59PM -0400, Terry Rankin wrote:
Hello,


I've been using Snort v1.7 on NT4 successfully for a few weeks on several
networks with only one problem - all layer 3 info in ARP requests/replies
appears to be getting mangled between reception and logging. The symptoms
are as follows: 

1.  the target IP of the ARP request is always 212.250.18.0.
2.  the sending IP of the ARP request varies, but about 75% claim to be from
116.0.217.0. To date, the last two octets are always 217.0.
3.  no 'actual' ARP request layer 3 info is ever recorded to the log file -
just the butchered info.
4.  the ARP replies contain genuine layer 2 addresses. 

What is your network configuration?  ARP only applies to layer 2 (same link
layer).  So, the stuff below indicates you have a bunch of weird machines
on the same link as you, all wanting to know about network 212.250.18.

What are the machines with the layer 2 addresses?

Can you get a tcpdump of this stuff?


Example:    
  ARP who-has 212.250.18.0 tell 116.0.217.0.
  ARP who-has 212.250.18.0 tell 196.0.217.0
  ARP who-has 212.250.18.0 tell 124.3.217.0
  05/21-12:15:05.144373 ARP reply 212.250.18.0 is-at 0:10:5A:XX:YY:ZZ.

I've searched the obvious places for answers without any joy. I would be
extremely grateful for further information.


Cheers,


terry



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw () lanl gov

