weird arps


Tom Corsetti (dftsrv!tomc@ames.arc.nasa.gov)
17 Oct 88 16:46:20 GMT


Hi,
I've been using tcpdump on a Sun to filter on arps. The reason I'm
doing this is to build a table of ether addresses for each ip-address, or
hostname that I trap. While building the table, I'm flagging machines
with duplicate ip addresses for a given ether add, and vice-versa.
Thus far, I've noticed some pretty strange things on our net. I really
don't understand where some of this stuff is coming from. I would appreciate
any help in understanding what's going on. In the first example, I show
arp who-has broadcasts from some computers with pretty strange addresses.
(addresses like 0.0.0.144):

15:35:59.87 8:0:89:d0:1:1 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 0.0.0.144 tell 0.0.0.6
15:35:59.91 8:0:89:d0:23:25 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 0.0.0.243 tell 0.0.0.144
15:53:20.64 8:0:89:c0:17:47 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 0.0.0.110 tell 0.0.0.142
15:53:20.64 8:0:89:d0:16:2 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 0.0.0.110 tell 0.0.0.70
15:53:20.64 8:0:89:d0:23:28 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 0.0.0.110 tell 0.0.0.147
15:53:20.64 8:0:89:d0:17:81 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 0.0.0.110 tell 0.0.0.200
15:53:20.66 8:0:89:d0:37:98 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 0.0.0.110 tell 0.0.0.66
15:53:20.66 8:0:89:d0:1:1 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 0.0.0.110 tell 0.0.0.6
15:53:20.68 8:0:89:d0:23:27 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 0.0.0.110 tell 0.0.0.146
10:37:37.56 sunjpg ff:ff:ff:ff:ff:ff 0806 60: arp who-has 0.0.120.149 tell 0.0.120.149

Next, I have a lot of computers that send out arps for the ether addresses of
the net broadcast mask. What's going on here??

16:24:31.52 2:60:8c:6:35:71 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 128.183.255.255 tell vlsi2.gsfc.nasa.gov
16:46:24.74 8:0:20:1:90:df ff:ff:ff:ff:ff:ff 0806 60: arp who-has 128.183.255.255 tell ltpsun.gsfc.nasa.gov
16:46:24.74 2:60:8c:5:82:37 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 128.183.255.255 tell cad564.gsfc.nasa.gov
16:46:24.74 2:60:8c:6:35:71 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 128.183.255.255 tell vlsi2.gsfc.nasa.gov
16:46:24.76 2:60:8c:1:2:64 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 128.183.255.255 tell cad663.gsfc.nasa.gov
16:46:24.76 8:0:14:10:15:80 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 128.183.255.255 tell vlsi6.gsfc.nasa.gov
16:46:24.76 8:0:14:10:32:58 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 128.183.255.255 tell vlsi5.gsfc.nasa.gov
16:46:24.76 80:0:10:30:2e:6f ff:ff:ff:ff:ff:ff 0806 60: arp who-has 128.183.255.255 tell david.gsfc.nasa.gov
16:46:24.76 80:0:10:30:a:6b ff:ff:ff:ff:ff:ff 0806 60: arp who-has 128.183.255.255 tell dipac.gsfc.nasa.gov
16:46:24.76 80:0:10:30:2e:8a ff:ff:ff:ff:ff:ff 0806 60: arp who-has 128.183.255.255 tell dadc.gsfc.nasa.gov
16:46:24.80 aa:0:4:0:cb:18 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 128.183.255.255 tell censun1.gsfc.nasa.gov
10:15:30.78 2:60:8c:5:82:37 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 128.183.255.255 tell cad564.gsfc.nasa.gov

I have seen both of the above quite frequently on our net. The latter case,
broadcast for the broadcast mask, occurs very regularly (I'm glad computers
don't send responses to those!!!) Thanks in advance for any enlightening
remarks on this.
                                                  - Tom Corsetti
                                                    tomc@dftsrv.gsfc.nasa.gov
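
Added example, not part of the original post: one way to build the ether/IP table described above from tcpdump ARP request lines and flag the cases the post mentions (sender addresses in network 0, ARPs for the broadcast address, one address seen from several ether addresses). The function name, finding labels and the last two sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Matches the link-level tcpdump ARP request lines in the format shown in the post.
LINE = re.compile(r"^(\S+) (\S+) (\S+) 0806 \d+: arp who-has (\S+) tell (\S+)$")

# The first three lines are copied from the post; the last two are constructed
# to exercise the duplicate check (10.0.0.x and the 2:0:0:0:0:x addresses are made up).
SAMPLE = """\
15:35:59.87 8:0:89:d0:1:1 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 0.0.0.144 tell 0.0.0.6
16:24:31.52 2:60:8c:6:35:71 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 128.183.255.255 tell vlsi2.gsfc.nasa.gov
10:37:37.56 sunjpg ff:ff:ff:ff:ff:ff 0806 60: arp who-has 0.0.120.149 tell 0.0.120.149
12:00:00.00 2:0:0:0:0:1 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 10.0.0.9 tell 10.0.0.5
12:00:01.00 2:0:0:0:0:2 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 10.0.0.9 tell 10.0.0.5
"""

def analyze(text, broadcasts=("128.183.255.255",)):
    """Build sender<->ether tables from ARP requests and return sorted findings."""
    by_ip, by_mac, findings = defaultdict(set), defaultdict(set), set()
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # not an ARP request in the expected format
        # src and sender may be names rather than numbers if tcpdump resolved them
        _, src, _, target, sender = m.groups()
        by_ip[sender].add(src)
        by_mac[src].add(sender)
        if sender.startswith("0.0."):
            findings.add(("zero-net-sender", sender, src))
        if target in broadcasts:
            findings.add(("arp-for-broadcast", sender, src))
        if target == sender:
            findings.add(("self-arp", sender, src))
    # Same checks the post describes: one address on several ethers, and vice versa.
    for ip, macs in by_ip.items():
        if len(macs) > 1:
            findings.add(("ip-multiple-ether", ip, ",".join(sorted(macs))))
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.add(("ether-multiple-ip", mac, ",".join(sorted(ips))))
    return sorted(findings)

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(*finding, sep="\t")
```
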



This archive was generated by hypermail 2.0b3 on Thu Mar 09 2000 - 14:43:56 GMT