Re: weird arps

Tue, 18 Oct 88 17:36:19 EDT

>I've been using tcpdump on a sun to filter on arps. The reason I'm
>doing this is to build a table of ether addresses for each ip-address, or
>hostname that I trap. While building the table, I'm flagging machines
>with duplicate ip addresses for a given ether add, and vice-versa.
>Thus far, I've noticed some pretty strange things on our net. I really
>don't understand where some of this stuff is coming from. I would appreciate
>any help in understanding what's going on. In the first example, I show
>arp who-has broadcasts from some computers with pretty strange addresses.
>(addresses like
>15:35:59.87 8:0:89:d0:1:1 ff:ff:ff:ff:ff:ff 0806
> 60: arp who-has tell
> [text deleted]
>Next, I have alot of computers that send out arps for the ether addresses of
>the net broadcast mask. What's going on here??
>16:24:31.52 2:60:8c:6:35:71 ff:ff:ff:ff:ff:ff 0806 60: arp who-has
> tell
> [text deleted]
>I have seen both of the above quite frequently on our net. The latter case,
>braodcast for the broadcast mask occurs very regularly (I'm glad computers
>don't send responses to those!!!) Thanks in advance for any enlightening
>remarks on this.
> - Tom Corsetti

Your project sounds very similar to one that I have been working on for a
year or so now. It does exactly the same thing - building a list of ethernet
addresses, and recording any IP addresses in use. It also records all
protocol types being used by each system, and the types of destination
IP broadcast addresses seen in IP and ARP packets (all zeroes/ones,
network + zeroes/ones, subnet + zeroes/ones).

I have seen the same types of strangenesses on my network. There was
recent discussion somewhere about the first - these are being sent out
by Suns which boot across the network, during the boot process. I'd
like to see some more details about how the IP address is picked out.
If I remember right, this is no longer a problem with SunOS 4.0.

The latter (ARPs to a broadcast address) are sent out by hosts which aren't
configured to have the correct broadcast address themselves. I have seen
such ARPs with various combinations of mismatched broadcast address

Doug Nelson
Michigan State University

This archive was generated by hypermail 2.0b3 on Thu Mar 09 2000 - 14:43:56 GMT