Do you maybe have a network scanner running? Something trying to inventory
your network equipment?
-----Original Message-----
From: Ryan Russell [SMTP:[EMAIL PROTECTED]]
Sent: Tuesday, May 25, 1999 1:39 PM
To: Gerardo Soto
Cc: [EMAIL PROTECTED]
Subject: Re: how to figure out sniffer logs
>Why do the logs show arp replies to ip numbers that are not
>currently working. I mean, I have a class C network address, and I
>have configured my domain with all the numbers and everything, but by
>looking at the logs, I discovered arp replies to machines that are not
>working, and also arp replies to every single machine within my domain.
You're seeing ARP requests, not replies. At least, for the logs you sent.
>Is this normal?
Well... that's how a router tries to determine if the machine is there..
it doesn't know otherwise.
>or is someone getting information about my network (that is what I
>think), and if that is the case, how do I know who is doing these
>requests?
Quite possibly. Someone may be doing a ping sweep, or some
sort of port scan. If it's a dumb one, it's just going to try every address.
To determine who is doing it, you'll have to do some debugging or
accounting on the router. You could also write an access-list to
trap access to non-existent IP addresses, and log it. Such an
access-list goes on the far side of the router from the subnet you
mentioned. Yet another choice is to configure a machine to answer ARP
for non-existent addresses, and do some sniffing to see what comes through.
The last option is useful if you don't control the router.
Ryan
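Added example, not part of either message above: a Python sketch of the sniffer-log triage under discussion. It parses Ethernet ARP frames, separates requests (opcode 1) from replies (opcode 2), and reports which sender asked for addresses that have no host behind them. All MACs, addresses, frames, the `LIVE` set and the `threshold` value are constructed assumptions; on the LAN the requester of a routed sweep shows up as the router itself, so this narrows the question to the router rather than naming the outside origin.

```python
import socket
import struct
from collections import defaultdict

ARP_REQUEST, ARP_REPLY = 1, 2

def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip, target_ip) or None if not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":      # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return op, sha.hex(":"), socket.inet_ntoa(spa), socket.inet_ntoa(tpa)

def summarize(frames, live_hosts, threshold=3):
    """Per sender: request/reply counts, unused targets, sweep flag (threshold is assumed)."""
    stats = defaultdict(lambda: {"requests": 0, "replies": 0, "dead_targets": set()})
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        op, mac, sender_ip, target_ip = parsed
        entry = stats[(mac, sender_ip)]
        if op == ARP_REQUEST:
            entry["requests"] += 1
            if target_ip not in live_hosts:
                entry["dead_targets"].add(target_ip)
        elif op == ARP_REPLY:
            entry["replies"] += 1
    return {k: dict(v, sweep=len(v["dead_targets"]) >= threshold) for k, v in stats.items()}

def build_arp(op, sender_mac, sender_ip, target_ip, target_mac="00:00:00:00:00:00"):
    """Build a constructed sample frame (test data, not captured traffic)."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    dst = b"\xff" * 6 if op == ARP_REQUEST else raw(target_mac)
    return (dst + raw(sender_mac) + b"\x08\x06"
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + raw(sender_mac) + socket.inet_aton(sender_ip)
            + raw(target_mac) + socket.inet_aton(target_ip))

ROUTER = ("02:00:00:00:00:01", "192.0.2.1")                 # constructed values
LIVE = {"192.0.2.1", "192.0.2.10", "192.0.2.11"}            # hosts known to exist
SAMPLE = [build_arp(ARP_REQUEST, *ROUTER, f"192.0.2.{n}") for n in range(10, 16)]
SAMPLE.append(build_arp(ARP_REPLY, "02:00:00:00:00:0a", "192.0.2.10", ROUTER[1], ROUTER[0]))

if __name__ == "__main__":
    print(summarize(SAMPLE, LIVE))
```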
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]