Running "nmap -A 192.168.2.131" should do the trick.
----- Original message -----
> Thanks Kyle,
>
> Nice suggestions.
>
> However, whenever 192.168.2.131 requests for the mac of 192.168.2.1, the requests are sooo many that other hosts on the network just stop working.
>
> I am going to try to identify the host and give it a thorough check. I did not do the nmap, however I will do that!
>
> Thanks for the input..appreciate.
>
> On 16 Sep 2011 18:05, "Kyle Spencer" <[email protected]> wrote:
>
>> Hi Richard,
>>
>> As far as I know, no. The 'secure port' setting is about the best you can do for ARP security. Though, judging by your tcpdump log, that's not the problem.
>>
>> The tcpdump log shows that 192.168.2.131 is repeatedly asking for the MAC address of 192.168.2.1 (and 192.168.2.1 responds each time). I wouldn't assume this is malicious -- aside from the fact that ARP traffic is commonplace on most networks, this particular exchange looks harmless.
>>
>> In any case, if a network host is really spamming ARP requests, I'd recommend that you hunt it down and give it a full look-over. If there's no problem with the OS/software, try replacing the NIC.
>>
>> As for the IP/DHCP issue, did you successfully ping the host which took your IP after disconnecting? If so, did you nmap scan it, figure out what its netbios name is, or otherwise attempt to identify it? Perhaps your service outage is related to an IP conflict with another machine?
>>
>> On a side note:
>>
>> The real danger with ARP is a man-in-the-middle attack since there's no security or verification mechanism in the protocol. For example, using ARP, I can tell your computer to send all traffic destined for the firewall to my MAC address. If I also tell the firewall to send all traffic destined for your computer to my MAC address, I become a relay point for traffic flowing between your computer and the firewall -- which means I can sniff your traffic without you noticing.
>>
>> This is why the port security feature exists: if you restrict each switch port to a single MAC address, individual computers can't pretend to be two different machines as in the above example.
>>
>> Regards,
>> Kyle Spencer
>>
>> ----- Original message -----
>>> Hey,
>>>
>>> I am experiencing some kind of ARP poisoning causing a DOS on my network.
>>>
>>> I used wireshark to investigate the traffic on my network and discovered a storm of arp broadcast traffic on my network. A tcpdump too indicated the same thing. Sample tcpdump output is shown below:
>>>
>>> 16:10:12.270910 ARP, Request who-has 192.168.2.1 tell 192.168.2.131, length 46
>>> 16:10:12.270915 ARP, Reply 192.168.2.1 is-at 00:e0:81:30:7b:6e (oui Unknown), length 28
>>> 16:10:12.270921 ARP, Request who-has 192.168.2.131 tell 192.168.2.4, length 46
>>> 16:10:12.270927 ARP, Request who-has 192.168.2.1 tell 192.168.2.131, length 46
>>> 16:10:12.270932 ARP, Reply 192.168.2.1 is-at 00:e0:81:30:7b:6e (oui Unknown), length 28
>>> 16:10:12.270961 IP6 fe80::f561:405:1bcb:b766 > ff02::1:ffc3:9370: ICMP6, neighbor solicitation, who has fe80::b699:baff:fec3:9370, length 32
>>> 16:10:12.270965 IP 192.168.2.131.netbios-dgm > 192.168.2.255.netbios-dgm: NBT UDP PACKET(138)
>>> 16:10:12.270974 ARP, Request who-has 192.168.2.1 tell 192.168.2.131, length 46
>>> 16:10:12.270979 ARP, Reply 192.168.2.1 is-at 00:e0:81:30:7b:6e (oui Unknown), length 28
>>> 16:10:12.270985 ARP, Request who-has 192.168.2.1 tell 192.168.2.131, length 46
>>>
>>> Now, interestingly, hardly had I disconnected from the network than another machine assumed my ip address. When I checked the dhcp server, that ip address had not yet been assigned to another machine on the network.
>>>
>>> On reconnecting my laptop back to the network, the dhcp server issued me with my original ip address; however, wireshark indicated that there is a duplicate of my very ip address on the network. The dhcp server still maintained my laptop is the only one using the ip address. This is how I came to the conclusion I have an issue with ARP.
>>>
>>> So..right now, I have the mac address of the other machine on the network that is assuming to use my ip address and am hunting for it. However, this doesn't seem to be the solution.
>>>
>>> I am also planning on implementing the port security feature on my switches so that I have one mac address allowed per port.
>>>
>>> My question however is, is there any other way I can overcome this?
>>>
>>>
>>> --
>>> Richard Zulu
>>> gtug lead, Kampala (Uganda)
>>> http://kampala.gtugs.org
>>> ---------------------------------------------------------
>>> http://www.linkedin.com/in/richardzulu
>>> http://www.twitter.com/richardzulu

_______________________________________________
The Uganda Linux User Group: http://linux.or.ug
Send messages to this mailing list by addressing e-mails to: [email protected]
Mailing list archives: http://www.mail-archive.com/[email protected]/
Mailing list settings: http://kym.net/mailman/listinfo/lug
To unsubscribe: http://kym.net/mailman/options/lug
The Uganda LUG mailing list is generously hosted by INFOCOM: http://www.infocom.co.ug/
The above comments and data are owned by whoever posted them (including attachments if any). The mailing list host is not responsible for them in any way.
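The thread's two symptoms, a host flooding ARP requests and a second machine answering for an IP address already in use, can both be spotted by parsing the tcpdump ARP lines Richard posted. The script below is an added example, not code from the thread or the list; it reads lines in tcpdump's ARP output format, measures the peak number of requests any sender makes in one second, and flags any IP that is claimed by more than one MAC address in replies. The capture it contains is constructed: the first lines copy the format quoted above, and the two replies for 192.168.2.50 (a placeholder address) are made up to show the duplicate-IP case.

```python
import re
from collections import Counter, defaultdict

# Constructed sample capture in tcpdump's ARP output format. The first eight
# lines mirror the format quoted in the thread; the last two are made up to
# show one IP (192.168.2.50, a placeholder) being claimed by two MACs.
SAMPLE_LOG = """\
16:10:12.270910 ARP, Request who-has 192.168.2.1 tell 192.168.2.131, length 46
16:10:12.270915 ARP, Reply 192.168.2.1 is-at 00:e0:81:30:7b:6e (oui Unknown), length 28
16:10:12.270921 ARP, Request who-has 192.168.2.131 tell 192.168.2.4, length 46
16:10:12.270927 ARP, Request who-has 192.168.2.1 tell 192.168.2.131, length 46
16:10:12.270932 ARP, Reply 192.168.2.1 is-at 00:e0:81:30:7b:6e (oui Unknown), length 28
16:10:12.270961 IP6 fe80::f561:405:1bcb:b766 > ff02::1:ffc3:9370: ICMP6, neighbor solicitation, who has fe80::b699:baff:fec3:9370, length 32
16:10:12.270974 ARP, Request who-has 192.168.2.1 tell 192.168.2.131, length 46
16:10:12.270985 ARP, Request who-has 192.168.2.1 tell 192.168.2.131, length 46
16:10:13.100001 ARP, Reply 192.168.2.50 is-at 00:11:22:33:44:55 (oui Unknown), length 28
16:10:13.100500 ARP, Reply 192.168.2.50 is-at 66:77:88:99:aa:bb (oui Unknown), length 28
"""

REQUEST_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.\d+ ARP, Request who-has (?P<target>[\d.]+) tell (?P<sender>[\d.]+),"
)
REPLY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.\d+ ARP, Reply (?P<ip>[\d.]+) is-at "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)


def parse_arp(lines):
    """Yield ("request", second, sender, target) or ("reply", second, ip, mac).

    Non-ARP lines (IPv6 neighbor discovery, NetBIOS, ...) are skipped.
    'second' is the timestamp truncated to whole seconds, used for rate measurement.
    """
    for line in lines:
        m = REQUEST_RE.match(line)
        if m:
            yield ("request", m["ts"], m["sender"], m["target"])
            continue
        m = REPLY_RE.match(line)
        if m:
            yield ("reply", m["ts"], m["ip"], m["mac"].lower())


def analyze(lines, requests_per_second=3):
    """Return (noisy_senders, ip_conflicts).

    noisy_senders: {sender_ip: peak requests in any single second} for senders
                   whose peak reaches requests_per_second (ARP storm suspects).
    ip_conflicts:  {ip: sorted MAC list} for IPs answered by more than one MAC
                   (a duplicate IP, or a host answering for an address that is
                   not its own).
    """
    per_second = Counter()        # (sender, second) -> request count
    claims = defaultdict(set)     # ip -> set of MACs seen in replies
    for kind, second, a, b in parse_arp(lines):
        if kind == "request":
            per_second[(a, second)] += 1
        else:
            claims[a].add(b)

    peak = defaultdict(int)
    for (sender, _second), n in per_second.items():
        peak[sender] = max(peak[sender], n)
    noisy = {s: n for s, n in peak.items() if n >= requests_per_second}
    conflicts = {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}
    return noisy, conflicts


if __name__ == "__main__":
    noisy, conflicts = analyze(SAMPLE_LOG.splitlines())
    for sender, n in noisy.items():
        print(f"possible ARP storm: {sender} sent {n} requests in one second")
    for ip, macs in conflicts.items():
        print(f"IP {ip} answered by several MACs: {', '.join(macs)}")
```

On a live capture (`tcpdump -n -l arp | python3 arp_check.py` with the script reading stdin instead of SAMPLE_LOG) the per-second threshold should be set far higher than 3; the low default only exists so the ten-line sample trips it. A conflict entry for your own IP gives you the second MAC to hunt for on the switch's MAC table, which is the same identification step Kyle suggests before enabling port security.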
