Re: Sniffing my broadband connection to my ISP ??? [7:30689]

2002-01-02 Thread c1sc0k1d

Cable modem is a shared medium and you do not have the bandwidth on your
segment to yourself.  You could compare it to ethernet for practical
purposes.

The k1d




"Phil Barker" wrote in message news:[EMAIL PROTECTED]...
> Hi Group,
>  I have been sniffing my broadband connection to
> my ISP today and have a few questions.
>
>  My main gripe is that I'm being sent around 100
> Arp requests per minute, which obviously I cannot
> resolve. These ARP requests are all originating from
> my default G/W at the ISP trying to resolve MAC
> addresses of various users. Can anyone confirm if this
> is usual or unusual. I cannot see this being correct
> since if I set my router up to be one of these IP
> addresses I can resolve it to my MAC address Eth 0
> int' or any other mac-address for that matter.
>
>  They also send me DHCP requests, IGMP requests
> for group 224.0.0.1 (Which I wish I could join) but
> cannot and lots of their private address information
> via the above mentioned ARP's.
>
>  I also captured an attempt at an inbound TCP
> connection on a dynamic port which my router RST,
> thankfully.
>
>  Are they wasting my B/W ?
>
> Thanx,
>
> Phil




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=30690&t=30689
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: Sniffing my broadband connection to my ISP ??? [7:30689]

2002-01-02 Thread Priscilla Oppenheimer

It sounds like you are sharing the broadcast domain with a bunch of other 
stations. The network is bridging on the edge. I think this is normal for 
cable modem systems. Is that what you are on?

Priscilla

At 12:23 PM 1/2/02, Phil Barker wrote:
>Hi Group,
>  I have been sniffing my broadband connection to
>my ISP today and have a few questions.
>
>  My main gripe is that I'm being sent around 100
>Arp requests per minute, which obviously I cannot
>resolve. These ARP requests are all originating from
>my default G/W at the ISP trying to resolve MAC
>addresses of various users. Can anyone confirm if this
>is usual or unusual. I cannot see this being correct
>since if I set my router up to be one of these IP
>addresses I can resolve it to my MAC address Eth 0
>int' or any other mac-address for that matter.
>
>  They also send me DHCP requests, IGMP requests
>for group 224.0.0.1 (Which I wish I could join) but
>cannot and lots of their private address information
>via the above mentioned ARP's.
>
>  I also captured an attempt at an inbound TCP
>connection on a dynamic port which my router RST,
>thankfully.
>
>  Are they wasting my B/W ?
>
>Thanx,
>
>Phil


Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=30708&t=30689



Re: Sniffing my broadband connection to my ISP ??? [7:30689]

2002-01-02 Thread Erick B.

Hi,

Just to expand on this... 

The 224.0.0.1 multicast query you're seeing is coming
from the cable modem I bet. I have a Surfboard 3100
cable modem and it sends out IGMP queries on 224.0.0.1
frequently. I'm not sure why the cable modem is doing
multicast and haven't really looked into it. I think
it may only be local to the LAN interface toward your
PC but not 100% positive. You can use your web browser
to view the log and status of the SB3100 cable modem
by the way, you can see the IP in the sniffer trace. 

If the ARP requests are originating from the ISP
default-gateway (first hop router for you) then maybe
they have proxy arp enabled. 

The DHCP requests could be from other users on your
segment, or maybe forwarded to a DHCP server on your
segment from another segment. 

Also, since you're on a shared segment with others
they may have set up their own networks, etc with
their own address space, etc that you might see
packets from. 

Erick

--- Priscilla Oppenheimer  wrote:
> It sounds like you are sharing the broadcast domain
> with a bunch of other 
> stations. The network is bridging on the edge. I
> think this is normal for 
> cable modem systems. Is that what you are on?
> 
> Priscilla
> 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=30712&t=30689



Re: Sniffing my broadband connection to my ISP ??? [7:30689]

2002-01-02 Thread Priscilla Oppenheimer

Having proxy ARP enabled on the router would cause the router to send ARP 
replies not requests.

The fact that he sees ARP requests isn't surprising. He's on a shared 
network. On a shared network you see all the ARP requests from your local 
router to devices on your network.

Priscilla

At 05:24 PM 1/2/02, Erick B. wrote:
>Hi,
>
>Just to expand on this...
>
>The 224.0.0.1 multicast query you're seeing is coming
>from the cable modem I bet. I have a Surfboard 3100
>cable modem and it sends out IGMP queries on 224.0.0.1
>frequently. I'm not sure why the cable modem is doing
>multicast and haven't really looked into it. I think
>it may only be local to the LAN interface toward your
>PC but not 100% positive. You can use your web browser
>to view the log and status of the SB3100 cable modem
>by the way, you can see the IP in the sniffer trace.
>
>If the ARP requests are originating from the ISP
>default-gateway (first hop router for you) then maybe
>they have proxy arp enabled.
>
>The DHCP requests could be from other users on your
>segment, or maybe forwarded to a DHCP server on your
>segment from another segment.
>
>Also, since you're on a shared segment with others
>they may have set up their own networks, etc with
>their own address space, etc that you might see
>packets from.
>
>Erick
>


Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=30717&t=30689



Re: Sniffing my broadband connection to my ISP ??? [7:30689]

2002-01-02 Thread Michael Damkot

Erick, you are seeing 224.0.0.1 Multicast Queries because 224.0.0.1 is
reserved for "all systems on segment."  This is the IP that the IGMP queries
are going out to allowing the Router to determine if it needs to "request
upstream" for any Multicast Streams. It is pretty common to see that.

Mike


"Erick B." wrote in message news:[EMAIL PROTECTED]...
> Hi,
>
> Just to expand on this...
>
> The 224.0.0.1 multicast query you're seeing is coming
> from the cable modem I bet. I have a Surfboard 3100
> cable modem and it sends out IGMP queries on 224.0.0.1
> frequently. I'm not sure why the cable modem is doing
> multicast and haven't really looked into it. I think
> it may only be local to the LAN interface toward your
> PC but not 100% positive. You can use your web browser
> to view the log and status of the SB3100 cable modem
> by the way, you can see the IP in the sniffer trace.
>
> If the ARP requests are originating from the ISP
> default-gateway (first hop router for you) then maybe
> they have proxy arp enabled.
>
> The DHCP requests could be from other users on your
> segment, or maybe forwarded to a DHCP server on your
> segment from another segment.
>
> Also, since you're on a shared segment with others
> they may have set up their own networks, etc with
> their own address space, etc that you might see
> packets from.
>
> Erick
>




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=30720&t=30689



RE: Sniffing my broadband connection to my ISP ??? [7:30689]

2002-01-02 Thread Jim Brown

Priscilla,

Wouldn't proxy ARP generate an ARP request and an ARP reply if the source
and target networks were directly connected to the router?


-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, January 02, 2002 3:54 PM
To: [EMAIL PROTECTED]
Subject: Re: Sniffing my broadband connection to my ISP ??? [7:30689]


Having proxy ARP enabled on the router would cause the router to send ARP 
replies not requests.

The fact that he sees ARP requests isn't surprising. He's on a shared 
network. On a shared network you see all the ARP requests from your local 
router to devices on your network.

Priscilla



Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=30722&t=30689



Re: Sniffing my broadband connection to my ISP ??? [7:30689]

2002-01-02 Thread Steven A. Ridder

As everyone else has said, this is normal for a shared access network.  Look
for routing protocol updates and other things as well.  On ATT's
cable-modem network you can see the ospf hello updates, who the DR and BDR
is and other things.  It can be fun.  Try dsniff or some other program and
you can see all the traffic on that network  :)  Be careful though because
you will probably get slammed and don't forget to reroute the traffic back
out or else someone will know something is wrong.



"Phil Barker" wrote in message news:[EMAIL PROTECTED]...
> Hi Group,
>  I have been sniffing my broadband connection to
> my ISP today and have a few questions.
>
>  My main gripe is that I'm being sent around 100
> Arp requests per minute, which obviously I cannot
> resolve. These ARP requests are all originating from
> my default G/W at the ISP trying to resolve MAC
> addresses of various users. Can anyone confirm if this
> is usual or unusual. I cannot see this being correct
> since if I set my router up to be one of these IP
> addresses I can resolve it to my MAC address Eth 0
> int' or any other mac-address for that matter.
>
>  They also send me DHCP requests, IGMP requests
> for group 224.0.0.1 (Which I wish I could join) but
> cannot and lots of their private address information
> via the above mentioned ARP's.
>
>  I also captured an attempt at an inbound TCP
> connection on a dynamic port which my router RST,
> thankfully.
>
>  Are they wasting my B/W ?
>
> Thanx,
>
> Phil




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=30725&t=30689



RE: Sniffing my broadband connection to my ISP ??? [7:30689]

2002-01-02 Thread Priscilla Oppenheimer

At 04:37 PM 1/2/02, Jim Brown wrote:
>Priscilla,
>
>Wouldn't proxy ARP generate an ARP request and an ARP reply if the source
>and target networks were directly connected to the router?

No. Proxy ARP causes the router to generate ARP replies. It has no effect 
on ARP requests.

ARP requests are generated by normal ARP when a node tries to find the MAC 
address of another station. They are generated by end stations and by the 
router. The router has to find the MAC address just like any other station 
does.

He is sniffing on the broadband connection which presumably is shared by 
all hosts in his "area" (sometimes called a node in cable modem designs). 
He can see their ARPs and he can see the router's ARPs.

Proxy ARP allows devices to communicate with devices on the other side of 
the router without having to know that the router is there. In this case, 
end stations send ARP requests for local and non-local devices. For 
non-local addresses, the router responds with its own MAC address.

Priscilla




Re: Sniffing my broadband connection to my ISP ??? [7:30689]

2002-01-02 Thread Priscilla Oppenheimer

At 06:42 PM 1/2/02, Steven A. Ridder wrote:
>As everyone else has said, this is normal for a shared access network.  Look
>for routing protocol updates and other things as well.  On ATT's
>cable-modem network you can see the ospf hello updates, who the DR and BDR
>is and other things.

Yep, that's true.

So now we have synergy between this thread and the Passive Interface 
thread! I like that! ;-)

Making the cable interface a passive interface seems like a good idea for 
many reasons, including security and not just bandwidth usage. (The 
bandwidth used by Hellos has gotta be pretty minimal!)

>It can be fun.

A lot of people report seeing other broadcasts too, including NetBIOS, 
AppleTalk, etc. It's kind of scary.

>Try dsniff or some other program and
>you can see all the traffic on that network  :)  Be careful though because
>you will probably get slammed and don't forget to reroute the traffic back
>out or else someone will know something is wrong.

What's dsniff? What does that let you see? And what's this about having to 
reroute? Can you tell us more? THANKS

Priscilla






Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=30732&t=30689



Re: Sniffing my broadband connection to my ISP ??? [7:30689]

2002-01-02 Thread Steven A. Ridder

Dsniff uses icmp default gateway redirects (the ICMP message that tells
hosts that a different router has a better path to the destination network).
This will automatically make the user's PC redirect all traffic to your PC
dynamically (the client never knows about it), because he thinks you are a
router and that you'd be a better default gateway.  You just have to have a
multihomed PC because you still need to forward the traffic to the
destination, otherwise you'll get caught.

It's a pretty good hacking tool and has been ported from *nix to Windows for
years.  Makes switches just like hubs again.  Use this with L0phtCrack and
you can get NT PW's, etc..


"Priscilla Oppenheimer" wrote in message news:[EMAIL PROTECTED]...
> At 06:42 PM 1/2/02, Steven A. Ridder wrote:
> >As everyone else has said, this is normal for a shared access network.
> >Look for routing protocol updates and other things as well.  On ATT's
> >cable-modem network you can see the ospf hello updates, who the DR and
> >BDR is and other things.
>
> Yep, that's true.
>
> So now we have synergy between this thread and the Passive Interface
> thread! I like that! ;-)
>
> Making the cable interface a passive interface seems like a good idea for
> many reasons, including security and not just bandwidth usage. (The
> bandwidth used by Hellos has gotta be pretty minimal!)
>
> >It can be fun.
>
> A lot of people report seeing other broadcasts too, including NetBIOS,
> AppleTalk, etc. It's kind of scary.
>
> >Try dsniff or some other program and
> >you can see all the traffic on that network  :)  Be careful though
> >because you will probably get slammed and don't forget to reroute the
> >traffic back out or else someone will know something is wrong.
>
> What's dsniff? What does that let you see? And what's this about having to
> reroute? Can you tell us more? THANKS
>
> Priscilla
>
>
>
>




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=30736&t=30689



Re: Sniffing my broadband connection to my ISP ??? [7:30689]

2002-01-02 Thread Priscilla Oppenheimer

I read up on it. It appears to have been developed for beneficial purposes 
but is also a hacker tool. The written material says it's a set of tools, 
actually. The relevant one uses ARP, not ICMP. (There was no mention of ICMP 
being used.) It sends an ARP reply for the IP address of the default 
gateway. Actually it can send an ARP reply for anything. There's no need to 
be multihomed, but IP forwarding must be enabled or you'll get caught, as 
you say, (plus you wouldn't see anything because the target would lose its 
connections).

Priscilla

At 07:43 PM 1/2/02, Steven A. Ridder wrote:
>Dsniff uses icmp default gateway redirects (the ICMP message that tells
>hosts that a different router has a better path to the destination network).
>This will automatically make the user's PC redirect all traffic to your PC
>dynamically (the client never knows about it), because he thinks you are a
>router and that you'd be a better default gateway.  You just have to have a
>multihomed PC because you still need to forward the traffic to the
>destination, otherwise you'll get caught.
>
>It's a pretty good hacking tool and has been ported from *nix to Windows for
>years.  Makes switches just like hubs again.  Use this with L0phtCrack and
>you can get NT PW's, etc..
>
>
>""Priscilla Oppenheimer""  wrote in message
>[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> > At 06:42 PM 1/2/02, Steven A. Ridder wrote:
> > >As everyone else has said, this is normal for a shared access netowrk.
>Look
> > >for routing protocol updates and other things as well .  On ATT's
> > >cable-modem network you can see the ospf hello updates, who the DR and
>BDR
> > >is and other things.
> >
> > Yep, that's true.
> >
> > So now we have synergy between this thread and the Passive Interface
> > thread! I like that! ;-)
> >
> > Making the cable interface a passive interface seems like a good idea for
> > many reasons, including security and not just bandwidth usage. (The
> > bandwidth used by Hellos has gotta be pretty minimal!)
> >
> > >It can be fun.
> >
> > A lot of people report seeing other broadcasts too, including NetBIOS,
> > AppleTalk, etc. It's kind of scary.
> >
> > >Try dsniff or some other program and
> > >you can see all the traffic on that network  :)  Be careful though because
> > >you will probably get slammed and don't forget to reroute the traffic back
> > >out or else someone will know something is wrong.
> >
> > What's dsniff? What does that let you see? And what's this about having to
> > reroute? Can you tell us more? THANKS
> >
> > Priscilla
> >
> >
> >
> >
> > >""Phil Barker""  wrote in message
> > >[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> > > > Hi Group,
> > > >  I have been sniffing my broadband connection to
> > > > my ISP today and have a few questions.
> > > >
> > > >  My main gripe is that I'm being sent around 100
> > > > Arp requests per minute, which obviously I cannot
> > > > resolve. These ARP requests are all originating from
> > > > my default G/W at the ISP trying to resolve MAC
> > > > addresses of various users. Can anyone confirm if this
> > > > is usual or unusual. I cannot see this being correct
> > > > since if I set my router up to be one of these IP
> > > > addresses I can resolve it to my MAC address Eth 0
> > > > int' or any other mac-address for that matter.
> > > >
> > > >  They also send me DHCP requests, IGMP requests
> > > > for group 224.0.0.1 (Which I wish I could join) but
> > > > cannot and lots of their private address information
> > > > via the above mentioned ARP's.
> > > >
> > > >  I also captured an attempt at an inbound TCP
> > > > connection on a dynamic port which my router RST,
> > > > thankfully.
> > > >
> > > >  Are they wasting my B/W ?
> > > >
> > > > Thanx,
> > > >
> > > > Phil
> > > >
> > > >
> > > >
> > > >
> > > >
> > 
> >
> > Priscilla Oppenheimer
> > http://www.priscilla.com


Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=30743&t=30689
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
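
The forged ARP reply described in the message above changes which MAC address answers for the gateway's IP, and anyone watching ARP on the segment can see that change. The following is an added example, not code from the thread or from any tool it names: a passive watcher run over constructed frames, where the addresses, the `ArpWatch` class and the alert names are all assumptions made for illustration.

```python
import struct

OP_REQUEST, OP_REPLY = 1, 2

def _mac(b):
    return ":".join(f"{x:02x}" for x in b)

def _ip(b):
    return ".".join(str(x) for x in b)

def build_arp(op, sha, spa, tha, tpa, eth_src=None):
    """Build an Ethernet II + ARP frame; only used to construct sample input."""
    to_mac = lambda s: bytes.fromhex(s.replace(":", ""))
    to_ip = lambda s: bytes(int(o) for o in s.split("."))
    dst = b"\xff" * 6 if op == OP_REQUEST else to_mac(tha)
    eth = dst + to_mac(eth_src or sha) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return eth + arp + to_mac(sha) + to_ip(spa) + to_mac(tha) + to_ip(tpa)

def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": _mac(frame[6:12]), "op": op,
            "sha": _mac(frame[22:28]), "spa": _ip(frame[28:32]),
            "tha": _mac(frame[32:38]), "tpa": _ip(frame[38:42])}

class ArpWatch:
    def __init__(self):
        self.bindings = {}    # IP -> MAC that last claimed it
        self.pending = set()  # (asker IP, wanted IP) taken from requests

    def observe(self, frame):
        """Update state from one frame and return a list of alert strings."""
        p = parse_arp(frame)
        if p is None:
            return []
        alerts = []
        if p["eth_src"] != p["sha"]:
            alerts.append("eth-src-mismatch")
        if p["op"] == OP_REQUEST:
            self.pending.add((p["spa"], p["tpa"]))
        elif p["op"] == OP_REPLY:
            if (p["tpa"], p["spa"]) in self.pending:
                self.pending.discard((p["tpa"], p["spa"]))
            else:
                alerts.append("unsolicited-reply")
        if p["spa"] != "0.0.0.0":  # ARP probes carry no sender IP to learn
            old = self.bindings.get(p["spa"])
            if old is not None and old != p["sha"]:
                alerts.append(f"binding-changed {p['spa']} {old} -> {p['sha']}")
            self.bindings[p["spa"]] = p["sha"]
        return alerts

# Constructed sample traffic (TEST-NET-1 addresses, locally administered MACs).
GW, HOST, OTHER = "02:00:00:00:00:01", "02:00:00:00:00:20", "02:00:00:00:00:66"
SAMPLE = [
    build_arp(OP_REQUEST, HOST, "192.0.2.20", "00:00:00:00:00:00", "192.0.2.1"),
    build_arp(OP_REPLY, GW, "192.0.2.1", HOST, "192.0.2.20"),
    build_arp(OP_REPLY, OTHER, "192.0.2.1", HOST, "192.0.2.20"),
]

def run(frames):
    watch = ArpWatch()
    return [watch.observe(f) for f in frames]

if __name__ == "__main__":
    for n, alerts in enumerate(run(SAMPLE), 1):
        print(n, alerts or "ok")
```

A router doing proxy ARP, or a gateway whose hardware has been replaced, also trips the binding check, so in practice the gateway's known MAC is pinned and only deviations from it are escalated.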



Re: Sniffing my broadband connection to my ISP ??? [7:30689]

2002-01-03 Thread Steven A. Ridder

I guess I got them mixed up.  Now I can't remember the tool that uses ICMP
redirects to do the same thing.  I thought the other one did the arp
spoofing.  I'll try and find it as it's more clever.


""Priscilla Oppenheimer""  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> I read up on it. It appears to have been developed for beneficial purposes
> but is also a hacker tool. The written material says it's a set of tools
> actually. The relevant one uses ARP, not ICMP. (There was no mention of ICMP
> being used.) It sends an ARP reply for the IP address of the default
> gateway. Actually it can send an ARP reply for anything. There's no need to
> be multihomed, but IP forwarding must be enabled or you'll get caught, as
> you say, (plus you wouldn't see anything because the target would lose its
> connections).
>
> Priscilla
>
> At 07:43 PM 1/2/02, Steven A. Ridder wrote:
> >Dsniff uses icmp default gateway redirects (the ICMP message that tells
> >hosts that a different router has a better path to the destination network).
> >This will automatically make the user's PC redirect all traffic to your PC
> >dynamically (the client never knows about it), because he thinks you are a
> >router and that you'd be a better default gateway.  You just have to have a
> >multihomed PC because you still need to forward the traffic to the
> >destination, otherwise you'll get caught.
> >
> >It's a pretty good hacking tool and has been ported from *nix to Windows for
> >years.  Makes switches just like hubs again.  Use this with L0phtCrack and
> >you can get NT PW's, etc..
> >
> >
> >""Priscilla Oppenheimer""  wrote in message
> >[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> > > At 06:42 PM 1/2/02, Steven A. Ridder wrote:
> > > >As everyone else has said, this is normal for a shared access network. Look
> > > >for routing protocol updates and other things as well.  On ATT's
> > > >cable-modem network you can see the ospf hello updates, who the DR and BDR
> > > >is and other things.
> > >
> > > Yep, that's true.
> > >
> > > So now we have synergy between this thread and the Passive Interface
> > > thread! I like that! ;-)
> > >
> > > Making the cable interface a passive interface seems like a good idea for
> > > many reasons, including security and not just bandwidth usage. (The
> > > bandwidth used by Hellos has gotta be pretty minimal!)
> > >
> > > >It can be fun.
> > >
> > > A lot of people report seeing other broadcasts too, including NetBIOS,
> > > AppleTalk, etc. It's kind of scary.
> > >
> > > >Try dsniff or some other program and
> > > >you can see all the traffic on that network  :)  Be careful though because
> > > >you will probably get slammed and don't forget to reroute the traffic back
> > > >out or else someone will know something is wrong.
> > >
> > > What's dsniff? What does that let you see? And what's this about having to
> > > reroute? Can you tell us more? THANKS
> > >
> > > Priscilla
> > >
> > >
> > >
> > >
> > > >""Phil Barker""  wrote in message
> > > >[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> > > > > Hi Group,
> > > > >  I have been sniffing my broadband connection to
> > > > > my ISP today and have a few questions.
> > > > >
> > > > >  My main gripe is that I'm being sent around 100
> > > > > Arp requests per minute, which obviously I cannot
> > > > > resolve. These ARP requests are all originating from
> > > > > my default G/W at the ISP trying to resolve MAC
> > > > > addresses of various users. Can anyone confirm if this
> > > > > is usual or unusual. I cannot see this being correct
> > > > > since if I set my router up to be one of these IP
> > > > > addresses I can resolve it to my MAC address Eth 0
> > > > > int' or any other mac-address for that matter.
> > > > >
> > > > >  They also send me DHCP requests, IGMP requests
> > > > > for group 224.0.0.1 (Which I wish I could join) but
> > > > > cannot and lots of their private address information
> > > > > via the above mentioned ARP's.
> > > > >
> > > > > >  I also captured an attempt at an inbound TCP
> > > > > connection on a dynamic port which my router RST,
> > > > > thankfully.
> > > > >
> > > > >  Are they wasting my B/W ?
> > > > >
> > > > > Thanx,
> > > > >
> > > > > Phil
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > 
> > >
> > > Priscilla Oppenheimer
> > > http://www.priscilla.com
> 
>
> Priscilla Oppenheimer
> http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=30774&t=30689
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL

Re: Sniffing my broadband connection to my ISP ??? [7:30689]

2002-01-03 Thread Phil Barker

Thanx for all the posts.

Didn't see the posts yesterday so couldn't take part.
The Server may have been throwing a wobbly.

Yes, I'm on cable (Surfboard 4100).
Just getting my head around not being alone and
sharing the broadcast domain.

My setup is PC->Hub wrote:
> I read up on it. It appears to have been developed for beneficial purposes
> but is also a hacker tool. The written material says it's a set of tools
> actually. The relevant one uses ARP, not ICMP. (There was no mention of ICMP
> being used.) It sends an ARP reply for the IP address of the default
> gateway. Actually it can send an ARP reply for anything. There's no need to
> be multihomed, but IP forwarding must be enabled or you'll get caught, as
> you say, (plus you wouldn't see anything because the target would lose its
> connections).
> 
> Priscilla
> 
> At 07:43 PM 1/2/02, Steven A. Ridder wrote:
> >Dsniff uses icmp default gateway redirects (the ICMP message that tells
> >hosts that a different router has a better path to the destination network).
> >This will automatically make the user's PC redirect all traffic to your PC
> >dynamically (the client never knows about it), because he thinks you are a
> >router and that you'd be a better default gateway.  You just have to have a
> >multihomed PC because you still need to forward the traffic to the
> >destination, otherwise you'll get caught.
> >
> >It's a pretty good hacking tool and has been ported from *nix to Windows for
> >years.  Makes switches just like hubs again.  Use this with L0phtCrack and
> >you can get NT PW's, etc..
> >
> >
> >""Priscilla Oppenheimer""  wrote in message
> >[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> > > At 06:42 PM 1/2/02, Steven A. Ridder wrote:
> > > >As everyone else has said, this is normal for a shared access network. Look
> > > >for routing protocol updates and other things as well.  On ATT's
> > > >cable-modem network you can see the ospf hello updates, who the DR and BDR
> > > >is and other things.
> > >
> > > Yep, that's true.
> > >
> > > So now we have synergy between this thread and the Passive Interface
> > > thread! I like that! ;-)
> > >
> > > Making the cable interface a passive interface seems like a good idea for
> > > many reasons, including security and not just bandwidth usage. (The
> > > bandwidth used by Hellos has gotta be pretty minimal!)
> > >
> > > >It can be fun.
> > >
> > > A lot of people report seeing other broadcasts too, including NetBIOS,
> > > AppleTalk, etc. It's kind of scary.
> > >
> > > >Try dsniff or some other program and
> > > >you can see all the traffic on that network  :)  Be careful though because
> > > >you will probably get slammed and don't forget to reroute the traffic back
> > > >out or else someone will know something is wrong.
> > >
> > > What's dsniff? What does that let you see? And what's this about having to
> > > reroute? Can you tell us more? THANKS
> > >
> > > Priscilla
> > >
> > >
> > >
> > >
> > > >""Phil Barker""  wrote in message
> > > >[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> > > > > Hi Group,
> > > > > >  I have been sniffing my broadband connection to
> > > > > > my ISP today and have a few questions.
> > > > > >
> > > > > >  My main gripe is that I'm being sent around 100
> > > > > > Arp requests per minute, which obviously I cannot
> > > > > > resolve. These ARP requests are all originating from
> > > > > > my default G/W at the ISP trying to resolve MAC
> > > > > > addresses of various users. Can anyone confirm if this
> > > > > > is usual or unusual. I cannot see this being correct
> > > > > > since if I set my router up to be one of these IP
> > > > > > addresses I can resolve it to my MAC address Eth 0
> > > > > > int' or any other mac-address for that matter.
> > > > > >
> > > > > >  They also send me DHCP requests, IGMP requests
> > > > > > for group 224.0.0.1 (Which I wish I could join) but
> > > > > > cannot and lots of their private address information
> > > > > > via the above mentioned ARP's.
> > > > > >
> > > > > >  I also captured an attempt at an inbound TCP
> > > > > > connection on a dynamic port which my router RST,
> > > > > thankfully.
> > > > >
> > > > >  Are they wasting my B/W ?
> > > > >
> > > > > Thanx,
> > > > >
> > > > > Phil
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > 
> > >
> > > Priscilla Oppenheimer
> > > http://www.priscilla.com
> 
> 
> Priscilla Oppenheimer
> http://www.priscilla.com
[EMAIL PROTECTED] 


RE: Sniffing my broadband connection to my ISP ??? [7:30689]

2002-01-03 Thread Jim Brown

O.K. let me rephrase this, A router would generate an ARP request and ARP
reply if the source network and destination network were directly attached
and proxy ARP were enabled.

-----Original Message-----
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, January 02, 2002 5:08 PM
To: [EMAIL PROTECTED]
Subject: RE: Sniffing my broadband connection to my ISP ??? [7:30689]


At 04:37 PM 1/2/02, Jim Brown wrote:
>Priscilla,
>
>Wouldn't proxy ARP generate an ARP request and an ARP reply if the 
>source and target networks were directly connected to the router?

No. Proxy ARP causes the router to generate ARP replies. It has no effect 
on ARP requests.

ARP requests are generated by normal ARP when a node tries to find the MAC 
address of another station. They are generated by end stations and by the 
router. The router has to find the MAC address just like any other station 
does.

He is sniffing on the broadband connection which presumably is shared by 
all hosts in his "area" (sometimes called a node in cable modem designs). 
He can see their ARPs and he can see the router's ARPs.

Proxy ARP allows devices to communicate with devices on the other side of 
the router without having to know that the router is there. In this case, 
end stations send ARP requests for local and non-local devices. For 
non-local addresses, the router responds with its own MAC address.

Priscilla



>-----Original Message-----
>From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
>Sent: Wednesday, January 02, 2002 3:54 PM
>To: [EMAIL PROTECTED]
>Subject: Re: Sniffing my broadband connection to my ISP ??? [7:30689]
>
>
>Having proxy ARP enabled on the router would cause the router to send 
>ARP replies not requests.
>
>The fact that he sees ARP requests isn't surprising. He's on a shared 
>network. On a shared network you see all the ARP requests from your 
>local router to devices on your network.
>
>Priscilla
>
>At 05:24 PM 1/2/02, Erick B. wrote:
> >Hi,
> >
> >Just to expand on this...
> >
> >The 224.0.0.1 multicast query you're seeing is coming
> >from the cable modem I bet. I have a Surfboard 3100
> >cable modem and it sends out IGMP queries on 224.0.0.1 frequently. 
> >I'm not sure why the cable modem is doing multicast and haven't 
> >really looked into it. I think it may only be local to the LAN 
> >interface toward your PC but not 100% positive. You can use your web 
> >browser to view the log and status of the SB3100 cable modem by the 
> >way, you can see the IP in the sniffer trace.
> >
> >If the ARP requests are originating from the ISP default-gateway 
> >(first hop router for you) then maybe they have proxy arp enabled.
> >
> >The DHCP requests could be from other users on your
> >segment, or maybe forwarded to a DHCP server on your
> >segment from another segment.
> >
> >Also, since you're on a shared segment with others
> >they may have set up their own networks, etc with
> >their own address space, etc that you might see
> >packets from.
> >
> >Erick
> >
> >--- Priscilla Oppenheimer  wrote:
> > > It sounds like you are sharing the broadcast domain
> > > with a bunch of other
> > > stations. The network is bridging on the edge. I
> > > think this is normal for
> > > cable modem systems. Is that what you are on?
> > >
> > > Priscilla
> > >
> > > At 12:23 PM 1/2/02, Phil Barker wrote:
> > > >Hi Group,
> > > > >  I have been sniffing my broadband connection to
> > > > >my ISP today and have a few questions.
> > > > >
> > > > >  My main gripe is that I'm being sent around 100
> > > > >Arp requests per minute, which obviously I cannot resolve. These
> > > > >ARP requests are all originating from
> > > > >my default G/W at the ISP trying to resolve MAC addresses of
> > > > >various users. Can anyone confirm if this
> > > > >is usual or unusual. I cannot see this being correct
> > > > >since if I set my router up to be one of these IP addresses I can
> > > > >resolve it to my MAC address Eth 0 int' or any other mac-address
> > > > >for that matter.
> > > > >
> > > > >  They also send me DHCP requests, IGMP requests
> > > > >for group 224.0.0.1 (Which I wish I could join) but cannot and
> > > > >lots of their private address information
> > > > >via the above mentioned ARP's.
> > > >
> > > >  I also cap

RE: Sniffing my broadband connection to my ISP ??? [7:30689]

2002-01-03 Thread Priscilla Oppenheimer

Well, he's only sniffing on one network. He can't see the ARP requests 
going out the other side.

Perhaps you're referring to a case where a single interface (the LAN on 
which he is sniffing) has more than one network on it using secondary 
addresses or subinterfaces.

Priscilla

At 10:44 AM 1/3/02, Jim Brown wrote:
>O.K. let me rephrase this, A router would generate an ARP request and ARP
>reply if the source network and destination network were directly attached
>and proxy ARP were enabled.
>
>-----Original Message-----
>From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
>Sent: Wednesday, January 02, 2002 5:08 PM
>To: [EMAIL PROTECTED]
>Subject: RE: Sniffing my broadband connection to my ISP ??? [7:30689]
>
>
>At 04:37 PM 1/2/02, Jim Brown wrote:
> >Priscilla,
> >
> >Wouldn't proxy ARP generate an ARP request and an ARP reply if the
> >source and target networks were directly connected to the router?
>
>No. Proxy ARP causes the router to generate ARP replies. It has no effect
>on ARP requests.
>
>ARP requests are generated by normal ARP when a node tries to find the MAC
>address of another station. They are generated by end stations and by the
>router. The router has to find the MAC address just like any other station
>does.
>
>He is sniffing on the broadband connection which presumably is shared by
>all hosts in his "area" (sometimes called a node in cable modem designs).
>He can see their ARPs and he can see the router's ARPs.
>
>Proxy ARP allows devices to communicate with devices on the other side of
>the router without having to know that the router is there. In this case,
>end stations send ARP requests for local and non-local devices. For
>non-local addresses, the router responds with its own MAC address.
>
>Priscilla
>
>
>
> >-----Original Message-----
> >From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
> >Sent: Wednesday, January 02, 2002 3:54 PM
> >To: [EMAIL PROTECTED]
> >Subject: Re: Sniffing my broadband connection to my ISP ??? [7:30689]
> >
> >
> >Having proxy ARP enabled on the router would cause the router to send
> >ARP replies not requests.
> >
> >The fact that he sees ARP requests isn't surprising. He's on a shared
> >network. On a shared network you see all the ARP requests from your
> >local router to devices on your network.
> >
> >Priscilla
> >
> >At 05:24 PM 1/2/02, Erick B. wrote:
> > >Hi,
> > >
> > >Just to expand on this...
> > >
> > >The 224.0.0.1 multicast query you're seeing is coming
> > >from the cable modem I bet. I have a Surfboard 3100
> > >cable modem and it sends out IGMP queries on 224.0.0.1 frequently.
> > >I'm not sure why the cable modem is doing multicast and haven't
> > >really looked into it. I think it may only be local to the LAN
> > >interface toward your PC but not 100% positive. You can use your web
> > >browser to view the log and status of the SB3100 cable modem by the
> > >way, you can see the IP in the sniffer trace.
> > >
> > >If the ARP requests are originating from the ISP default-gateway
> > >(first hop router for you) then maybe they have proxy arp enabled.
> > >
> > >The DHCP requests could be from other users on your
> > >segment, or maybe forwarded to a DHCP server on your
> > >segment from another segment.
> > >
> > >Also, since you're on a shared segment with others
> > >they may have set up their own networks, etc with
> > >their own address space, etc that you might see
> > >packets from.
> > >
> > >Erick
> > >
> > >--- Priscilla Oppenheimer  wrote:
> > > > It sounds like you are sharing the broadcast domain
> > > > with a bunch of other
> > > > stations. The network is bridging on the edge. I
> > > > think this is normal for
> > > > cable modem systems. Is that what you are on?
> > > >
> > > > Priscilla
> > > >
> > > > At 12:23 PM 1/2/02, Phil Barker wrote:
> > > > >Hi Group,
> > > > > >  I have been sniffing my broadband connection to
> > > > > >my ISP today and have a few questions.
> > > > > >
> > > > > >  My main gripe is that I'm being sent around 100
> > > > > >Arp requests per minute, which obviously I cannot resolve. These
> > > > > >ARP requests are all originating from
> > > > >my default G/W at