Re: [expert] Re: mysterious incoming packets
Here are some articles

Cable modems transmitting Ethernet broadcast packets to every subscriber on the neighborhood are a significant vulnerability, easily exploited by a technically savvy attacker. For example, using a freely available program called arpwatch, I can scan for the ARP packets and detect how many subscribers are on my cable segment. Since MediaOne has assigned host names that look a lot like user names (e.g. sjones.ne.mediaone.net), I can learn the names of my cyber-neighbors. I can also learn when the ARP packets are sent, and establish when my neighbors are using their computers -- and when they are at work.

The ARP problem, meanwhile, will be solved by the next-generation cable modems that implement the so-called DOCSIS 1.1 protocol. Instead of broadcasting ARP packets over the entire cable segment, DOCSIS 1.1 makes sure that each customer will only see the ARP messages intended for his or her machine. As an added protection, DOCSIS 1.1 is capable of encrypting all information sent over the cable itself, with a separate encryption key for each customer. This security measure prevents an attacker from splicing their own cable modem into the backbone, the way that some people used to hook up unauthorized cable decoders to get free cable TV service

A third issue with large bridging networks concerns security and what is known as Address Resolution Protocol, or ARP. In a bridging network, a broadcast is issued to every user-perhaps thousands-to locate a particular address. But perhaps another user chooses to write a simple program that listens for broadcast requests and erroneously replies that it is the intended recipient. This hacker can continue to intercept Bob's messages as long as he or she wishes, and nothing in the network will automatically prevent it.

Brandon Caudle -- 15yr Old Avid Unix User (HP-UX,FreeBSD,Linux)

From: 'Glenn Johnson' [EMAIL PROTECTED]
To: Jose M. Sanchez [EMAIL PROTECTED]
CC: 'Brandon Caudle' [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: [expert] Re: mysterious incoming packets
Date: Sun, 5 Aug 2001 00:33:11 -0500

On Sun, Aug 05, 2001 at 01:06:12AM -0400, Jose M. Sanchez wrote:
> It's unlikely that this is a problem given the relatively ARP low rate you are getting. A normal Cable modem node may have over 10,000 users. The head-end system has to update its table of available (connected) IP's almost constantly. If you call the cable company, all you are going to get will be a "yeah, well, this is normal." response...

Well, that may be the case. The thing is though, it is not normal. I have had this cable modem service for about a year and this is the first time I have seen this behavior. Even today, this morning everything was normal (no activity) then at about noon CST the arp requests started flooding in.

--
Glenn Johnson [EMAIL PROTECTED]
Re: [expert] Re: mysterious incoming packets
On Sun, 5 Aug 2001, 'Glenn Johnson' wrote:
> On Sun, Aug 05, 2001 at 01:06:12AM -0400, Jose M. Sanchez wrote:
> > It's unlikely that this is a problem given the relatively ARP low rate you are getting. A normal Cable modem node may have over 10,000 users. The head-end system has to update its table of available (connected) IP's almost constantly. If you call the cable company, all you are going to get will be a "yeah, well, this is normal." response...
>
> Well, that may be the case. The thing is though, it is not normal. I have had this cable modem service for about a year and this is the first time I have seen this behavior. Even today, this morning everything was normal (no activity) then at about noon CST the arp requests started flooding in.

I'm having the same phenomenon occur... I don't know if it's the ARP thing you are talking about, but all day long gkrellm has been showing around 2k on eth0 (I too have a cable modem). Before last night, that never happened before. I'd see minuscule rates from time to time, for a moment, but never anywhere near 1k...

peace,
Rog
RE: [expert] Re: mysterious incoming packets
If you want to REALLY see what's going on, open an Xterm Window and fire up iptraf (which runs in text mode) as the root user. In its configuration screen turn on PROMISCUOUS mode and Reverse DNS resolution. Then go to IP Traffic Monitor for the interface connected to your Cable modem. You'll see the ARP requests at the bottom, while any other TCP traffic at top, including source and destinations...

And I'm also seeing a slew of ARP requests today... Which is nominal for @home

-JMS

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roger Sherman
Sent: Sunday, August 05, 2001 3:47 AM
To: 'Glenn Johnson'
Cc: Jose M. Sanchez; 'Brandon Caudle'; [EMAIL PROTECTED]
Subject: Re: [expert] Re: mysterious incoming packets

On Sun, 5 Aug 2001, 'Glenn Johnson' wrote:
> On Sun, Aug 05, 2001 at 01:06:12AM -0400, Jose M. Sanchez wrote:
> > It's unlikely that this is a problem given the relatively ARP low rate you are getting. A normal Cable modem node may have over 10,000 users. The head-end system has to update its table of available (connected) IP's almost constantly. If you call the cable company, all you are going to get will be a "yeah, well, this is normal." response...
>
> Well, that may be the case. The thing is though, it is not normal. I have had this cable modem service for about a year and this is the first time I have seen this behavior. Even today, this morning everything was normal (no activity) then at about noon CST the arp requests started flooding in.

I'm having the same phenomenon occur... I don't know if it's the ARP thing you are talking about, but all day long gkrellm has been showing around 2k on eth0 (I too have a cable modem). Before last night, that never happened before. I'd see minuscule rates from time to time, for a moment, but never anywhere near 1k...

peace,
Rog
Re: [expert] Ext2 - ReiserFS ?
On Sun, 5 Aug 2001, Sevatio wrote:
> I'm considering a switch from Ext2 to ReiserFS or anything better than Ext2. Currently I'm LM8.0.
>
> What's your opinion on the stability of the Reiser File System?
> Is there an improvement for Ext2 on the horizon?
> What software would be best at converting the Ext2 partitions to ReiserFS?
>
> TIA,
> Sevatio

Use ext3 - you can convert ext2 - ext3 without any pain.

___
Mvh./Yours sincerely
Lars

Lars Roland Kristiansen | Email:[EMAIL PROTECTED]
Stud. Scient. Mathematics | TLF(home):39699914 - 116
Copenhagen University - | Home address: Bispebjerg parkalle
Institute for Mathematical Sciences | 22 - 2400 københavn NV - room 116.
Url: www.math.ku.dk | Politics is for the moment, equations are forever - Albert Einstein
Re: [expert] BASH
> Can i make bash ask me - when i use rm -rf.

remove the f ! if that doesn't work, try 'unalias rm'

Thomas.
Re: [expert] BASH
> Can i make bash ask me - when i use rm -rf.

If you logon a shell, typically the shell will a file called, say, .bashrc, in your home directory. Most of the linux distribution alias rm to rm -i if the user is root. man rm you will see.

Yours,
Simon.
Re: [expert] Re: mysterious incoming packets
At 10:57 AM 08/05/2001 -0400, Pierre Fortin wrote:
> Glenn Johnson wrote:
> > Why would these arp requests occur as a steady stream, all going to primarily one machine it looks like? This just started today. I usually see an occasional flash of the activity light on the cable modem but the activity light is almost burning steady now. Here is a snippet of output from tcpdump.

This could be much worse... We get all kinds of arp, netbios, smb, and ipx / spx traffic on our nic from an entire campus network (something like 4-5,000 nodes). Some 100+ packets are seen on our nic every second. Since we never respond to the majority of these packets, it isn't a big deal and it is normal. Now if only they would get rid of the netbios traffic (which our IT group says accounts for between 40-50% of all network traffic)

Michael

--
Michael Viron
Registered Linux User #81978
Senior Systems Administration Consultant
Web Spinners, University of West Florida
Re: [expert] How to change IRQ number????
check if your bios can control the assigning of the IRQ ... some bioses can do that.

--- X - A - W - K [EMAIL PROTECTED] wrote:
> Hi,
> I have LM 8.0 on my laptop and I have problems with PCMCIA card. It looks like sound card and PCMCIA card bus have the same IRQ number (according to the dmesg|more). I don't know if it is possible, but it looks like. System does recognize CardBus, but can't detect it or something like that. So I would like to change it, I want to make work my PCMCIA. Does anybody know how to change IRQ numbers? I was trying command cardctl and it doesn't work, just because there is no eth0 device... What shall I do???
> Thanks for help.
> X - A - W - K
Re: [expert] Mouse locks up in KDE
hi Larry

i have a similar problem when i first used mdk8... X hangs up as soon as its loaded... and the keyboard is hanged too. cant ctrl-alt-fX to any console. i have verified that even though X is hanged, i can still login thru the network and make a proper shutdown.

i figured that on my system (dell machine) its having problems with keyboard and mouse using psaux... i used a serial mouse then rebooted ... voila! problem solved.

i dont know if this is the same case as yours though ...

dianne

--- Larry Alkoff [EMAIL PROTECTED] wrote:
> When I click on an icon in KDE it locks up the pointer about 20% of the time. Since ctl-alt-bs or ctl-alt-del doesn't work at all I have to hit reset. It's pretty hard to get very far into an X session without having to hit reset. GPM is not installed on my machine.
>
> This is a new Mandrake 8.0 install on a AMD K2-500 system which ran Mandrake 7.2 flawlessly. Plenty of memory and disk - and the hardware never glitches. The mouse is a Logitech optical ps/2 mouse.
>
> My XF86Config-4 looks like this:
>
> # Pointer Section
> Section "InputDevice"
>     Identifier "Mouse1"
>     Driver "mouse"
>     Option "Protocol" "IMPS/2"
>     Option "Device" "/dev/psaux"
>     Option "ZaxisMapping" "4 5"
> #   Option "Emulate3Buttons"
> #   Option "Emulate3Timeout" "50"
> #   Option "ChordMiddle"
> EndSection
>
> Any help or comments would be greatly appreciated. The system is substantially unusable right now except in console mode.
>
> Thanks, Larry Alkoff
>
> Larry Alkoff N2LA - Austin TX
Re: [expert] Re: mysterious incoming packets
could this be really CODE RED in action? the worm scans the range of ips of an infected machine and verifies if there are MIIS lying around to conquer.

i got a lot of those funny default.idaXXX something on my apache logs and they are coming from a variety of ip addresses ... of which when i try to check are either saying hacked by chinese or page under construction.

well, just a thought

--- Pierre Fortin [EMAIL PROTECTED] wrote:
> Glenn Johnson wrote:
> > Why would these arp requests occur as a steady stream, all going to primarily one machine it looks like? This just started today. I usually see an occasional flash of the activity light on the cable modem but the activity light is almost burning steady now. Here is a snippet of output from tcpdump.
> >
> > 23:11:45.429645 arp who-has 24.158.211.28 tell 24.158.208.1
> > 23:11:45.597693 arp who-has 24.158.211.128 tell 24.158.208.1
> > 23:11:45.603525 arp who-has 24.158.209.52 tell 24.158.208.1
> > 23:11:45.648017 arp who-has 24.158.213.195 tell 24.158.208.1
> > 23:11:45.701103 arp who-has 24.158.213.186 tell 24.158.208.1
> > 23:11:45.799656 arp who-has 24.158.208.6 tell 24.158.208.1
> > 23:11:45.803653 arp who-has 24.158.208.213 tell 24.158.208.1
> > 23:11:45.807188 arp who-has 24.158.213.2 tell 24.158.208.1
> > 23:11:45.814144 arp who-has 24.158.211.254 tell 24.158.208.1
> > 23:11:45.833711 arp who-has 24.158.213.253 tell 24.158.208.1
> > 23:11:45.856152 arp who-has 24.158.210.61 tell 24.158.208.1
> > 23:11:45.906593 arp who-has 24.158.210.26 tell 24.158.208.1
> > 23:11:45.943625 arp who-has 24.158.223.226 tell 24.158.223.129
> > 23:11:45.949866 arp who-has 24.158.222.24 tell 24.158.222.1
> > 23:11:45.966988 arp who-has 24.158.212.132 tell 24.158.208.1
> > 23:11:46.052650 arp who-has 24.158.212.103 tell 24.158.208.1
> > 23:11:46.065411 arp who-has 24.158.220.82 tell 24.158.220.1
> > 23:11:46.156773 arp who-has 24.158.220.139 tell 24.158.220.1
> > 23:11:46.164731 arp who-has 24.158.215.52 tell 24.158.208.1
> > 23:11:46.169593 arp who-has 24.158.209.195 tell 24.158.208.1
> >
> > It seems to me that there is some problem here. How would you suggest I approach the cable company with this information?
>
> This is not TO 24.158.208.1, rather FROM... this indicates that there is traffic coming from out there into your segment looking for the IPs in the left column... since there are no duplicates in that sample, it appears someone is scanning the range... but scanning with only one packet does nothing for the scanning host, it just fills the router's (24.158.208.1) arp cache... the router waits for the next packet... if it comes, and there's a cache entry, the scanner's packet will reach the target host (you?)... if it doesn't come, the cache will timeout and flush the entry eventually. If the scan cycle is longer than the ARP cache timeout, it's just a waste of bandwidth...
>
> Unless you see the next packet from the scanner, only the router knows the scanner's IP (likely forged) for the brief time it converts that packet into an ARP if there's no arp entry for the target host. If there is an entry, then you could see the scanner's IP.
>
> If one was to write an arpresponder (had one many years ago to overcome a network topology issue), it would cause havoc on this type of network... unless you can also see the unicast ARP replies, you can't tell if the host really exists from your vantage point. If you send an ARP reply for the ARPed for host, one of two things will happen...
> 1. you respond first; no problem, since the last ARP reply seen is used.
> 2. you respond later; you own the IP address (unless someone else also steals it or the real target is really slow to respond...
>
> Trying to steal IPs this way is a crap shoot trying to get in last and before the first real data packet which quickly follows...
>
> HTH,
> Pierre
>
> PS: Sorry I've been quiet lately... lots of personal issues...
Re: [expert] PCI IRQ conflict?
what is the output of cat /proc/pci (without the quotes) that might give us a little more info... might be USB?

On Friday 03 August 2001 07:44, George Petri wrote:
> Hello!
>
> I am using Mandrake 7.2
>
> After I compiled a 2.4.4 kernel (not from Mandrake, but the official one), I get this message, at the console (CTRL+ALT+F1) a short while after X has loaded:
>
> PCI: Found IRQ 9 for device 00:0c.0
> PCI: The same IRQ used for device 00:0e.0
>
> lspci shows:
>
> 00:00.0 Host bridge: Intel Corporation 440BX/ZX - 82443BX/ZX Host bridge (rev 03)
> 00:01.0 PCI bridge: Intel Corporation 440BX/ZX - 82443BX/ZX AGP bridge (rev 03)
> 00:07.0 ISA bridge: Intel Corporation 82371AB PIIX4 ISA (rev 02)
> 00:07.1 IDE interface: Intel Corporation 82371AB PIIX4 IDE (rev 01)
> 00:07.2 USB Controller: Intel Corporation 82371AB PIIX4 USB (rev 01)
> 00:07.3 Bridge: Intel Corporation 82371AB PIIX4 ACPI (rev 02)
> 00:0c.0 Multimedia audio controller: Ensoniq ES1371 [AudioPCI-97] (rev 04)
> 00:0d.0 Communication controller: Lucent Microelectronics WinModem 56k (rev 01)
> 00:0e.0 Ethernet controller: Macronix, Inc. [MXIC] MX987x5 (rev 25)
> 01:00.0 VGA compatible controller: NVidia / SGS Thomson (Joint Venture) Riva128 (rev 22)
>
> I am using a Pentium II-based motherboard.
>
> Is this IRQ conflict bad because both my sound card and Ethernet card (kernel module: tulip) work alright? Actually, come to think of it, my 100 MBit Ethernet Card (a cheap US$15 Skymaster) in both Windows and Linux has only been achieving 200KB/s. Could it be due to this IRQ conflict? How do I fix this?
>
> All help is appreciated!
>
> Thanks,
> George
Re: [expert] Re: mysterious incoming packets
DM wrote:
> could this be really CODE RED in action? the worm scans the range of ips of an infected machine and verifies if there are MIIS lying around to conquer.
>
> i got a lot of those funny default.idaXXX something on my apache logs and they are coming from a variety of ip addresses ... of which when i try to check are either saying hacked by chinese or page under construction.
>
> well, just a thought
>
> --- Pierre Fortin [EMAIL PROTECTED] wrote:

I've noticed those too and with everything else going on in my life right now, had not associated them to CODE RED... Since the addresses are obviously bogus, and no dups, there is not much chance of finding the perp yet... but I did add:

default.ida: You're starting to irritate me...! Go away

in all my virtual hosts... no need to add html codes... I know it probably doesn't help anything; but I'm hoping the perp gets an unexpected response and stops probing... I thought about returning a HUGE file of ASCII chars; but that would just hose my uplink sending to innocent or non-existent hosts since the return IPs are bogus...

Not sure what these packets are really trying to do (haven't read the CODE RED bio); but all the packets are different in the area that could be code.

Pierre
Re: [expert] How to change IRQ number????
It looks like bios doesn't control assigning of irqs. At least there is no any option to do it.

- Original Message -
From: DM [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, August 05, 2001 11:08 AM
Subject: Re: [expert] How to change IRQ number

check if your bios can control the assigning of the IRQ ... some bioses can do that.

--- X - A - W - K [EMAIL PROTECTED] wrote:
> Hi,
> I have LM 8.0 on my laptop and I have problems with PCMCIA card. It looks like sound card and PCMCIA card bus have the same IRQ number (according to the dmesg|more). I don't know if it is possible, but it looks like. System does recognize CardBus, but can't detect it or something like that. So I would like to change it, I want to make work my PCMCIA. Does anybody know how to change IRQ numbers? I was trying command cardctl and it doesn't work, just because there is no eth0 device... What shall I do???
> Thanks for help.
> X - A - W - K
[expert] MDK80 on Pentium 200 MMX WITH USB CARD
Hi,

I have installed successfully MDK80 on Pentium 200MMX. I was thinking to use USB and so inserted a card in the system (VIA Chipset). But sometimes it locks completely the system with original kernel distribution 2.4.3 and 2.2.19 .. it was hard to discover until I take out the USB Card.

Pierfrancesco Tateo
Re: [expert] Re: mysterious incoming packets
On Sunday 05 August 2001 11:20, DM wrote:
> could this be really CODE RED in action? the worm scans the range of ips of an infected machine and verifies if there are MIIS lying around to conquer.
>
> i got a lot of those funny default.idaXXX something on my apache logs and they are coming from a variety of ip addresses ... of which when i try to check are either saying hacked by chinese or page under construction.

So that's what all those /default.ida? and /default.ida? entries in my access_log are...

--
Ron Johnson, Jr.     Home: [EMAIL PROTECTED]
Jefferson, LA USA    http://ronandheather.dhs.org

Our computers and their computers are the same color. The conversion should be no problem!
- Unknown
Re: [expert] Ext2 - ReiserFS ?
--- Lars Roland Kristiansen [EMAIL PROTECTED] wrote:
> On Sun, 5 Aug 2001, Sevatio wrote:
> > I'm considering a switch from Ext2 to ReiserFS or anything better than Ext2. Currently I'm LM8.0.
> >
> > What's your opinion on the stability of the Reiser File System?
> > Is there an improvement for Ext2 on the horizon?

Have a look at this page and decide by yourself
http://aurora.zemris.fer.hr/filesystems/small.html

> > What software would be best at converting the Ext2 partitions to ReiserFS?
> >
> > TIA,
> > Sevatio
>
> Use ext3 - you can convert ext2 - ext3 without any pain.
>
> ___
> Mvh./Yours sincerely
> Lars
>
> Lars Roland Kristiansen | Email: [EMAIL PROTECTED]
> Stud. Scient. Mathematics | TLF(home): 39699914 - 116
> Copenhagen University - | Home address: Bispebjerg parkalle
> Institute for Mathematical Sciences | 22 - 2400 københavn NV - room 116.
> Url: www.math.ku.dk | Politics is for the moment, equations are forever - Albert Einstein

=
S.KIEU
Re: [expert] Lightweight window managers
I use FVWM2, and have for quite a few years now. I tried the more recent versions of KDE and Gnome, and have tried Afterstep, Icewm, XFCE, Qvwm, and a few others, but have gone back to fvwm. Fvwm2 is now on version 2.4, and I find it very configurable. I can do whatever I want with it, and can make it look any way I like.

Unfortunately, Mandrake chose not to include it with 8.0. And the version they do have available is stuck at Fvwm 2.2. However, the 2.4 edition is available via the Fvwm web site.

Brian Schroeder

> I'd like to get the recommendations of the experts for a ranking of lightweight window managers you've used, with any opinions you'd like to share - i.e., So-and-so wm is really light, but it's just too damn inconvenient, or hard on the eyes, or isn't really light, or doesn't release memory properly, etc.
>
> Thanks,
> Edmund
[expert] Mandrake Control Center broken
I am having trouble with the Mandrake Control Center, it is not affecting the changes I am making. I had to reinstall LM8.0 freq2 after a few problems. Now I am finding that I cannot set my mouse correctly, I set it to a wheel mouse in MCC and edit the XFConfig-4 file for a wheel mouse, restart KDE and it is back to where I started. I tried again, select wheel mouse in MCC, switch to something else and then go back, it is set back to generic. Also, I am running a dual boot with Win XP. It does not work with LILO but does with GRUB. I cannot switch to GRUB in MCC. It says LILO regardless of what I do. Both of these were working fine before I had to reinstall. Questions: Can I set these things manually ? Also, what can I do to fix MCC, I don't know what package it is to try a reinstall. Thanks, Chuck
[expert] BASH
Can i make bash ask me - when i use rm -rf.

___
Mvh./Yours sincerely
Lars

Lars Roland Kristiansen | Email:[EMAIL PROTECTED]
Stud. Scient. Mathematics | TLF(home):39699914 - 116
Copenhagen University - | Home address: Bispebjerg parkalle
Institute for Mathematical Sciences | 22 - 2400 københavn NV - room 116.
Url: www.math.ku.dk | Politics is for the moment, equations are forever - Albert Einstein
Re: [expert] Re: mysterious incoming packets
Glenn Johnson wrote:
> Why would these arp requests occur as a steady stream, all going to primarily one machine it looks like? This just started today. I usually see an occasional flash of the activity light on the cable modem but the activity light is almost burning steady now. Here is a snippet of output from tcpdump.
>
> 23:11:45.429645 arp who-has 24.158.211.28 tell 24.158.208.1
> 23:11:45.597693 arp who-has 24.158.211.128 tell 24.158.208.1
> 23:11:45.603525 arp who-has 24.158.209.52 tell 24.158.208.1
> 23:11:45.648017 arp who-has 24.158.213.195 tell 24.158.208.1
> 23:11:45.701103 arp who-has 24.158.213.186 tell 24.158.208.1
> 23:11:45.799656 arp who-has 24.158.208.6 tell 24.158.208.1
> 23:11:45.803653 arp who-has 24.158.208.213 tell 24.158.208.1
> 23:11:45.807188 arp who-has 24.158.213.2 tell 24.158.208.1
> 23:11:45.814144 arp who-has 24.158.211.254 tell 24.158.208.1
> 23:11:45.833711 arp who-has 24.158.213.253 tell 24.158.208.1
> 23:11:45.856152 arp who-has 24.158.210.61 tell 24.158.208.1
> 23:11:45.906593 arp who-has 24.158.210.26 tell 24.158.208.1
> 23:11:45.943625 arp who-has 24.158.223.226 tell 24.158.223.129
> 23:11:45.949866 arp who-has 24.158.222.24 tell 24.158.222.1
> 23:11:45.966988 arp who-has 24.158.212.132 tell 24.158.208.1
> 23:11:46.052650 arp who-has 24.158.212.103 tell 24.158.208.1
> 23:11:46.065411 arp who-has 24.158.220.82 tell 24.158.220.1
> 23:11:46.156773 arp who-has 24.158.220.139 tell 24.158.220.1
> 23:11:46.164731 arp who-has 24.158.215.52 tell 24.158.208.1
> 23:11:46.169593 arp who-has 24.158.209.195 tell 24.158.208.1
>
> It seems to me that there is some problem here. How would you suggest I approach the cable company with this information?

This is not TO 24.158.208.1, rather FROM... this indicates that there is traffic coming from out there into your segment looking for the IPs in the left column... since there are no duplicates in that sample, it appears someone is scanning the range... but scanning with only one packet does nothing for the scanning host, it just fills the router's (24.158.208.1) arp cache... the router waits for the next packet... if it comes, and there's a cache entry, the scanner's packet will reach the target host (you?)... if it doesn't come, the cache will timeout and flush the entry eventually. If the scan cycle is longer than the ARP cache timeout, it's just a waste of bandwidth...

Unless you see the next packet from the scanner, only the router knows the scanner's IP (likely forged) for the brief time it converts that packet into an ARP if there's no arp entry for the target host. If there is an entry, then you could see the scanner's IP.

If one was to write an arpresponder (had one many years ago to overcome a network topology issue), it would cause havoc on this type of network... unless you can also see the unicast ARP replies, you can't tell if the host really exists from your vantage point. If you send an ARP reply for the ARPed for host, one of two things will happen...
1. you respond first; no problem, since the last ARP reply seen is used.
2. you respond later; you own the IP address (unless someone else also steals it or the real target is really slow to respond...

Trying to steal IPs this way is a crap shoot trying to get in last and before the first real data packet which quickly follows...

HTH,
Pierre

PS: Sorry I've been quiet lately... lots of personal issues...
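
The reading of the tcpdump snippet in the message above (who is asking, whether any target repeats, how fast the requests arrive), as an added example that is not part of the original thread. The function names and the `sweep_min_targets` threshold are assumptions made for this illustration; the sample lines are the ones quoted in the thread.

```python
import ipaddress
import re
from collections import defaultdict

# The 20 ARP lines from the tcpdump snippet quoted in the thread.
SAMPLE = """\
23:11:45.429645 arp who-has 24.158.211.28 tell 24.158.208.1
23:11:45.597693 arp who-has 24.158.211.128 tell 24.158.208.1
23:11:45.603525 arp who-has 24.158.209.52 tell 24.158.208.1
23:11:45.648017 arp who-has 24.158.213.195 tell 24.158.208.1
23:11:45.701103 arp who-has 24.158.213.186 tell 24.158.208.1
23:11:45.799656 arp who-has 24.158.208.6 tell 24.158.208.1
23:11:45.803653 arp who-has 24.158.208.213 tell 24.158.208.1
23:11:45.807188 arp who-has 24.158.213.2 tell 24.158.208.1
23:11:45.814144 arp who-has 24.158.211.254 tell 24.158.208.1
23:11:45.833711 arp who-has 24.158.213.253 tell 24.158.208.1
23:11:45.856152 arp who-has 24.158.210.61 tell 24.158.208.1
23:11:45.906593 arp who-has 24.158.210.26 tell 24.158.208.1
23:11:45.943625 arp who-has 24.158.223.226 tell 24.158.223.129
23:11:45.949866 arp who-has 24.158.222.24 tell 24.158.222.1
23:11:45.966988 arp who-has 24.158.212.132 tell 24.158.208.1
23:11:46.052650 arp who-has 24.158.212.103 tell 24.158.208.1
23:11:46.065411 arp who-has 24.158.220.82 tell 24.158.220.1
23:11:46.156773 arp who-has 24.158.220.139 tell 24.158.220.1
23:11:46.164731 arp who-has 24.158.215.52 tell 24.158.208.1
23:11:46.169593 arp who-has 24.158.209.195 tell 24.158.208.1
"""

LINE_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d\.\d+) arp who-has (\S+) tell (\S+)$")


def parse(text):
    """Yield (seconds_since_midnight, target_ip, requester_ip) per request."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not an ARP who-has line
        h, mi, s, target, requester = m.groups()
        yield int(h) * 3600 + int(mi) * 60 + float(s), target, requester


def covering_prefix(ips):
    """Smallest single CIDR block that contains every address in ips."""
    ints = [int(ipaddress.IPv4Address(ip)) for ip in ips]
    lo, hi = min(ints), max(ints)
    host_bits = (lo ^ hi).bit_length()
    return str(ipaddress.IPv4Network((lo >> host_bits << host_bits,
                                      32 - host_bits)))


def summarize(text, sweep_min_targets=10):
    """Per-requester statistics; the threshold is an assumption, tune it."""
    by_requester = defaultdict(list)
    for secs, target, requester in parse(text):
        by_requester[requester].append((secs, target))
    report = {}
    for requester, events in by_requester.items():
        times = [t for t, _ in events]
        targets = [ip for _, ip in events]
        distinct = len(set(targets))
        span = max(times) - min(times)
        report[requester] = {
            "requests": len(events),
            "distinct_targets": distinct,
            "repeats": len(events) - distinct,
            "rate_per_sec": round(len(events) / span, 1) if span else None,
            "covering_prefix": covering_prefix(targets),
            # Many different targets, none asked for twice: the pattern
            # the reply reads as a walk across the address range.
            "sweep_like": distinct >= sweep_min_targets
                          and distinct == len(events),
        }
    return report


if __name__ == "__main__":
    for requester, stats in sorted(summarize(SAMPLE).items()):
        print(requester, stats)
```

Run against a longer capture, the same summary shows whether the targets keep advancing without repeats or settle on a few hosts, which is the distinction the reply draws between a range scan and ordinary gateway ARP traffic.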
[expert] How to change IRQ number????
Hi,
I have LM 8.0 on my laptop and I have problems with PCMCIA card. It looks like sound card and PCMCIA card bus have the same IRQ number (according to the dmesg|more). I don't know if it is possible, but it looks like. System does recognize CardBus, but can't detect it or something like that. So I would like to change it, I want to make work my PCMCIA. Does anybody know how to change IRQ numbers? I was trying command cardctl and it doesn't work, just because there is no eth0 device... What shall I do???
Thanks for help.
X - A - W - K
[expert] Mouse locks up in KDE
When I click on an icon in KDE it locks up the pointer about 20% of the time. Since ctl-alt-bs or ctl-alt-del doesn't work at all I have to hit reset. It's pretty hard to get very far into an X session without having to hit reset. GPM is not installed on my machine.

This is a new Mandrake 8.0 install on a AMD K2-500 system which ran Mandrake 7.2 flawlessly. Plenty of memory and disk - and the hardware never glitches. The mouse is a Logitech optical ps/2 mouse.

My XF86Config-4 looks like this:

# Pointer Section
Section "InputDevice"
    Identifier "Mouse1"
    Driver "mouse"
    Option "Protocol" "IMPS/2"
    Option "Device" "/dev/psaux"
    Option "ZaxisMapping" "4 5"
#   Option "Emulate3Buttons"
#   Option "Emulate3Timeout" "50"
#   Option "ChordMiddle"
EndSection

Any help or comments would be greatly appreciated. The system is substantially unusable right now except in console mode.

Thanks, Larry Alkoff

Larry Alkoff N2LA - Austin TX