RE: [expert] Re: mysterious incoming packets
On Sun, 5 Aug 2001, Jose M. Sanchez wrote:

> If you want to "REALLY" see what's going on, open an Xterm Window and
> fire up "iptraf" (which runs in text mode) as the root user.
>
> In its configuration screen turn on PROMISCUOUS mode and Reverse DNS
> resolution.
>
> Then go to IP Traffic Monitor for the interface connected to your Cable
> modem.
>
> You'll see the ARP requests at the bottom, while any other TCP traffic
> at top, including source and destinations...
>
> And I'm also seeing a slew of ARP requests today... Which is nominal for
> @home

Yeah, ever since this all started, I have a constant 2+k activity on eth0,
still, and according to iptraf, they are virtually all ARP requests...as
well, my apache log shows constant hacking attempts. Is this all code red
generated activity, and if so, anyone have any idea how long it'll last?

peace,

Rog
Re: [expert] Re: mysterious incoming packets
On Sunday 05 August 2001 11:20, DM wrote:

> could this be really CODE RED in action? the worm
> scans the range of ips of an infected machine and
> verifies if there are MIIS lying around to conquer. i
> got a lot of those funny default.idaXXX something
> on my apache logs and they are coming from a variety
> of ip addresses ... of which when i try to check are
> either saying "hacked by chinese" or "page under
> construction".

So that's what all those "/default.ida?" and "/default.ida?" entries in my
access_log are...

--
Ron Johnson, Jr.     Home: [EMAIL PROTECTED]
Jefferson, LA USA    http://ronandheather.dhs.org

"Our computers and their computers are the same color. The
conversion should be no problem!"
    Unknown
Re: [expert] Re: mysterious incoming packets
DM wrote:
>
> could this be really CODE RED in action? the worm
> scans the range of ips of an infected machine and
> verifies if there are MIIS lying around to conquer. i
> got a lot of those funny default.idaXXX something
> on my apache logs and they are coming from a variety
> of ip addresses ... of which when i try to check are
> either saying "hacked by chinese" or "page under
> construction".
>
> well, just a thought
>
> --- Pierre Fortin <[EMAIL PROTECTED]> wrote:

I've noticed those too and with everything else going on in my life right
now, had not associated them to CODE RED...

Since the addresses are obviously bogus, and no dups, there is not much
chance of finding the perp yet... but I did add:

default.ida:
  You're starting to irritate me...! Go away

in all my virtual hosts... no need to add html codes... I know it probably
doesn't help anything; but I'm hoping the perp gets an unexpected response
and stops probing... I thought about returning a HUGE file of ASCII chars;
but that would just hose my uplink sending to innocent or nonexistent hosts
since the return IPs are bogus...

Not sure what these packets are really trying to do (haven't read the CODE
RED bio); but all the packets are different in the area that could be code.

Pierre
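To see how many distinct sources are behind the default.ida entries mentioned in the messages above, and whether any address comes back, the access_log can be tallied. This is an added example, not code from anyone in the thread; the log lines are constructed (documentation-range addresses, shortened query strings) and Common Log Format is assumed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed access_log lines in Common Log Format. Addresses come from the
# documentation ranges; the query strings are shortened placeholders.
SAMPLE_LOG = """\
192.0.2.10 - - [05/Aug/2001:09:14:02 -0500] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 276
198.51.100.7 - - [05/Aug/2001:09:14:40 -0500] "GET /index.html HTTP/1.0" 200 1043
203.0.113.55 - - [05/Aug/2001:09:20:11 -0500] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 276
198.51.100.99 - - [05/Aug/2001:10:02:37 -0500] "GET /DEFAULT.IDA?XXXXXXXX HTTP/1.0" 404 276
192.0.2.10 - - [05/Aug/2001:10:41:09 -0500] "GET /default.ida?XXXXXXXX HTTP/1.0" 200 48
203.0.113.8 - - [05/Aug/2001:10:45:00 -0500] "GET /docs/default.ida.html HTTP/1.0" 200 512
this line is not a log entry
"""

CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<day>[^:\]]+):(?P<hour>\d\d):[^\]]+\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+')


def ida_probes(log_text):
    """Yield (source, hour bucket, status) for each request to /default.ida."""
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # not a Common Log Format entry
        parts = m["request"].split()
        if len(parts) < 2:
            continue  # empty or truncated request line
        try:
            path = urlsplit(parts[1]).path
        except ValueError:
            continue  # request target that cannot be parsed as a URL
        # Compare the path only, so /docs/default.ida.html is not counted.
        if path.lower() == "/default.ida":
            yield m["host"], f'{m["day"]} {m["hour"]}:00', int(m["status"])


def summarize_ida(log_text):
    """Tally default.ida requests by source, by hour and by response status."""
    per_source, per_hour, statuses = Counter(), Counter(), Counter()
    for host, hour, status in ida_probes(log_text):
        per_source[host] += 1
        per_hour[hour] += 1
        statuses[status] += 1  # 200 means a file named default.ida was served
    return {
        "hits": sum(per_source.values()),
        "distinct_sources": len(per_source),
        "repeat_sources": sorted(h for h, n in per_source.items() if n > 1),
        "per_hour": dict(per_hour),
        "statuses": dict(statuses),
    }


if __name__ == "__main__":
    for key, value in summarize_ida(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```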
Re: [expert] Re: mysterious incoming packets
could this be really CODE RED in action? the worm
scans the range of ips of an infected machine and
verifies if there are MIIS lying around to conquer. i
got a lot of those funny default.idaXXX something
on my apache logs and they are coming from a variety
of ip addresses ... of which when i try to check are
either saying "hacked by chinese" or "page under
construction".

well, just a thought

--- Pierre Fortin <[EMAIL PROTECTED]> wrote:
> Glenn Johnson wrote:
> >
> > Why would these arp requests occur as a steady stream, all going to
> > primarily one machine it looks like? This just started today. I
> > usually see an occasional flash of the activity light on the cable modem
> > but the activity light is almost burning steady now. Here is a snippet
> > of output from tcpdump.
> >
> > 23:11:45.429645 arp who-has 24.158.211.28 tell 24.158.208.1
> > 23:11:45.597693 arp who-has 24.158.211.128 tell 24.158.208.1
> > 23:11:45.603525 arp who-has 24.158.209.52 tell 24.158.208.1
> > 23:11:45.648017 arp who-has 24.158.213.195 tell 24.158.208.1
> > 23:11:45.701103 arp who-has 24.158.213.186 tell 24.158.208.1
> > 23:11:45.799656 arp who-has 24.158.208.6 tell 24.158.208.1
> > 23:11:45.803653 arp who-has 24.158.208.213 tell 24.158.208.1
> > 23:11:45.807188 arp who-has 24.158.213.2 tell 24.158.208.1
> > 23:11:45.814144 arp who-has 24.158.211.254 tell 24.158.208.1
> > 23:11:45.833711 arp who-has 24.158.213.253 tell 24.158.208.1
> > 23:11:45.856152 arp who-has 24.158.210.61 tell 24.158.208.1
> > 23:11:45.906593 arp who-has 24.158.210.26 tell 24.158.208.1
> > 23:11:45.943625 arp who-has 24.158.223.226 tell 24.158.223.129
> > 23:11:45.949866 arp who-has 24.158.222.24 tell 24.158.222.1
> > 23:11:45.966988 arp who-has 24.158.212.132 tell 24.158.208.1
> > 23:11:46.052650 arp who-has 24.158.212.103 tell 24.158.208.1
> > 23:11:46.065411 arp who-has 24.158.220.82 tell 24.158.220.1
> > 23:11:46.156773 arp who-has 24.158.220.139 tell 24.158.220.1
> > 23:11:46.164731 arp who-has 24.158.215.52 tell 24.158.208.1
> > 23:11:46.169593 arp who-has 24.158.209.195 tell 24.158.208.1
> >
> > It seems to me that there is some problem here. How would you suggest I
> > approach the cable company with this information?
>
> This is not TO 24.158.208.1, rather FROM... this indicates that there is
> traffic coming from "out there" into your segment looking for the IPs in the
> left column... since there are no duplicates in that sample, it appears
> someone is scanning the range... but scanning with only one packet does
> nothing for the scanning host, it just fills the router's (24.158.208.1) arp
> cache... the router waits for the next packet... if it comes, and there's a
> cache entry, the scanner's packet will reach the target host (you?)... if it
> doesn't come, the cache will timeout and flush the entry eventually. If the
> scan cycle is longer than the ARP cache timeout, it's just a waste of
> bandwidth...
>
> Unless you see the next packet from the scanner, only the router knows the
> scanner's IP (likely forged) for the brief time it converts that packet into
> an ARP if there's no arp entry for the target host. If there is an entry,
> then you could see the scanner's IP.
>
> If one was to write an arpresponder (had one many years ago to overcome a
> network topology issue), it would cause havoc on this type of network...
> unless you can also see the unicast ARP replies, you can't tell if the host
> really exists from your vantage point. If you send an ARP reply for the
> ARPed for host, one of two things will happen...
> 1. you respond first; no problem, since the last ARP reply seen is used.
> 2. you respond later; you own the IP address (unless someone else also
>    steals it or the real target is really slow to respond...
>
> Trying to steal IPs this way is a crap shoot trying to get in last and
> before the first real data packet which quickly follows...
>
> HTH,
> Pierre
>
> PS: Sorry I've been quiet lately... lots of personal issues...
Re: [expert] Re: mysterious incoming packets
At 10:57 AM 08/05/2001 -0400, Pierre Fortin wrote:
>Glenn Johnson wrote:
>>
>> Why would these arp requests occur as a steady stream, all going to
>> primarily one machine it looks like? This just started today. I
>> usually see an occasional flash of the activity light on the cable modem
>> but the activity light is almost burning steady now. Here is a snippet
>> of output from tcpdump.

This could be much worse...We get all kinds of arp, netbios, smb, and ipx /
spx traffic on our nic from an entire campus network (something like 4-5,000
nodes). Some 100+ packets are "seen" on our nic every second. Since we never
respond to the majority of these packets, it isn't a big deal and it is
normal.

Now if only they would get rid of the netbios traffic (which our IT group
says accounts for between 40-50% of all network traffic)

Michael

--
Michael Viron
Registered Linux User #81978
Senior Systems & Administration Consultant
Web Spinners, University of West Florida
Re: [expert] Re: mysterious incoming packets
Glenn Johnson wrote:
>
> Why would these arp requests occur as a steady stream, all going to
> primarily one machine it looks like? This just started today. I
> usually see an occasional flash of the activity light on the cable modem
> but the activity light is almost burning steady now. Here is a snippet
> of output from tcpdump.
>
> 23:11:45.429645 arp who-has 24.158.211.28 tell 24.158.208.1
> 23:11:45.597693 arp who-has 24.158.211.128 tell 24.158.208.1
> 23:11:45.603525 arp who-has 24.158.209.52 tell 24.158.208.1
> 23:11:45.648017 arp who-has 24.158.213.195 tell 24.158.208.1
> 23:11:45.701103 arp who-has 24.158.213.186 tell 24.158.208.1
> 23:11:45.799656 arp who-has 24.158.208.6 tell 24.158.208.1
> 23:11:45.803653 arp who-has 24.158.208.213 tell 24.158.208.1
> 23:11:45.807188 arp who-has 24.158.213.2 tell 24.158.208.1
> 23:11:45.814144 arp who-has 24.158.211.254 tell 24.158.208.1
> 23:11:45.833711 arp who-has 24.158.213.253 tell 24.158.208.1
> 23:11:45.856152 arp who-has 24.158.210.61 tell 24.158.208.1
> 23:11:45.906593 arp who-has 24.158.210.26 tell 24.158.208.1
> 23:11:45.943625 arp who-has 24.158.223.226 tell 24.158.223.129
> 23:11:45.949866 arp who-has 24.158.222.24 tell 24.158.222.1
> 23:11:45.966988 arp who-has 24.158.212.132 tell 24.158.208.1
> 23:11:46.052650 arp who-has 24.158.212.103 tell 24.158.208.1
> 23:11:46.065411 arp who-has 24.158.220.82 tell 24.158.220.1
> 23:11:46.156773 arp who-has 24.158.220.139 tell 24.158.220.1
> 23:11:46.164731 arp who-has 24.158.215.52 tell 24.158.208.1
> 23:11:46.169593 arp who-has 24.158.209.195 tell 24.158.208.1
>
> It seems to me that there is some problem here. How would you suggest I
> approach the cable company with this information?

This is not TO 24.158.208.1, rather FROM... this indicates that there is
traffic coming from "out there" into your segment looking for the IPs in the
left column... since there are no duplicates in that sample, it appears
someone is scanning the range... but scanning with only one packet does
nothing for the scanning host, it just fills the router's (24.158.208.1) arp
cache... the router waits for the next packet... if it comes, and there's a
cache entry, the scanner's packet will reach the target host (you?)... if it
doesn't come, the cache will timeout and flush the entry eventually. If the
scan cycle is longer than the ARP cache timeout, it's just a waste of
bandwidth...

Unless you see the next packet from the scanner, only the router knows the
scanner's IP (likely forged) for the brief time it converts that packet into
an ARP if there's no arp entry for the target host. If there is an entry,
then you could see the scanner's IP.

If one was to write an arpresponder (had one many years ago to overcome a
network topology issue), it would cause havoc on this type of network...
unless you can also see the unicast ARP replies, you can't tell if the host
really exists from your vantage point. If you send an ARP reply for the
ARPed for host, one of two things will happen...
1. you respond first; no problem, since the last ARP reply seen is used.
2. you respond later; you own the IP address (unless someone else also
   steals it or the real target is really slow to respond...

Trying to steal IPs this way is a crap shoot trying to get in last and
before the first real data packet which quickly follows...

HTH,
Pierre

PS: Sorry I've been quiet lately... lots of personal issues...
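The pattern Pierre reads off Glenn's capture (one requester, no repeated targets) can be checked mechanically. This is an added example, not code from anyone in the thread; it runs over the tcpdump lines Glenn posted, and the 60-byte frame size and the sweep thresholds are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import IPv4Address

# The tcpdump lines Glenn posted in this thread, copied as-is.
CAPTURE = """\
23:11:45.429645 arp who-has 24.158.211.28 tell 24.158.208.1
23:11:45.597693 arp who-has 24.158.211.128 tell 24.158.208.1
23:11:45.603525 arp who-has 24.158.209.52 tell 24.158.208.1
23:11:45.648017 arp who-has 24.158.213.195 tell 24.158.208.1
23:11:45.701103 arp who-has 24.158.213.186 tell 24.158.208.1
23:11:45.799656 arp who-has 24.158.208.6 tell 24.158.208.1
23:11:45.803653 arp who-has 24.158.208.213 tell 24.158.208.1
23:11:45.807188 arp who-has 24.158.213.2 tell 24.158.208.1
23:11:45.814144 arp who-has 24.158.211.254 tell 24.158.208.1
23:11:45.833711 arp who-has 24.158.213.253 tell 24.158.208.1
23:11:45.856152 arp who-has 24.158.210.61 tell 24.158.208.1
23:11:45.906593 arp who-has 24.158.210.26 tell 24.158.208.1
23:11:45.943625 arp who-has 24.158.223.226 tell 24.158.223.129
23:11:45.949866 arp who-has 24.158.222.24 tell 24.158.222.1
23:11:45.966988 arp who-has 24.158.212.132 tell 24.158.208.1
23:11:46.052650 arp who-has 24.158.212.103 tell 24.158.208.1
23:11:46.065411 arp who-has 24.158.220.82 tell 24.158.220.1
23:11:46.156773 arp who-has 24.158.220.139 tell 24.158.220.1
23:11:46.164731 arp who-has 24.158.215.52 tell 24.158.208.1
23:11:46.169593 arp who-has 24.158.209.195 tell 24.158.208.1
"""

WHO_HAS = re.compile(
    r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) arp who-has (\S+) tell (\S+)$")
FRAME_BYTES = 60  # assumption: minimum Ethernet frame, FCS not counted


def parse(capture):
    """Yield (time in microseconds since midnight, target, requester)."""
    for raw in capture.splitlines():
        m = WHO_HAS.match(raw.strip())
        if not m:
            continue  # skip replies, IP traffic and anything malformed
        h, mi, s, us = (int(x) for x in m.groups()[:4])
        try:
            target, requester = IPv4Address(m[5]), IPv4Address(m[6])
        except ValueError:
            continue  # tcpdump printed a name instead of an address
        yield ((h * 60 + mi) * 60 + s) * 1_000_000 + us, target, requester


def summarize_arp(capture):
    """Per-requester counts plus the overall request rate of the capture."""
    targets, times = defaultdict(list), []
    for t, target, requester in parse(capture):
        targets[requester].append(target)
        times.append(t)
    span_us = max(times) - min(times) if times else 0  # ignores midnight wrap
    rate = len(times) * 1_000_000 / span_us if span_us else 0.0
    requesters = {}
    for req, seen in targets.items():
        uniq = set(seen)
        requesters[str(req)] = {
            "requests": len(seen),
            "unique_targets": len(uniq),
            "repeats": len(seen) - len(uniq),
            "lowest": str(min(uniq)),
            "highest": str(max(uniq)),
        }
    return {"total": len(times), "span_us": span_us, "per_second": rate,
            "est_bytes_per_second": rate * FRAME_BYTES,
            "requesters": requesters}


def sweep_like(stats, min_requests=10):
    """Assumed heuristic: many requests from one source, none repeated."""
    return stats["requests"] >= min_requests and stats["repeats"] == 0


if __name__ == "__main__":
    report = summarize_arp(CAPTURE)
    print(f'{report["total"]} requests, {report["per_second"]:.1f}/s, '
          f'~{report["est_bytes_per_second"]:.0f} bytes/s')
    for req, st in sorted(report["requesters"].items()):
        flag = "sweep-like" if sweep_like(st) else "ordinary"
        print(f'{req:>15}  {st["requests"]:2d} requests  '
              f'{st["repeats"]} repeats  {st["lowest"]}..{st["highest"]}  {flag}')
```

On the posted sample, 16 of the 20 requests come from 24.158.208.1 with no target repeated, at about 27 requests per second overall.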
RE: [expert] Re: mysterious incoming packets
If you want to "REALLY" see what's going on, open an Xterm Window and fire
up "iptraf" (which runs in text mode) as the root user.

In its configuration screen turn on PROMISCUOUS mode and Reverse DNS
resolution.

Then go to IP Traffic Monitor for the interface connected to your Cable
modem.

You'll see the ARP requests at the bottom, while any other TCP traffic at
top, including source and destinations...

And I'm also seeing a slew of ARP requests today... Which is nominal for
@home

-JMS

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roger Sherman
Sent: Sunday, August 05, 2001 3:47 AM
To: 'Glenn Johnson'
Cc: Jose M. Sanchez; 'Brandon Caudle'; [EMAIL PROTECTED]
Subject: Re: [expert] Re: mysterious incoming packets

On Sun, 5 Aug 2001, 'Glenn Johnson' wrote:

> On Sun, Aug 05, 2001 at 01:06:12AM -0400, Jose M. Sanchez wrote:
>
> > It's unlikely that this is a problem given the relatively low ARP
> > rate you are getting.
> >
> > A normal Cable modem "node" may have over 10,000 users.
> >
> > The head-end system has to update its table of available
> > (connected) IP's almost constantly.
> >
> > If you call the cable company, all you are going to get will be a
> >
> > "yeah, well, this is normal." response...
>
> Well, that may be the case. The thing is though, it is not normal. I
> have had this cable modem service for about a year and this is the
> first time I have seen this behavior. Even today, this morning
> everything was normal (no activity) then at about noon CST the arp
> requests started flooding in.

I'm having the same phenomenon occur...I don't know if it's the ARP thing
you are talking about, but all day long gkrellm has been showing around 2k
on eth0 (I too have a cable modem). Before last night, that never happened
before. I'd see minuscule rates from time to time, for a moment, but never
anywhere near 1k...

peace,

Rog
Re: [expert] Re: mysterious incoming packets
On Sun, 5 Aug 2001, 'Glenn Johnson' wrote:

> On Sun, Aug 05, 2001 at 01:06:12AM -0400, Jose M. Sanchez wrote:
>
> > It's unlikely that this is a problem given the relatively low ARP rate
> > you are getting.
> >
> > A normal Cable modem "node" may have over 10,000 users.
> >
> > The head-end system has to update its table of available (connected)
> > IP's almost constantly.
> >
> > If you call the cable company, all you are going to get will be a
> >
> > "yeah, well, this is normal." response...
>
> Well, that may be the case. The thing is though, it is not normal. I
> have had this cable modem service for about a year and this is the first
> time I have seen this behavior. Even today, this morning everything was
> normal (no activity) then at about noon CST the arp requests started
> flooding in.

I'm having the same phenomenon occur...I don't know if it's the ARP thing
you are talking about, but all day long gkrellm has been showing around 2k
on eth0 (I too have a cable modem). Before last night, that never happened
before. I'd see minuscule rates from time to time, for a moment, but never
anywhere near 1k...

peace,

Rog
Re: [expert] Re: mysterious incoming packets
Here are some articles

Cable modems transmitting Ethernet broadcast packets to every subscriber on
the neighborhood are a significant vulnerability, easily exploited by a
technically savvy attacker. For example, using a freely available program
called "arpwatch," I can scan for the ARP packets and detect how many
subscribers are on my cable segment. Since MediaOne has assigned host names
that look a lot like user names (e.g. sjones.ne.mediaone.net), I can learn
the names of my cyber-neighbors. I can also learn when the ARP packets are
sent, and establish when my neighbors are using their computers -- and when
they are at work.

The ARP problem, meanwhile, will be solved by the next-generation cable
modems that implement the so-called DOCSIS 1.1 protocol. Instead of
broadcasting ARP packets over the entire cable segment, DOCSIS 1.1 makes
sure that each customer will only see the ARP messages intended for his or
her machine. As an added protection, DOCSIS 1.1 is capable of encrypting all
information sent over the cable itself, with a separate encryption key for
each customer. This security measure prevents an attacker from splicing
their own cable modem into the backbone, the way that some people used to
hook up unauthorized cable decoders to get free cable TV service

A third issue with large bridging networks concerns security and what is
known as Address Resolution Protocol, or ARP. In a bridging network, a
broadcast is issued to every user-perhaps thousands-to locate a particular
address. But perhaps another user chooses to write a simple program that
listens for broadcast requests and erroneously replies that it is the
intended recipient. This "hacker" can continue to intercept Bob's messages
as long as he or she wishes, and nothing in the network will automatically
prevent it.

Brandon Caudle
--
15yr Old Avid Unix User (HP-UX,FreeBSD,Linux)

>From: "'Glenn Johnson'" <[EMAIL PROTECTED]>
>To: "Jose M. Sanchez" <[EMAIL PROTECTED]>
>CC: "'Brandon Caudle'" <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
>Subject: Re: [expert] Re: mysterious incoming packets
>Date: Sun, 5 Aug 2001 00:33:11 -0500
>
>On Sun, Aug 05, 2001 at 01:06:12AM -0400, Jose M. Sanchez wrote:
>
> > It's unlikely that this is a problem given the relatively low ARP rate
> > you are getting.
> >
> > A normal Cable modem "node" may have over 10,000 users.
> >
> > The head-end system has to update its table of available (connected)
> > IP's almost constantly.
> >
> > If you call the cable company, all you are going to get will be a
> >
> > "yeah, well, this is normal." response...
>
>Well, that may be the case. The thing is though, it is not normal. I
>have had this cable modem service for about a year and this is the first
>time I have seen this behavior. Even today, this morning everything was
>normal (no activity) then at about noon CST the arp requests started
>flooding in.
>
>--
>Glenn Johnson
>[EMAIL PROTECTED]
Re: [expert] Re: mysterious incoming packets
I am on the @home network and have been receiving this same activity all day
since around 2pm MST. I imagine they (@home) are having some type of
internal problem. My activity light has been glowing the same as yours. I
wouldn't worry about it. I

John
RE: [expert] Re: mysterious incoming packets
I've found that if one of the DHCP servers at the head end is unable to find
a route to other nodes it's expecting, an ARP flood will occur (at least
with @home and other providers) as the routers try to figure out where
everyone is.

Since they don't receive the expected response, they keep retransmitting
until the problem is fixed.

Normally this tells me that the upstream connection is screwed up and not to
expect ANY successful connections to the internet outside of my ISP.

It may be that they have a somewhat localized problem that is not fully
impacting you.

I'd not worry too much about it. While annoying (I wish you could see the
traffic on mine!) it doesn't really affect your throughput, as your machine
will only respond if it is getting a REAL arp request to it.

You could filter these out, but why bother? Your computer doesn't answer
anyway.

-JMS

-----Original Message-----
From: 'Glenn Johnson' [mailto:[EMAIL PROTECTED]]
Sent: Sunday, August 05, 2001 1:33 AM
To: Jose M. Sanchez
Cc: 'Brandon Caudle'; [EMAIL PROTECTED]
Subject: Re: [expert] Re: mysterious incoming packets

On Sun, Aug 05, 2001 at 01:06:12AM -0400, Jose M. Sanchez wrote:

> It's unlikely that this is a problem given the relatively low ARP rate
> you are getting.
>
> A normal Cable modem "node" may have over 10,000 users.
>
> The head-end system has to update its table of available (connected)
> IP's almost constantly.
>
> If you call the cable company, all you are going to get will be a
>
> "yeah, well, this is normal." response...

Well, that may be the case. The thing is though, it is not normal. I have
had this cable modem service for about a year and this is the first time I
have seen this behavior. Even today, this morning everything was normal (no
activity) then at about noon CST the arp requests started flooding in.

--
Glenn Johnson
[EMAIL PROTECTED]
Re: [expert] Re: mysterious incoming packets
On Sun, Aug 05, 2001 at 01:06:12AM -0400, Jose M. Sanchez wrote:

> It's unlikely that this is a problem given the relatively low ARP rate
> you are getting.
>
> A normal Cable modem "node" may have over 10,000 users.
>
> The head-end system has to update its table of available (connected)
> IP's almost constantly.
>
> If you call the cable company, all you are going to get will be a
>
> "yeah, well, this is normal." response...

Well, that may be the case. The thing is though, it is not normal. I have
had this cable modem service for about a year and this is the first time I
have seen this behavior. Even today, this morning everything was normal (no
activity) then at about noon CST the arp requests started flooding in.

--
Glenn Johnson
[EMAIL PROTECTED]
RE: [expert] Re: mysterious incoming packets
It's unlikely that this is a problem given the relatively low ARP rate you
are getting.

A normal Cable modem "node" may have over 10,000 users.

The head-end system has to update its table of available (connected) IP's
almost constantly.

If you call the cable company, all you are going to get will be a

"yeah, well, this is normal." response...

-JMS

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Glenn Johnson
Sent: Sunday, August 05, 2001 12:21 AM
To: Brandon Caudle
Cc: [EMAIL PROTECTED]
Subject: Re: [expert] Re: mysterious incoming packets

On Sat, Aug 04, 2001 at 08:18:05PM -0400, Brandon Caudle wrote:

> before you start to bug your cable company about arp packets you
> should know what they do.
>
> An ARP reply packet contains the hardware and protocol address of the
> machine being booted so that other machines can record its address
> resolution for future use.
>
> I have this same issue but I have a dsl and a local network I unplugged
> the dsl from the linksys router and the arp packets were still being
> broadcast so no worry if you have a local lan.

Why would these arp requests occur as a steady stream, all going to
primarily one machine it looks like? This just started today. I usually see
an occasional flash of the activity light on the cable modem but the
activity light is almost burning steady now. Here is a snippet of output
from tcpdump.

23:11:45.429645 arp who-has 24.158.211.28 tell 24.158.208.1
23:11:45.597693 arp who-has 24.158.211.128 tell 24.158.208.1
23:11:45.603525 arp who-has 24.158.209.52 tell 24.158.208.1
23:11:45.648017 arp who-has 24.158.213.195 tell 24.158.208.1
23:11:45.701103 arp who-has 24.158.213.186 tell 24.158.208.1
23:11:45.799656 arp who-has 24.158.208.6 tell 24.158.208.1
23:11:45.803653 arp who-has 24.158.208.213 tell 24.158.208.1
23:11:45.807188 arp who-has 24.158.213.2 tell 24.158.208.1
23:11:45.814144 arp who-has 24.158.211.254 tell 24.158.208.1
23:11:45.833711 arp who-has 24.158.213.253 tell 24.158.208.1
23:11:45.856152 arp who-has 24.158.210.61 tell 24.158.208.1
23:11:45.906593 arp who-has 24.158.210.26 tell 24.158.208.1
23:11:45.943625 arp who-has 24.158.223.226 tell 24.158.223.129
23:11:45.949866 arp who-has 24.158.222.24 tell 24.158.222.1
23:11:45.966988 arp who-has 24.158.212.132 tell 24.158.208.1
23:11:46.052650 arp who-has 24.158.212.103 tell 24.158.208.1
23:11:46.065411 arp who-has 24.158.220.82 tell 24.158.220.1
23:11:46.156773 arp who-has 24.158.220.139 tell 24.158.220.1
23:11:46.164731 arp who-has 24.158.215.52 tell 24.158.208.1
23:11:46.169593 arp who-has 24.158.209.195 tell 24.158.208.1

It seems to me that there is some problem here. How would you suggest I
approach the cable company with this information?
Re: [expert] Re: mysterious incoming packets
On Sat, Aug 04, 2001 at 08:18:05PM -0400, Brandon Caudle wrote:

> before you start to bug your cable company about arp packets you
> should know what they do.
>
> An ARP reply packet contains the hardware and protocol address of the
> machine being booted so that other machines can record its address
> resolution for future use.
>
> I have this same issue but I have a dsl and a local network I unplugged
> the dsl from the linksys router and the arp packets were still being
> broadcast so no worry if you have a local lan.

Why would these arp requests occur as a steady stream, all going to
primarily one machine it looks like? This just started today. I usually see
an occasional flash of the activity light on the cable modem but the
activity light is almost burning steady now. Here is a snippet of output
from tcpdump.

23:11:45.429645 arp who-has 24.158.211.28 tell 24.158.208.1
23:11:45.597693 arp who-has 24.158.211.128 tell 24.158.208.1
23:11:45.603525 arp who-has 24.158.209.52 tell 24.158.208.1
23:11:45.648017 arp who-has 24.158.213.195 tell 24.158.208.1
23:11:45.701103 arp who-has 24.158.213.186 tell 24.158.208.1
23:11:45.799656 arp who-has 24.158.208.6 tell 24.158.208.1
23:11:45.803653 arp who-has 24.158.208.213 tell 24.158.208.1
23:11:45.807188 arp who-has 24.158.213.2 tell 24.158.208.1
23:11:45.814144 arp who-has 24.158.211.254 tell 24.158.208.1
23:11:45.833711 arp who-has 24.158.213.253 tell 24.158.208.1
23:11:45.856152 arp who-has 24.158.210.61 tell 24.158.208.1
23:11:45.906593 arp who-has 24.158.210.26 tell 24.158.208.1
23:11:45.943625 arp who-has 24.158.223.226 tell 24.158.223.129
23:11:45.949866 arp who-has 24.158.222.24 tell 24.158.222.1
23:11:45.966988 arp who-has 24.158.212.132 tell 24.158.208.1
23:11:46.052650 arp who-has 24.158.212.103 tell 24.158.208.1
23:11:46.065411 arp who-has 24.158.220.82 tell 24.158.220.1
23:11:46.156773 arp who-has 24.158.220.139 tell 24.158.220.1
23:11:46.164731 arp who-has 24.158.215.52 tell 24.158.208.1
23:11:46.169593 arp who-has 24.158.209.195 tell 24.158.208.1

It seems to me that there is some problem here. How would you suggest I
approach the cable company with this information?

> >From: Glenn Johnson <[EMAIL PROTECTED]>
> >To: Mandrake Expert <[EMAIL PROTECTED]>
> >Subject: [expert] Re: mysterious incoming packets
> >Date: Sat, 4 Aug 2001 16:43:45 -0500
> >
> >On Sat, Aug 04, 2001 at 04:24:30PM -0500, Glenn Johnson wrote:
> >
> > > I have Mandrake 8.0 with the bastille firewall set up. Today, I
> > > noticed that I have a pretty steady stream of incoming packets
> > > coming across the interface that is plugged into the cable modem,
> > > although I am not doing anything on the Internet. According
> > > to gkrellm, it is about 1.0-1.2KBps. The activity light on my
> > > cable modem is blinking pretty steadily although there is no
> > > traffic initiated by me. Could someone help me diagnose where
> > > this traffic is coming from?
> >
> >I installed tcpdump and used that to monitor the interface. I am
> >getting a steady stream of arp requests. I do not remember ever
> >seeing this before. Is this something I need to bug the cable
> >company about?

--
Glenn Johnson
[EMAIL PROTECTED]
Re: [expert] Re: mysterious incoming packets
before you start to bug your cable company about arp packets you should know
what they do.

An ARP reply packet contains the hardware and protocol address of the
machine being booted so that other machines can record its address
resolution for future use.

I have this same issue but I have a dsl and a local network I unplugged the
dsl from the linksys router and the arp packets were still being broadcast
so no worry if you have a local lan.

Brandon Caudle
--
15yr Old Avid Unix User (HP-UX,FreeBSD,Linux)

>From: Glenn Johnson <[EMAIL PROTECTED]>
>To: Mandrake Expert <[EMAIL PROTECTED]>
>Subject: [expert] Re: mysterious incoming packets
>Date: Sat, 4 Aug 2001 16:43:45 -0500
>
>On Sat, Aug 04, 2001 at 04:24:30PM -0500, Glenn Johnson wrote:
>
> > I have Mandrake 8.0 with the bastille firewall set up. Today, I
> > noticed that I have a pretty steady stream of incoming packets coming
> > across the interface that is plugged into the cable modem, although I
> > am not doing anything on the Internet. According to gkrellm, it is
> > about 1.0-1.2KBps. The activity light on my cable modem is blinking
> > pretty steadily although there is no traffic initiated by me. Could
> > someone help me diagnose where this traffic is coming from?
>
>I installed tcpdump and used that to monitor the interface. I am
>getting a steady stream of arp requests. I do not remember ever seeing
>this before. Is this something I need to bug the cable company about?
>
>Thanks.
>
>--
>Glenn Johnson
>[EMAIL PROTECTED]