[Dshield] Anyone seen
Jon R. Kibler
Jon.Kibler at aset.com
Tue Feb 24 23:00:06 GMT 2004
Daugherty Bryan wrote:
> I started seeing ARP broadcast (from various IPs on my network) last week
> using ethereal.
ARP packets (and RARP packets) can only occur on your local Ethernet LAN segment. They are not routable on the Internet.
To communicate on Ethernet, systems do not actually use the IP address of the destination system directly. Rather, they use the 48-bit Media Access Control (MAC) address to determine the destination (with the destination being an individual port on a NIC). ARP and RARP packets serve to translate between IP and MAC addresses. An ARP request says "I need to know the MAC address for IP x.x.x.x." and an RARP request says "My MAC address is xx:xx:xx:xx:xx:xx -- who knows what my IP address should be?"
In the for-what-it-is-worth category, the BOOTP (Boot Protocol -- used for remote booting) is a superset of RARP, and the DHCP protocol is a superset of RARP but a subset of BOOTP.
So, bottom line, ARP packets just indicate that a system wants to communicate with another system on your LAN with which the ARP-ing system has not previously communicated (or, at least, not within the lifetime of its ARP cache).
Also, the fact that you are seeing a lot of ARP packets is a MAJOR RED FLAG of another problem -- you are using shared Ethernet -- which is a MAJOR security risk. You really should replace all of your hubs with switches -- or, at least in the future, only buy switches.
With a switch, the only traffic a given port can see is traffic specifically to that port. That means that you can only see traffic to the IP address(es) of that port, Multicast traffic, and Broadcast traffic. No more snooping on everything else that occurs on the network!
Hope this helps!
Jon R. Kibler
Chief Technical Officer
Charleston, SC USA
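As an added illustration of the request/reply exchange described in the message above (this is example code written for this page, not something the poster or the list supplied), the following Python builds and decodes Ethernet frames carrying ARP and RARP packets, prints them tcpdump-style ("who-has ... tell ..." / "... is-at ..."), and keeps a small ARP cache from the frames it sees so that an IP address that suddenly answers from a different MAC is noticed. All MAC and IP addresses in it are constructed sample values, and the frames are assembled in memory rather than captured off a wire.

```python
"""Build, parse and track ARP/RARP frames (added example; all sample
addresses below are constructed, not real captured traffic)."""
import struct

ETH_P_ARP = 0x0806   # EtherType for ARP (RFC 826)
ETH_P_RARP = 0x8035  # EtherType for RARP (RFC 903)
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

# ARP "operation" field values shared by ARP and RARP
OPCODES = {1: "ARP request", 2: "ARP reply", 3: "RARP request", 4: "RARP reply"}


def mac_to_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def bytes_to_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_to_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def build_frame(opcode, sender_mac, sender_ip, target_mac, target_ip, dst_mac=None):
    """Return a 42-byte Ethernet frame (14-byte header + 28-byte ARP body).

    Requests (opcodes 1 and 3) are broadcast by default; replies are sent
    straight to the target's MAC, which is why a switch only delivers them
    to the single port that asked."""
    ethertype = ETH_P_RARP if opcode in (3, 4) else ETH_P_ARP
    if dst_mac is None:
        dst_mac = BROADCAST_MAC if opcode in (1, 3) else target_mac
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(sender_mac) + struct.pack("!H", ethertype)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, oper
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    return eth + arp


def parse_frame(frame):
    """Decode an Ethernet frame into a dict, rejecting anything that is
    not an Ethernet/IPv4 ARP or RARP packet."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype not in (ETH_P_ARP, ETH_P_RARP):
        raise ValueError(f"not ARP/RARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported hardware/protocol address types")
    body = frame[22:42]
    return {
        "dst_mac": bytes_to_mac(dst),
        "src_mac": bytes_to_mac(src),
        "ethertype": ethertype,
        "opcode": oper,
        "op_name": OPCODES.get(oper, f"unknown ({oper})"),
        "sender_mac": bytes_to_mac(body[0:6]),
        "sender_ip": bytes_to_ip(body[6:10]),
        "target_mac": bytes_to_mac(body[10:16]),
        "target_ip": bytes_to_ip(body[16:20]),
    }


def describe(pkt):
    """One-line summary in the style tcpdump/ethereal use."""
    if pkt["opcode"] == 1:
        return f"who-has {pkt['target_ip']} tell {pkt['sender_ip']}"
    if pkt["opcode"] == 2:
        return f"{pkt['sender_ip']} is-at {pkt['sender_mac']}"
    if pkt["opcode"] == 3:
        return f"rarp who-is {pkt['target_mac']} tell {pkt['sender_mac']}"
    if pkt["opcode"] == 4:
        return f"rarp reply {pkt['target_mac']} at {pkt['target_ip']}"
    return pkt["op_name"]


class ArpCache:
    """Learn IP -> MAC from the sender fields of ARP packets, as a host's
    ARP cache does, and report when a known IP shows up with a new MAC."""

    def __init__(self):
        self.table = {}

    def learn(self, pkt):
        """Return None, or (ip, old_mac, new_mac) when the mapping changed."""
        if pkt["ethertype"] != ETH_P_ARP:
            return None  # RARP senders do not carry a usable IP yet
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        old = self.table.get(ip)
        self.table[ip] = mac
        if old is not None and old != mac:
            return (ip, old, mac)
        return None


if __name__ == "__main__":
    cache = ArpCache()
    req = build_frame(1, "00:11:22:33:44:55", "192.168.1.10",
                      "00:00:00:00:00:00", "192.168.1.20")
    rep = build_frame(2, "66:77:88:99:aa:bb", "192.168.1.20",
                      "00:11:22:33:44:55", "192.168.1.10")
    for frame in (req, rep):
        pkt = parse_frame(frame)
        print(f"{pkt['src_mac']} > {pkt['dst_mac']}: {describe(pkt)}")
        cache.learn(pkt)
```

Run it as a script to see the request go to ff:ff:ff:ff:ff:ff and the reply go unicast to the requester; feed `parse_frame` the bytes of frames pulled from a capture to decode real traffic, and watch the return value of `ArpCache.learn` for an address that changes hands.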