[Dshield] Anyone seen

Jeff Kell jeff-kell at utc.edu
Wed Feb 25 04:57:57 GMT 2004


Jon R. Kibler wrote:

>> I started seeing ARP broadcast (from various IPs on my network)
>> last week using ethereal.

> Also, the fact that you are seeing a lot of ARP packets is a MAJOR
> RED FLAG of another problem -- you are using shared Ethernet -- which
> is a MAJOR security risk. You really should replace all of your hubs
> with switches -- or, at least in the future, only buy switches.

Not so fast.  Initial ARPs are broadcast (ff-ff-ff-ff-ff-ff) and will go 
to every host, even on a switch.  A switch or router may proxy a reply, 
but it is perfectly normal to hear broadcast ARPs.

Now if you receive *unicast* ARPs, or unsolicited unicast ARP replies, 
somebody on your segment is probably running ettercap or dsniff.

Jeff
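
Added example, not part of the original post: a small Python checker that applies the distinction drawn above to captured Ethernet frames, staying quiet on broadcast ARP requests and flagging unicast ARP requests and unicast replies that answer no recent request. The function names, the 2-second matching window and the sample frames (documentation IP addresses, locally administered MACs) are assumptions constructed for the illustration.

```python
import socket
import struct

BCAST, REQUEST, REPLY = b"\xff" * 6, 1, 2

def build(dst, src, op, spa, tha, tpa):
    """Build an Ethernet II + ARP frame (used only for the constructed sample)."""
    hdr = dst + src + struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, op)
    return hdr + src + socket.inet_aton(spa) + tha + socket.inet_aton(tpa)

def parse_arp(frame):
    """Return (dst, op, sha, spa, tpa) for IPv4-over-Ethernet ARP, else None."""
    if len(frame) < 42:
        return None
    etype, htype, ptype, hlen, plen, op = struct.unpack("!HHHBBH", frame[12:22])
    if (etype, htype, ptype, hlen, plen) != (0x0806, 1, 0x0800, 6, 4):
        return None
    return (frame[0:6], op, frame[22:28],
            socket.inet_ntoa(frame[28:32]), socket.inet_ntoa(frame[38:42]))

def audit(frames, window=2.0):
    """frames: iterable of (timestamp, raw bytes). Returns [(timestamp, finding)]."""
    pending, findings = {}, []          # pending: (asker_ip, target_ip) -> request time
    for ts, raw in frames:
        arp = parse_arp(raw)
        if arp is None:
            continue
        dst, op, sha, spa, tpa = arp
        if op == REQUEST:
            pending[(spa, tpa)] = ts
            if dst != BCAST:            # broadcast who-has is normal; unicast is flagged
                findings.append((ts, f"unicast request {spa} -> {tpa}"))
        elif op == REPLY and dst != BCAST:
            asked = pending.pop((tpa, spa), None)
            if asked is None or ts - asked > window:
                findings.append((ts, f"unsolicited reply {spa} is-at {sha.hex(':')}"))
    return findings

# Constructed sample: documentation addresses and locally administered MACs.
A, B, X, ZERO = (bytes.fromhex(h) for h in ("020000000001", "020000000002", "0200000000ee", "0" * 12))
SAMPLE = [
    (0.0, build(BCAST, A, REQUEST, "192.0.2.10", ZERO, "192.0.2.1")),  # normal broadcast who-has
    (0.1, build(A, B, REPLY, "192.0.2.1", A, "192.0.2.10")),           # reply that was asked for
    (5.0, build(A, X, REPLY, "192.0.2.1", A, "192.0.2.10")),           # reply nobody asked for
    (6.0, build(A, X, REQUEST, "192.0.2.20", A, "192.0.2.10")),        # request sent unicast
]
if __name__ == "__main__":
    for ts, msg in audit(SAMPLE):
        print(f"{ts:6.1f}  {msg}")
```

Some IP stacks refresh an existing cache entry with a unicast ARP request (the unicast poll described in RFC 1122), so a unicast-request finding is a lead to check against the sender rather than a verdict on its own.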



