[Dshield] Anyone seen
jeff-kell at utc.edu
Wed Feb 25 04:57:57 GMT 2004
Jon R. Kibler wrote:
>> I started seeing ARP broadcast (from various IPs on my network)
>> last week using ethereal.
> Also, the fact that you are seeing a lot of ARP packets is a MAJOR
> RED FLAG of another problem -- you are using shared Ethernet -- which
> is a MAJOR security risk. You really should replace all of your hubs
> with switches -- or, at least in the future, only buy switches.
Not so fast. Initial ARPs are broadcast (ff-ff-ff-ff-ff-ff) and will go
to every host, even on a switch. A switch or router may proxy a reply,
but it is perfectly normal to hear broadcast ARPs.
Now if you receive *unicast* ARPs, or unsolicited unicast ARP replies,
somebody on your segment is probably running ettercap or dsniff.
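
The distinction drawn in the reply above, as an added example that is not part of the original post: a small Python classifier that labels raw Ethernet/ARP frames as broadcast requests, solicited replies, unicast requests, or unsolicited unicast replies. The function names, MAC addresses and 192.0.2.x addresses are constructed for illustration.

```python
import socket
import struct

BROADCAST = b"\xff" * 6

def build(dst, src, op, spa, tha, tpa):
    """Constructed test frame: Ethernet header plus IPv4-over-Ethernet ARP body."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = socket.inet_aton
    return (mac(dst) + mac(src) + b"\x08\x06"
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac(src) + ip(spa) + mac(tha) + ip(tpa))

def classify(frames):
    """Label each ARP frame, tracking broadcast requests so replies can be matched."""
    pending, labels = set(), []
    for f in frames:
        if len(f) < 42 or f[12:14] != b"\x08\x06":
            labels.append("not-arp")
            continue
        htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", f[14:22])
        if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op not in (1, 2):
            labels.append("unsupported-arp")
            continue
        dst, spa, tpa = f[0:6], f[28:32], f[38:42]
        if op == 1:
            if dst == BROADCAST:
                pending.add((spa, tpa))             # requester IP, IP asked for
                labels.append("broadcast-request")  # normal, even on a switch
            else:
                labels.append("unicast-request")    # flagged in the post
        elif (tpa, spa) in pending:
            pending.discard((tpa, spa))
            labels.append("solicited-reply")
        elif dst == BROADCAST:
            labels.append("broadcast-reply")
        else:
            labels.append("unsolicited-unicast-reply")  # flagged in the post
    return labels

A, B, M = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:66"
ZERO, BC = "00:00:00:00:00:00", "ff:ff:ff:ff:ff:ff"
SAMPLE = [  # constructed frames, not from a real capture
    build(BC, A, 1, "192.0.2.10", ZERO, "192.0.2.11"),  # A asks who has .11
    build(A, B, 2, "192.0.2.11", A, "192.0.2.10"),      # B answers A
    build(A, M, 2, "192.0.2.1", A, "192.0.2.10"),       # nobody asked for .1
    build(A, M, 1, "192.0.2.1", A, "192.0.2.10"),       # request sent unicast
]

if __name__ == "__main__":
    for label in classify(SAMPLE):
        print(label)
```

Some IP stacks send unicast ARP requests to revalidate existing cache entries, so the two flagged labels are leads to check against the sending MAC rather than proof on their own.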