Date: Sat, 27 Apr 2002 18:04:06 +0600
From: Mojahedul Hoque Abul Hasanat
To: freebsd-security@FreeBSD.ORG
Subject: ARP queries with target hardware address set
Message-ID: <20020427180406.A91046@venus.agni.com>

Please excuse me if this is a naive question.

When running tcpdump I see that some of the ARP queries have their target hardware addresses set to random MACs. AFAIK an ARP query should have its target hardware address set to all zeros. Here is an example from the output of "tcpdump -e ...":

    0:e0:7d:a1:8:75 Broadcast arp 60: arp who-has 202.168.255.85 (68:74:2e:4d:20:74) tell a.host.ip.address

The MAC inside the parentheses was never in my LAN. Almost all the boxes in the LAN are 4.5-STABLE. The box making these queries runs bind 8.3.1-REL. Suspiciously, this box also makes a lot of ARP queries for IPs not in its LAN.

Any ideas on the source of these ARPs?

-- 
Mojahed
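The two things the poster noticed (a who-has request whose target hardware address field is non-zero, and who-has requests for addresses outside the local subnet) can be checked mechanically against raw frames instead of eyeballing tcpdump output. The following is an added example, not code from the original message or from FreeBSD: it builds a few Ethernet/ARP frames by hand, parses them with the fixed 14-byte Ethernet and 28-byte ARP layouts, and flags both anomalies. The MAC addresses are the ones printed in the post; the local subnet 202.53.160.0/24, the sender IP and the third frame are assumptions made up for the sample. The 60-byte padding mirrors the frame length tcpdump printed.

```python
"""Parse raw Ethernet/ARP frames and flag who-has requests that carry a
non-zero target hardware address or ask for an off-subnet IP.
Added example; the frames and the local subnet below are constructed."""
import ipaddress
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, ethertype
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1
BROADCAST = b"\xff" * 6
ZERO_MAC = b"\x00" * 6


def mac_bytes(s):
    """'0:e0:7d:a1:8:75' -> 6 bytes (tcpdump prints octets without zero padding)."""
    return bytes(int(x, 16) for x in s.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_arp_request(src_mac, spa, tpa, tha=ZERO_MAC):
    """Construct a broadcast who-has frame, padded to the 60-byte Ethernet minimum."""
    eth = ETH_HDR.pack(BROADCAST, src_mac, ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REQUEST, src_mac,
                       ipaddress.IPv4Address(spa).packed, tha,
                       ipaddress.IPv4Address(tpa).packed)
    return (eth + arp).ljust(60, b"\x00")


def parse_arp(frame):
    """Return a dict for an IPv4-over-Ethernet ARP frame, or None for anything else."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, _src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": mac_str(sha), "spa": str(ipaddress.IPv4Address(spa)),
            "tha": mac_str(tha), "tha_raw": tha, "tpa": str(ipaddress.IPv4Address(tpa))}


def flag_request(arp, local_net):
    """Flags for a who-has request: target MAC field not all-zero, target IP off-subnet."""
    flags = []
    if arp is None or arp["op"] != ARP_REQUEST:
        return flags
    if arp["tha_raw"] != ZERO_MAC:
        flags.append("target-hw-set")
    if ipaddress.IPv4Address(arp["tpa"]) not in local_net:
        flags.append("target-off-subnet")
    return flags


def scan(frames, local_net):
    """Return [(sender MAC, target IP, target MAC field, flags)] for flagged requests."""
    out = []
    for frame in frames:
        arp = parse_arp(frame)
        flags = flag_request(arp, local_net)
        if flags:
            out.append((arp["sha"], arp["tpa"], arp["tha"], flags))
    return out


# Constructed sample traffic. The subnet and sender IP are assumptions, not from the post.
LOCAL_NET = ipaddress.IPv4Network("202.53.160.0/24")
ASKER = mac_bytes("0:e0:7d:a1:8:75")
SAMPLE_FRAMES = [
    build_arp_request(ASKER, "202.53.160.200", "202.53.160.1"),        # ordinary request
    build_arp_request(ASKER, "202.53.160.200", "202.168.255.85",
                      tha=mac_bytes("68:74:2e:4d:20:74")),             # the case in the post
    build_arp_request(ASKER, "202.53.160.200", "202.53.160.7",
                      tha=mac_bytes("00:11:22:33:44:55")),             # hw set, but on-subnet
]

if __name__ == "__main__":
    for sha, tpa, tha, flags in scan(SAMPLE_FRAMES, LOCAL_NET):
        print(f"{sha} who-has {tpa} ({tha}) -> {', '.join(flags)}")
```

The functions take raw Ethernet frame bytes, so the same scan can be fed from any capture reader instead of the constructed list. Treat the target-hw flag as a fingerprint of the sending stack rather than as proof of anything by itself: a receiver does not need that field to answer a request, so what a host puts there depends on its ARP implementation; the off-subnet flag is the one that points at a routing or configuration problem on the sender.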