Date:      Sun, 28 Apr 2002 09:59:16 +0600
From:      Mojahedul Hoque Abul Hasanat <mojahed@agni.com>
To:        "Crist J. Clark" <cjc@FreeBSD.ORG>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: ARP queries with target hardware address set
Message-ID:  <20020428095916.F94650@venus.agni.com>
In-Reply-To: <20020427165708.B37618@blossom.cjclark.org>; from cjc@FreeBSD.ORG on Sat, Apr 27, 2002 at 04:57:08PM -0700
References:  <20020427180406.A91046@venus.agni.com> <20020427165708.B37618@blossom.cjclark.org>


On Sat, Apr 27, 2002 at 04:57:08PM -0700, Crist J. Clark wrote:
> > should have its target hardware address set to all zeros.
> 
> Can you quote some standard or RFC that states this? AFA_I_K, the
> target hardware address field is undefined. It can just as well be
> random junk as all zeros. RFC 826 just says,

Oops! My fault.  I shouldn't have said "should have its target HA
set to all zeros".  But this is the general case, isn't it?  All the
ARP queries I can see in this LAN have their THA set to zeros,
except some queries from this host.

> > 0:e0:7d:a1:8:75 Broadcast arp 60: arp who-has 202.168.255.85 (68:74:2e:4d:20:74) tell a.host.ip.address
> > 
> > The MAC inside the parenthesis was never in my LAN.  Almost all the
>
> Why does 'a.host.ip.address' think 202.168.255.85 is a local address
> if it isn't?

There is absolutely no reason for this.  Routing tables are correct,
no dynamic routing protocols either.

Now I am more inclined to think that someone is injecting these
Ethernet frames.  But to what effect, I haven't got a clue.


-- 
Mojahed
System Administrator, Agni Systems Limited
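
An added example, not part of the original message: a small parser for Ethernet/IPv4 ARP frames that notes requests carrying a non-zero target hardware address, and frames whose ARP sender MAC differs from the Ethernet source. As the quoted reply says, a non-zero THA in a request is unusual rather than a violation, so the notes are observations to follow up on. The function names are hypothetical, the sample frames are constructed from the tcpdump line above, and the sender IP is a placeholder because the post elides it.

```python
import struct

ETH_ARP = 0x0806
ZERO_MAC = bytes(6)

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def ip(b):
    return ".".join(str(x) for x in b)

def inspect_arp(frame):
    """Return a dict for an Ethernet/IPv4 ARP frame, or None if it is not one."""
    if len(frame) < 42:                       # 14-byte Ethernet + 28-byte ARP
        return None
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype != ETH_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    notes = []
    if op == 1 and tha != ZERO_MAC:           # op 1 = request ("who-has")
        notes.append("request with non-zero THA")
    if sha != src:
        notes.append("ARP sender MAC differs from Ethernet source")
    return {"op": op, "eth_src": mac(src), "sha": mac(sha), "spa": ip(spa),
            "tha": mac(tha), "tpa": ip(tpa), "notes": notes}

def build_request(src, spa, tha, tpa):
    """Constructed sample frame: broadcast ARP request padded to 60 bytes."""
    eth = b"\xff" * 6 + src + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + src + spa + tha + tpa
    return (eth + arp).ljust(60, b"\x00")

SRC = bytes.fromhex("00e07da10875")   # source MAC from the tcpdump line
SPA = bytes([192, 0, 2, 10])          # placeholder: sender IP is elided in the post
TPA = bytes([202, 168, 255, 85])      # target IP from the tcpdump line
ODD = build_request(SRC, SPA, bytes.fromhex("68742e4d2074"), TPA)
USUAL = build_request(SRC, SPA, ZERO_MAC, TPA)

if __name__ == "__main__":
    for f in (ODD, USUAL):
        r = inspect_arp(f)
        print(r["eth_src"], "who-has", r["tpa"], f"({r['tha']})", r["notes"])
```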
