Glenn Johnson wrote:
> 
> Why would these arp requests occur as a steady stream, all going to
> primarily one machine it looks like?  This just started today.  I
> usually see an occasional flash of the activity light on the cable modem
> but the activity light is almost burning steady now.  Here is a snippet
> of output from tcpdump.
> 
> 23:11:45.429645 arp who-has 24.158.211.28 tell 24.158.208.1
> 23:11:45.597693 arp who-has 24.158.211.128 tell 24.158.208.1
> 23:11:45.603525 arp who-has 24.158.209.52 tell 24.158.208.1
> 23:11:45.648017 arp who-has 24.158.213.195 tell 24.158.208.1
> 23:11:45.701103 arp who-has 24.158.213.186 tell 24.158.208.1
> 23:11:45.799656 arp who-has 24.158.208.6 tell 24.158.208.1
> 23:11:45.803653 arp who-has 24.158.208.213 tell 24.158.208.1
> 23:11:45.807188 arp who-has 24.158.213.2 tell 24.158.208.1
> 23:11:45.814144 arp who-has 24.158.211.254 tell 24.158.208.1
> 23:11:45.833711 arp who-has 24.158.213.253 tell 24.158.208.1
> 23:11:45.856152 arp who-has 24.158.210.61 tell 24.158.208.1
> 23:11:45.906593 arp who-has 24.158.210.26 tell 24.158.208.1
> 23:11:45.943625 arp who-has 24.158.223.226 tell 24.158.223.129
> 23:11:45.949866 arp who-has 24.158.222.24 tell 24.158.222.1
> 23:11:45.966988 arp who-has 24.158.212.132 tell 24.158.208.1
> 23:11:46.052650 arp who-has 24.158.212.103 tell 24.158.208.1
> 23:11:46.065411 arp who-has 24.158.220.82 tell 24.158.220.1
> 23:11:46.156773 arp who-has 24.158.220.139 tell 24.158.220.1
> 23:11:46.164731 arp who-has 24.158.215.52 tell 24.158.208.1
> 23:11:46.169593 arp who-has 24.158.209.195 tell 24.158.208.1
> 
> It seems to me that there is some problem here.  How would you suggest I
> approach the cable company with this information?

This is not TO 24.158.208.1, rather FROM...  this indicates that there is
traffic coming from "out there" into your segment looking for the IPs in the
left column...  since there are no duplicates in that sample, it appears someone
is scanning the range...  but scanning with only one packet does nothing for the
scanning host, it just fills the router's (24.158.208.1) arp cache...  the
router waits for the next packet...  if it comes, and there's a cache entry, the
scanner's packet will reach the target host (you?)...  if it doesn't come, the
cache will timeout and flush the entry eventually.  If the scan cycle is longer
than the ARP cache timeout, it's just a waste of bandwidth...

Unless you see the next packet from the scanner, only the router knows the
scanner's IP (likely forged) for the brief time it converts that packet into an
ARP if there's no arp entry for the target host.  If there is an entry, then you
could see the scanner's IP.

If one were to write an arpresponder (had one many years ago to overcome a
network topology issue), it would cause havoc on this type of network...  unless
you can also see the unicast ARP replies, you can't tell if the host really
exists from your vantage point.  If you send an ARP reply for the ARPed-for
host, one of two things will happen...
1. you respond first; no problem, since the last ARP reply seen is used.
2. you respond later; you own the IP address (unless someone else also steals it
or the real target is really slow to respond...)

Trying to steal IPs this way is a crap shoot trying to get in last and before
the first real data packet which quickly follows...

HTH,
Pierre

PS:  Sorry I've been quiet lately...   lots of personal issues...
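Pierre's observation, that one requester asking for many different IPs with no repeats looks like a sweep being relayed by the router, can be checked mechanically from the capture. The following Python is an added example and not code from either poster: it parses tcpdump's `arp who-has X tell Y` lines (the sample is the quoted snippet from the thread, shortened) and flags requesters that ask about at least `min_targets` distinct hosts inside a one-second window; the threshold and window are assumptions to tune per network.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sample input: lines from the quoted tcpdump snippet above (shortened).
SAMPLE = """\
23:11:45.429645 arp who-has 24.158.211.28 tell 24.158.208.1
23:11:45.597693 arp who-has 24.158.211.128 tell 24.158.208.1
23:11:45.603525 arp who-has 24.158.209.52 tell 24.158.208.1
23:11:45.648017 arp who-has 24.158.213.195 tell 24.158.208.1
23:11:45.701103 arp who-has 24.158.213.186 tell 24.158.208.1
23:11:45.799656 arp who-has 24.158.208.6 tell 24.158.208.1
23:11:45.943625 arp who-has 24.158.223.226 tell 24.158.223.129
23:11:45.949866 arp who-has 24.158.222.24 tell 24.158.222.1
23:11:45.966988 arp who-has 24.158.212.132 tell 24.158.208.1
23:11:46.065411 arp who-has 24.158.220.82 tell 24.158.220.1
23:11:46.156773 arp who-has 24.158.220.139 tell 24.158.220.1
23:11:46.164731 arp who-has 24.158.215.52 tell 24.158.208.1
"""
# tcpdump's classic ARP request line: "<time> arp who-has <target> tell <requester>"
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d+) arp who-has (\S+) tell (\S+)$")

def parse(lines):
    """Yield (timestamp, target_ip, requester_ip) for every who-has line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m.group(1), "%H:%M:%S.%f"), m.group(2), m.group(3)

def detect_sweeps(lines, window=timedelta(seconds=1), min_targets=5):
    """Return {requester: n} for requesters asking about >= min_targets *distinct*
    IPs inside one sliding window of length `window`: a router relaying a sweep
    (24.158.208.1 above) stands out, a host resolving a few peers does not."""
    by_requester = defaultdict(list)
    for ts, target, requester in parse(lines):
        by_requester[requester].append((ts, target))
    flagged = {}
    for requester, events in by_requester.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({t for _, t in events[start:end + 1]}))
        if best >= min_targets:
            flagged[requester] = best
    return flagged

if __name__ == "__main__":
    for requester, n in detect_sweeps(SAMPLE.splitlines()).items():
        print(f"{requester}: {n} distinct targets within 1s (possible sweep)")
```

Feed it `tcpdump -n -tt arp` style output with `-n` omitted as in the thread, or adjust `LINE_RE` for other timestamp formats; the per-requester counts are what you would quote when raising the issue with the provider.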