> >----- > >15:29:59.908901 arp who-has the-host-in-question (4:c0:40:1:e0:df) tell > >the-requester > >15:30:00.911228 arp who-has the-host-in-question (57:43:50:10:40:0) tell > >the-requester > >15:30:01.912045 arp who-has the-host-in-question (2e:2f:30:31:32:33) tell > >the-requester > >----- > >'the-host-in-question' and 'the-requester' are, of course, IP addresses. > > > I should let the network people on the list answer, but it looks normal > "unsolicited" ARP. I can be wrong, but I can not imagine the unsolicited ARP requests. As for replies it is OK, but requests?
But I worried by the fact that arp who-has packets have the target MAC in it (that is supposed to be discovered by the request) and this MAC changes from time to time. RFC says that the target MAC in the who-has requests has no meaning but they can be present in the who-has requests. And there was no such packets in that net -- they appeared recently. So if the terget MAC is normally ignored, such packets can be used for ARP spoofing (of any kind) only if we have some strange ARP stacks that are caching the target MAC's from the ARP requests. What is wrong in my thoughts? Thanks! -- rea If I can't picture it, I can't understand it. -Albert Einstein
