I saw something like this recently too (at home!)... My guess is this:
Assume host "A" and host "B" once established a connection. After a period of inactivity, host "A" wants to send data to host "B". Host "A" sends directed ARP packets (using host "B"'s previously known MAC) address to find out if it is there or if it has the same IP address...
But I am not familar with the standards and I'm not sure why this is being handled at such a low level (rather than a TCP timeout, etc)...
Hopefully someone more knowledgable can respond to this... -Alex On Thu, 15 Dec 2005, Eygene A. Ryabinkin wrote:
Good day! Has anyone seen such ARP packets? I am a bit curious, because we have no strange hardware that will set the target hardware address in the who-has ARP packet. Are there any attacks that using such packets? ----- 15:29:59.908901 arp who-has the-host-in-question (4:c0:40:1:e0:df) tell the-requester 15:30:00.911228 arp who-has the-host-in-question (57:43:50:10:40:0) tell the-requester 15:30:01.912045 arp who-has the-host-in-question (2e:2f:30:31:32:33) tell the-requester 15:30:02.913314 arp who-has the-host-in-question (2e:2f:30:31:32:33) tell the-requester 15:30:03.915013 arp who-has the-host-in-question (2e:2f:30:31:32:33) tell the-requester 15:30:04.915854 arp who-has the-host-in-question (2e:2f:30:31:32:33) tell the-requester 15:30:25.962925 arp who-has the-host-in-question (2e:2f:30:31:32:33) tell the-requester 15:30:26.966171 arp who-has the-host-in-question (2e:2f:30:31:32:33) tell the-requester 15:30:26.991402 arp reply the-host-in-question is-at 0:d:88:e6:db:dc 15:31:01.025945 arp who-has the-host-in-question (7:1c:c3:0:72:8c) tell the-requester 15:31:01.040650 arp reply the-host-in-question is-at 0:d:88:e6:db:dc 15:32:01.308911 arp who-has the-host-in-question (4:f9:50:10:ff:ff) tell the-requester 15:32:01.319515 arp reply the-host-in-question is-at 0:d:88:e6:db:dc 15:33:01.448065 arp who-has the-host-in-question (0:b0:2:0:25:f) tell the-requester 15:33:02.448924 arp who-has the-host-in-question (2e:2f:30:31:32:33) tell the-requester 15:33:02.573582 arp reply the-host-in-question is-at 0:d:88:e6:db:dc 15:34:00.568785 arp who-has the-host-in-question (0:b0:2:0:25:f) tell the-requester 15:34:01.569537 arp who-has the-host-in-question (2e:2f:30:31:32:33) tell the-requester 15:34:01.625362 arp reply the-host-in-question is-at 0:d:88:e6:db:dc 15:35:00.836038 arp who-has the-host-in-question (0:0:1f:0:a:c7) tell the-requester 15:35:00.956094 arp reply the-host-in-question is-at 0:d:88:e6:db:dc 15:36:12.412916 arp who-has the-host-in-question (94:eb:ed:1a:71:fb) tell the-requester 15:36:12.423227 arp reply the-host-in-question is-at 0:d:88:e6:db:dc ----- 'the-host-in-question' and 'the-requester' are, of course, IP addresses. Thanks! -- rea BOFH excuse #158: Defunct processes
