On Sat, Apr 28, 2001 at 07:12:47PM +1000, marty wrote:
> > # more /proc/net/arp
>
> which is fine for assigned IP addresses, because machines will respond to
> "who has <their-IP>" ARP requests...
>
> because i am trying to track down spoofed IPs, none of the machines are
> going to respond to a "who has <spoofed-IP>" ARP request...
>
root@kermit:~# tcpdump -eni eth0 arp
tcpdump: listening on eth0
19:14:42.779881 0:d0:9:34:d2:84 ff:ff:ff:ff:ff:ff 0806 60: arp who-has
203.62.148.33 tell 203.62.148.37
format of above is
timestamp from-MAC to-MAC Protocol notsure: arp-packet-info
--
John Ferlito
Senior Engineer - Bulletproof Networks
ph: +61 (0) 410 519 382
http://www.bulletproof.net.au/
--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug
