RE: A bit strange ARP queries

These are usually generated by arping. 

-----Original Message-----
From: Eygene A. Ryabinkin [mailto:rea@rea.mbslab.kiae.ru] 
Sent: Friday, December 16, 2005 5:27 AM
To: wayne dawson
Cc: incidents@securityfocus.com; paul.farrington@goldmedal.co.uk
Subject: Re: A bit strange ARP queries

> > -----
> > 15:29:59.908901 arp who-has the-host-in-question (4:c0:40:1:e0:df) tell 
> > the-requester

> > 15:30:00.911228 arp who-has the-host-in-question (57:43:50:10:40:0) tell 
> > the-requester                                                            
> > 15:30:01.912045 arp who-has the-host-in-question (2e:2f:30:31:32:33) tell

> > the-requester                                                           
> > -----
> > 'the-host-in-question' and 'the-requester' are, of course, IP addresses.
> I should let the network people on the list answer, but it looks normal 
> "unsolicited" ARP. 
 I can be wrong, but I can not imagine the unsolicited ARP requests. As for
replies it is OK, but requests?

 But I worried by the fact that arp who-has packets have the target MAC in
it
(that is supposed to be discovered by the request) and this MAC changes from
time to time.

 RFC says that the target MAC in the who-has requests has no meaning but
they can be present in the who-has requests. And there was no such packets
in that net -- they appeared recently. So if the terget MAC is normally
ignored, such packets can be used for ARP spoofing (of any kind) only if
we have some strange ARP stacks that are caching the target MAC's from the
ARP requests.

 What is wrong in my thoughts?


 Thanks!
-- 
 rea

If I can't picture it, I can't understand it.  -Albert Einstein