
A question about ArpWatch

All the logs are flooded with messages:

----------

Nov 24 03:20:45 pinger arpwatch: flip flop 0.0.0.0 0:80:ad:b:d:c6 (0:2:44:74:42:90)

Nov 24 03:22:29 pinger arpwatch: flip flop 0.0.0.0 0:2:44:74:42:90 (0:80:ad:b:d:c6)

Nov 24 03:24:01 pinger arpwatch: flip flop 0.0.0.0 0:80:ad:b:d:c6 (0:2:44:74:42:90)

Nov 24 03:25:30 pinger arpwatch: flip flop 0.0.0.0 0:2:44:74:42:90 (0:80:ad:b:d:c6)

Nov 24 03:25:35 pinger arpwatch: flip flop 0.0.0.0 0:80:ad:b:d:c6 (0:2:44:74:42:90)

Nov 24 03:25:40 pinger arpwatch: flip flop 0.0.0.0 0:2:44:74:42:90 (0:80:ad:b:d:c6)

Nov 24 03:25:45 pinger arpwatch: report: pausing (cdepth 3)

---

and this nonsense goes on all day :)

The MAC 0:80:ad:0b:0d:c6 belongs to this same machine (192.168.1.253 - pinger)

the second one belongs to the Internet gateway (192.168.1.1)

The gateway's logs show the same junk...

Can anyone suggest anything?


The question is still open, since this is really starting to get on my nerves...

Also, what can anyone tell me about this chunk of tcpdump output?

---

02:18:31.005105 eth0 B arp who-has 192.168.67.9 tell 192.168.67.2

02:18:31.395105 eth0 B arp who-has 192.168.67.50 tell 192.168.67.54

02:18:31.555105 eth0 B arp who-has 192.168.67.50 tell 192.168.67.3

02:18:31.555105 eth0 B arp who-has 192.168.67.73 tell 192.168.67.3

02:18:31.565105 eth0 B arp who-has 192.168.67.50 tell 192.168.67.21

02:18:31.955105 eth0 > arp who-has 192.168.67.79 (Broadcast) tell 0.0.0.0 (0:80:ad:b:d:c6)

02:18:32.975105 eth0 > arp who-has 192.168.67.81 (Broadcast) tell 0.0.0.0 (0:80:ad:b:d:c6)

02:18:33.095105 eth0 B arp who-has 192.168.67.9 tell 192.168.67.2

02:18:33.995105 eth0 > arp who-has 192.168.67.83 (Broadcast) tell 0.0.0.0 (0:80:ad:b:d:c6)

02:18:35.015105 eth0 > arp who-has 192.168.67.85 (Broadcast) tell 0.0.0.0 (0:80:ad:b:d:c6)

02:18:35.045105 eth0 B arp who-has 192.168.67.9 tell 192.168.67.2

02:18:35.755105 eth0 B arp who-has 192.168.67.16 tell 192.168.67.10

02:18:36.035105 eth0 > arp who-has 192.168.67.87 (Broadcast) tell 0.0.0.0 (0:80:ad:b:d:c6)

02:18:36.555105 eth0 B arp who-has 192.168.67.16 tell 192.168.67.74

02:18:36.565105 eth0 B arp who-has 192.168.67.74 tell 192.168.67.105

02:18:36.985105 eth0 B arp who-has 192.168.67.16 tell 192.168.67.105

02:18:36.985105 eth0 B arp who-has 192.168.67.213 tell 192.168.67.105

02:18:37.055105 eth0 > arp who-has 192.168.67.89 (Broadcast) tell 0.0.0.0 (0:80:ad:b:d:c6)

02:18:37.085105 eth0 B arp who-has 192.168.67.9 tell 192.168.67.2

02:18:37.145105 eth0 B arp who-has 192.168.67.16 tell 192.168.67.213

02:18:37.145105 eth0 B arp who-has 192.168.67.213 tell 192.168.67.38

02:18:37.985105 eth0 B arp who-has 192.168.67.16 tell 192.168.67.73

02:18:38.075105 eth0 > arp who-has 192.168.67.91 (Broadcast) tell 0.0.0.0 (0:80:ad:b:d:c6)

02:18:38.805105 eth0 B arp who-has 192.168.67.1 tell 192.168.67.29

02:18:39.055105 eth0 B arp who-has 192.168.67.9 tell 192.168.67.2

02:18:39.095105 eth0 > arp who-has 192.168.67.93 (Broadcast) tell 0.0.0.0 (0:80:ad:b:d:c6)

02:18:39.885105 eth0 B arp who-has 192.168.67.16 tell 192.168.67.65

02:18:40.105105 eth0 B arp who-has 192.168.67.16 tell 192.168.67.29

02:18:40.115105 eth0 > arp who-has 192.168.67.95 (Broadcast) tell 0.0.0.0 (0:80:ad:b:d:c6)

02:18:41.015105 eth0 B arp who-has 192.168.67.16 tell 192.168.67.2

02:18:41.075105 eth0 B arp who-has 192.168.67.9 tell 192.168.67.2

02:18:41.135105 eth0 > arp who-has 192.168.67.97 (Broadcast) tell 0.0.0.0 (0:80:ad:b:d:c6)


Maybe both machines have an interface brought up with the address 0.0.0.0?

So they keep clashing.


Most likely someone is using ARP spoofing.

They are sniffing the LAN.

Specifically, your two servers. All requests to them, and all their replies.


Hm... the flip flop problem went away when I "released" pinger's MAC on the router...

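An added example, not part of any post in this thread: a small Python triage of arpwatch flip flop lines in the format quoted above. It pads the MACs to full form and separates events on 0.0.0.0, the unspecified address seen as the sender in the tcpdump excerpt, from events on real addresses; the 192.168.1.77 line and the verdict labels are constructed for illustration.

```python
import re
from collections import defaultdict

# First three lines are from the thread; the last flip flop line is constructed.
SAMPLE = """\
Nov 24 03:20:45 pinger arpwatch: flip flop 0.0.0.0 0:80:ad:b:d:c6 (0:2:44:74:42:90)
Nov 24 03:22:29 pinger arpwatch: flip flop 0.0.0.0 0:2:44:74:42:90 (0:80:ad:b:d:c6)
Nov 24 03:25:45 pinger arpwatch: report: pausing (cdepth 3)
Nov 24 04:01:10 pinger arpwatch: flip flop 192.168.1.77 0:11:22:33:44:55 (0:aa:bb:cc:dd:ee)
"""

FLIP = re.compile(r"arpwatch: flip flop (\S+) ([0-9a-fA-F:]+) \(([0-9a-fA-F:]+)\)")


def norm_mac(mac):
    """arpwatch drops leading zeros (0:80:ad:b:d:c6); pad to 00:80:ad:0b:0d:c6."""
    return ":".join(part.zfill(2).lower() for part in mac.split(":"))


def summarize(log_text):
    """Group flip flop events by IP: MACs involved, event count, triage verdict."""
    stats = defaultdict(lambda: {"macs": set(), "count": 0})
    for line in log_text.splitlines():
        m = FLIP.search(line)
        if not m:
            continue  # other arpwatch lines, e.g. "report: pausing"
        ip, new_mac, old_mac = m.groups()
        stats[ip]["count"] += 1
        stats[ip]["macs"].update((norm_mac(new_mac), norm_mac(old_mac)))
    report = {}
    for ip, entry in stats.items():
        # 0.0.0.0 is the unspecified address: no host owns it, so alternating
        # MACs there mean several hosts send ARP with an empty sender IP.
        verdict = "unspecified-sender" if ip == "0.0.0.0" else "check-binding"
        report[ip] = {"macs": sorted(entry["macs"]),
                      "count": entry["count"],
                      "verdict": verdict}
    return report


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE).items():
        print(ip, info["count"], info["verdict"], ", ".join(info["macs"]))
```

Addresses reported as "check-binding" are the ones to compare against the known IP-to-MAC assignments of the hosts involved.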
