Re: ARP Requests

["Jason Ross" <algorythm@gmail.com>]

On 8/7/07, ilaiy <ilaiy.e@gmail.com> wrote:
> http://blogs.msdn.com/virtual_pc_guy/archive/2005/01/17/354971.aspx
>
> ./thanks
> ilaiy
>

I'm curious how you figured out that seeing packets being sprayed
across the wire was somehow related to a Virtual PC startup error
message?

As I read the question, I was wondering whether the remote PC was
configured for dhcp/bootp and if so, thought that perhaps it was
caught in a loop attempting to get an address but was unable to do so.

In that case, resetting the network connection to resolve the
problem would make some sense.

It would seem that I was way off though, based on the fact that
Virtual PC gives an error matching that MAC if it's borked and refuses
to start up.

./thanks indeed for that insightful help, I certainly learned something
new today, and am most impressed with your deductive powers!

As a side note, it may be worth noting that ARP requests, by their
nature, generally will have a destination of 00:00:00:00:00:00.

This is because they are broadcast to the entire network segment.
I would venture a guess that the packet 'malformed-ness' is not due
to the destination address, but to something else (data contained
within the packet, incorrect header info, etc.)

It may also be worth examining the source host closely to see if there
is something running which is attempting to spoof ARP requests/replies
in an effort to capture traffic.

Since resetting the network connection "fixed" the issue, I think it's
unlikely, but it never hurts to see.

--
jason

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------