Author: Stefan Krusche
Date:  
To: dng
Subject: Re: [DNG] how to investigate constant outgoing ARP traffic - TX: ~7K/s
On Saturday, 12 October 2019, Dr. Nikolaus Klepp wrote:
> Install wireshark or tcpdump. Guess it's the "arp-who-has ... tell
> ..." class of messages.


Yes, good guess! Tcpdump shows lots of these messages:

16:47:40.633536 ARP, Request who-has ip5b418d68.dynamic.kabel-deutschland.de tell ip5b418dfe.dynamic.kabel-deutschland.de, length 46
16:47:40.821784 ARP, Request who-has ip5b418b24.dynamic.kabel-deutschland.de tell ip5b418bfe.dynamic.kabel-deutschland.de, length 46
16:47:41.006438 ARP, Request who-has ip5b418a98.dynamic.kabel-deutschland.de tell ip5b418afe.dynamic.kabel-deutschland.de, length 46

But what does that mean? The addresses asked for all seem to
be from the pool of the IP addresses/domains which this ISP
gives out.

$ nslookup ip5b418d68.dynamic.kabel-deutschland.de
Server:         127.0.0.1
Address:        127.0.0.1#53


Non-authoritative answer:
Name: ip5b418d68.dynamic.kabel-deutschland.de
Address: 91.65.141.104

$ nslookup ip5b418b24.dynamic.kabel-deutschland.de
Server:         127.0.0.1
Address:        127.0.0.1#53


Non-authoritative answer:
Name: ip5b418b24.dynamic.kabel-deutschland.de
Address: 91.65.139.36

$ nslookup ip5b418a98.dynamic.kabel-deutschland.de
Server:         127.0.0.1
Address:        127.0.0.1#53


Non-authoritative answer:
Name: ip5b418a98.dynamic.kabel-deutschland.de
Address: 91.65.138.152

$ whois 91.65.141.104   # output cut
[…]
inetnum:        91.65.0.0 - 91.65.255.255
netname:        KABEL-DEUTSCHLAND-CUSTOMER-SERVICES-14
[…]


Why would my machine send these requests?

Any hint much appreciated.

Thanks again,
Stefan
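
Added example (not part of the original message): in a tcpdump `who-has X tell Y` line, Y is the address the request came from, so tallying the `tell` side shows which hosts originate the ARP requests. The Python below does that over the three lines quoted above; decoding `ipXXXXXXXX` names as hex-encoded IPv4 addresses is an assumption taken from the nslookup results in the message, and `own_ips` is a hypothetical parameter holding the local interface addresses.

```python
import re
from collections import Counter
from ipaddress import IPv4Address

# The three tcpdump lines quoted in the message above.
SAMPLE = """\
16:47:40.633536 ARP, Request who-has ip5b418d68.dynamic.kabel-deutschland.de tell ip5b418dfe.dynamic.kabel-deutschland.de, length 46
16:47:40.821784 ARP, Request who-has ip5b418b24.dynamic.kabel-deutschland.de tell ip5b418bfe.dynamic.kabel-deutschland.de, length 46
16:47:41.006438 ARP, Request who-has ip5b418a98.dynamic.kabel-deutschland.de tell ip5b418afe.dynamic.kabel-deutschland.de, length 46
"""

# Also accepts the "who-has X (ff:ff:ff:ff:ff:ff) tell Y" variant.
ARP_RE = re.compile(
    r"ARP, Request who-has (\S+?)(?: \(\S+\))? tell (\S+?), length \d+")
# Assumption: names of the form ip<8 hex digits>.<domain> encode the address.
HEXNAME_RE = re.compile(r"^ip([0-9a-f]{8})\.", re.IGNORECASE)


def decode_host(name):
    """Return a dotted-quad for a hex-style name or literal IP, else None."""
    m = HEXNAME_RE.match(name)
    if m:
        return str(IPv4Address(int(m.group(1), 16)))
    try:
        return str(IPv4Address(name))
    except ValueError:
        return None


def arp_requests(text):
    """Return (target, sender) pairs for every ARP request line in text."""
    pairs = []
    for line in text.splitlines():
        m = ARP_RE.search(line)
        if m:
            target, sender = m.group(1), m.group(2)
            pairs.append((decode_host(target) or target,
                          decode_host(sender) or sender))
    return pairs


def tally_senders(text, own_ips=()):
    """Count requests per sender; the flag marks senders listed in own_ips."""
    counts = Counter(sender for _, sender in arp_requests(text))
    return [(s, n, s in own_ips) for s, n in counts.most_common()]


if __name__ == "__main__":
    for sender, count, is_local in tally_senders(SAMPLE):
        print(f"{sender:15}  {count:4}  {'local' if is_local else 'remote'}")
```

Feeding it a longer capture taken with `tcpdump -n arp`, with the addresses shown by `ip addr` passed as `own_ips`, separates requests sent by the local machine from broadcasts that were only received.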