Author: Dr. Nikolaus Klepp
Date:  
To: dng
Subject: Re: [DNG] how to investigate constant outgoing ARP traffic - TX: ~7K/s
Anno domini 2019 Sat, 12 Oct 17:03:29 +0200
Stefan Krusche scripsit:
> Am Samstag, 12. Oktober 2019 schrieb Dr. Nikolaus Klepp:
> > Install wireshark or tcpdump. Guess it's the "arp-who-has ... tell
> > ..." class of messages.
>
> Yes, good guess! Tcpdump show lots of these messages:
>
> 16:47:40.633536 ARP, Request who-has ip5b418d68.dynamic.kabel-deutschland.de tell ip5b418dfe.dynamic.kabel-deutschland.de, length 46
> 16:47:40.821784 ARP, Request who-has ip5b418b24.dynamic.kabel-deutschland.de tell ip5b418bfe.dynamic.kabel-deutschland.de, length 46
> 16:47:41.006438 ARP, Request who-has ip5b418a98.dynamic.kabel-deutschland.de tell ip5b418afe.dynamic.kabel-deutschland.de, length 46
>
> But what does that mean? The addresses asked for all seem to
> be from the pool of the IP addresses/domains which this ISP
> gives out.
>
> $ nslookup ip5b418d68.dynamic.kabel-deutschland.de
> Server:         127.0.0.1
> Address:        127.0.0.1#53
>
> Non-authoritative answer:
> Name: ip5b418d68.dynamic.kabel-deutschland.de
> Address: 91.65.141.104
>
> $ nslookup ip5b418b24.dynamic.kabel-deutschland.de
> Server:         127.0.0.1
> Address:        127.0.0.1#53
>
> Non-authoritative answer:
> Name: ip5b418b24.dynamic.kabel-deutschland.de
> Address: 91.65.139.36
>
> $ nslookup ip5b418a98.dynamic.kabel-deutschland.de
> Server:         127.0.0.1
> Address:        127.0.0.1#53
>
> Non-authoritative answer:
> Name: ip5b418a98.dynamic.kabel-deutschland.de
> Address: 91.65.138.152
>
> $ whois 91.65.141.104   # output cut
> […]
> inetnum:        91.65.0.0 - 91.65.255.255
> netname:        KABEL-DEUTSCHLAND-CUSTOMER-SERVICES-14
> […]
>
> Why would my machine send these requests?
>
> Any hint much appreciated.


Please see: http://www.omnisecu.com/tcpip/address-resolution-protocol-arp.php
And search for "arp spoofing", this will reveal more funny details :)

Nik

>
> Thanks again,
> Stefan

--
Please do not email me anything that you are not comfortable also sharing with the NSA, CIA ...
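
Added example, not part of the original message: a small Python triage script for tcpdump ARP lines like the ones quoted above. It groups requests by the "tell" address (the requester) so you can check whether any requester is one of this machine's own addresses. Decoding "ipXXXXXXXX" hostnames as hex IPv4 is an assumption drawn from the three nslookup results in the thread, and the local address 192.0.2.10 is a placeholder.

```python
import re
from collections import defaultdict

# Sample input: the three tcpdump lines quoted in the message above.
SAMPLE = """\
16:47:40.633536 ARP, Request who-has ip5b418d68.dynamic.kabel-deutschland.de tell ip5b418dfe.dynamic.kabel-deutschland.de, length 46
16:47:40.821784 ARP, Request who-has ip5b418b24.dynamic.kabel-deutschland.de tell ip5b418bfe.dynamic.kabel-deutschland.de, length 46
16:47:41.006438 ARP, Request who-has ip5b418a98.dynamic.kabel-deutschland.de tell ip5b418afe.dynamic.kabel-deutschland.de, length 46
"""

# tcpdump may print "(mac)" after the target; both forms are accepted.
ARP_RE = re.compile(r"ARP, Request who-has (\S+?)(?: \(\S+\))? tell (\S+?), length \d+")
# Assumption: the ISP encodes the IPv4 address as 8 hex digits after "ip".
HEXHOST_RE = re.compile(r"^ip([0-9a-f]{8})\.")


def host_to_ip(name):
    """Decode ipXXXXXXXX.* into dotted IPv4; return any other name unchanged."""
    m = HEXHOST_RE.match(name)
    if not m:
        return name
    return ".".join(str(b) for b in bytes.fromhex(m.group(1)))


def summarize(text):
    """Map each requester ('tell' address) to the set of addresses it asked for."""
    asked = defaultdict(set)
    for line in text.splitlines():
        m = ARP_RE.search(line)
        if m:
            asked[host_to_ip(m.group(2))].add(host_to_ip(m.group(1)))
    return dict(asked)


def sent_by(summary, local_ips):
    """Requesters that are one of this machine's own addresses."""
    return sorted(set(summary) & set(local_ips))


if __name__ == "__main__":
    result = summarize(SAMPLE)
    for sender, targets in sorted(result.items()):
        print(f"{sender} asked for {sorted(targets)}")
    # 192.0.2.10 is a placeholder; use the addresses shown by `ip -4 addr`.
    print("sent by this host:", sent_by(result, ["192.0.2.10"]))
```

Capturing with `tcpdump -n -e arp` avoids the reverse DNS lookups and also prints the source MAC address, which can be compared with the local interface's MAC.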