:: Re: [DNG] how to investigate consta…
Author: Dr. Nikolaus Klepp
Date:  
To: dng
Subject: Re: [DNG] how to investigate constant outgoing ARP traffic - TX: ~7K/s
Anno domini 2019 Sun, 13 Oct 10:47:30 +0200
Stefan Krusche scripsit:
> Am Sonntag, 13. Oktober 2019 schrieb Dr. Nikolaus Klepp:
> > There is some misunderstanding: The ARP package has nothing to do
> > with DNS.
>
> That's what I've been thinking and why I asked.
>
> > It basically links MAC to IP - and you can do funny things
> > with it.
>
> Okay, I still can't seem to connect the dots…
>
> > tcpdump just makes the name resolution for you, use "tcpdump
> > -n" to go without it. e.g.:
> >
> > # tcpdump -n
> > 10:28:14.675930 ARP, Request who-has 192.168.1.190 tell 192.168.1.1,
> > length 28 10:28:14.675980 ARP, Reply 192.168.1.190 is-at
> > 00:1b:77:53:6c:43, length 28
>
> Alright. What attracts my attention is, that here length is 28 just
> like the ARP message format is explained on the site you recommended
> where it is 46 on my machine:
>
> $ sudo tcpdump -n
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on net0, link-type EN10MB (Ethernet), capture size 262144 bytes
> 10:34:53.070420 ARP, Request who-has 91.65.142.159 tell 91.65.142.254, length 46
> 10:34:53.071792 ARP, Request who-has 90.187.99.84 tell 90.187.99.86, length 46
>
> Is this relevant in any way related to exaggerated ARP requests?


My ARP comes from wifi, yours is ethernet. 28 Bytes is the ARP packet size, but it's padded for the ethernet minimum frame:
https://www.quora.com/Why-are-46-byte-packets-used-in-Ethernet

You can ask tcpdump to give you a hex dump of the packets and investigate:
# tcpdump -nx

11:24:25.760914 ARP, Request who-has 192.168.1.190 tell 192.168.1.1, length 28
    0x0000:  0001 0800 0604 0001 c493 0007 4ca5 c0a8
    0x0010:  0101 0000 0000 0000 c0a8 01be
11:24:25.760962 ARP, Reply 192.168.1.190 is-at 00:1b:77:53:6c:43, length 28
    0x0000:  0001 0800 0604 0002 001b 7753 6c43 c0a8
    0x0010:  01be c493 0007 4ca5 c0a8 0101



>
> > arp cache should only have as many entries as other mac addresses are
> > active in your part of the lan. If you are alone on your router, then
> > it's just your router's mac in the cache.
>
> This seems to be the case (see OP).
>
> Thank you, Nik.
>
> Stefan
>
> _______________________________________________
> Dng mailing list
> Dng@???
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
>




--
Please do not email me anything that you are not comfortable also sharing with the NSA, CIA ...
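As an added example (not part of this thread), the script below turns the two `tcpdump -nx` hex dumps from the message above back into bytes, decodes the 28-byte ARP payload field by field using the standard RFC 826 Ethernet/IPv4 layout, and shows how zero-padding to the 46-byte Ethernet minimum payload accounts for the `length 46` seen on the wired capture. The hex-dump text and the padding helper are constructed for this example.

```python
import struct
from ipaddress import IPv4Address

# Constructed input: the two tcpdump -x hex-dump bodies quoted in the message.
ARP_REQUEST_HEX = """
    0x0000:  0001 0800 0604 0001 c493 0007 4ca5 c0a8
    0x0010:  0101 0000 0000 0000 c0a8 01be
"""
ARP_REPLY_HEX = """
    0x0000:  0001 0800 0604 0002 001b 7753 6c43 c0a8
    0x0010:  01be c493 0007 4ca5 c0a8 0101
"""

ETH_MIN_PAYLOAD = 46  # 64-byte minimum frame minus 14-byte header and 4-byte FCS
ARP_OPCODES = {1: "request", 2: "reply"}


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn tcpdump -x lines ('0x0010:  0101 0000 ...') back into raw bytes."""
    words = []
    for line in dump.strip().splitlines():
        _offset, _, data = line.strip().partition(":")
        words.extend(data.split())
    return bytes.fromhex("".join(words))


def parse_arp(payload: bytes) -> dict:
    """Decode an Ethernet/IPv4 ARP packet (RFC 826); trailing padding is ignored."""
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    return {
        "op": ARP_OPCODES.get(oper, f"unknown({oper})"),
        "sender_mac": sha.hex(":"),
        "sender_ip": str(IPv4Address(spa)),
        "target_mac": tha.hex(":"),
        "target_ip": str(IPv4Address(tpa)),
        "arp_len": 28,
        "padding": len(payload) - 28,  # 0 on the wifi capture, 18 on ethernet
    }


def pad_for_ethernet(payload: bytes) -> bytes:
    """Zero-pad a payload to the Ethernet minimum, as the NIC does on the wire."""
    return payload + b"\x00" * max(0, ETH_MIN_PAYLOAD - len(payload))


if __name__ == "__main__":
    for dump in (ARP_REQUEST_HEX, ARP_REPLY_HEX):
        raw = hexdump_to_bytes(dump)
        print(len(raw), "bytes:", parse_arp(raw))
        print("as ethernet payload:", len(pad_for_ethernet(raw)), "bytes")
```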