:: Re: [DNG] how to investigate consta…
Etusivu
Poista viesti
Vastaa
Lähettäjä: mett
Päiväys:  
Vastaanottaja: dng
Aihe: Re: [DNG] how to investigate constant outgoing ARP traffic - TX: ~7K/s
On 2019年10月13日 18:24:54 JST, "Dr. Nikolaus Klepp" <dr.klepp@???> wrote:
>Anno domini 2019 Sun, 13 Oct 10:47:30 +0200
> Stefan Krusche scripsit:
>> Am Sonntag, 13. Oktober 2019 schrieb Dr. Nikolaus Klepp:
>> > There is some misunderstanding: The ARP package has nothing to do
>> > with DNS.
>>
>> That's what I've been thinking and why I asked.
>>
>> > It basicly links MAC to IP - and you can do funny things
>> > with it.
>>
>> Okay, I still can't seem to connect the dots…
>>
>> > tcpdump just makes the name resolution for you, use "tcpdump
>> > -n" to go without it. e.g.:
>> >
>> > # tcpdump -n
>> > 10:28:14.675930 ARP, Request who-has 192.168.1.190 tell
>192.168.1.1,
>> > length 28 10:28:14.675980 ARP, Reply 192.168.1.190 is-at
>> > 00:1b:77:53:6c:43, length 28
>>
>> Alright. What attracts my attention is, that here length is 28 just
>> like the ARP message format is explained on the site you recommended
>> where it is 46 on my machine:
>>
>> $ sudo tcpdump -n
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol
>decode
>> listening on net0, link-type EN10MB (Ethernet), capture size 262144
>bytes
>> 10:34:53.070420 ARP, Request who-has 91.65.142.159 tell
>91.65.142.254, length 46
>> 10:34:53.071792 ARP, Request who-has 90.187.99.84 tell 90.187.99.86,
>length 46
>>
>> Is this relevant in any way related to exaggerated ARP requests?
>
>My ARP come from wifi, you's is ethernet. 28 Bytes is the ARP packet
>size, but it's padded for ethernet minmum frame:
>https://www.quora.com/Why-are-46-byte-packets-used-in-Ethernet
>
>You can ask tcpdump to give you a hex dump of the packets and
>investigate:
># tcpdump -nx
>
>11:24:25.760914 ARP, Request who-has 192.168.1.190 tell 192.168.1.1,
>length 28
>    0x0000:  0001 0800 0604 0001 c493 0007 4ca5 c0a8
>    0x0010:  0101 0000 0000 0000 c0a8 01be
>11:24:25.760962 ARP, Reply 192.168.1.190 is-at 00:1b:77:53:6c:43,
>length 28
>    0x0000:  0001 0800 0604 0002 001b 7753 6c43 c0a8
>    0x0010:  01be c493 0007 4ca5 c0a8 0101

>
>
>>
>> > arp cache should only have as many entries as ather mac adresses
>are
>> > active in your part of the lan. If you are alone on your router,
>then
>> > it's just you routers mac in the cache.
>>
>> This seems to be the case (see OP).
>>
>> Thank you, Nik.
>>
>> Stefan
>>
>> _______________________________________________
>> Dng mailing list
>> Dng@???
>> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
>>
>
>
>
>--
>Please do not email me anything that you are not comfortable also
>sharing with the NSA, CIA ...
>_______________________________________________
>Dng mailing list
>Dng@???
>https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng


Hi,

if this is really outgoing arp request,
maybe ur default route is not properly
configured.
Like u have no next-hop address,
only an outgoing interface as a default
route:

ip route default dev en0

instead of

ip route default via 91.sm.th.ing dev en0

In that case, ur host think every hosts is attached to it, and therefore arp for each
host.

I said if bc what u showed didn t seem
coming from ur host.

Can u verify that all the arp requests
are from ur host?
ie. the outgoing interface, en0 if i
understood properly
(the interface with a public ip address).

hth