Kurt
In situations like this I have generally found it is either a virus of some
sort (take your pick), a badly configured application or a problem on the
network card or cable. In extreme situations I have found this to be some
kind of penetration test or attack but normally it is just a worm. Put
ethereal also inline with the workstation and see if you can capture any
behaviour which triggers the scans. You may simply be on a switched
network and are only seeing the ARPs as they are broadcasts. I have seen
certain proxy software e.g. Wingate client do this kind of thing.
Evan
-----Original Message-----
From: ethereal-users-bounces@xxxxxxxxxxxx
[mailto:ethereal-users-bounces@xxxxxxxxxxxx] On Behalf Of Krahnke, Kurt
Sent: 10 August 2004 05:00 PM
To: 'ethereal-users@xxxxxxxxxxxx'
Cc: Krahnke, Kurt
Subject: [Ethereal-users] Excessive Arps on my network
I have downloaded and installed ethereal on my network and have begun to do
some analysis of packets going over my network. I am seeing anywhere from
65 to 85% arps. These are coming from several workstations on my network
and they are all sequential. I see the arp starting at a workstation that
has an ip address of 172.16.104.45, it arps to every ip address range in the
172.16.104.xx range. This means from 1 to 254, with the exception of 45? I
have never seen this before, do you have any idea what this may be?
At first I thought it was the Welchia virus, we use Symantec
corporate anti-virus which picked up nothing. I downloaded and used
Trend-micro's house call in case the anti virus was disabled, this also
showed no viruses. Have you seen this before?
Is this possibly spyware running on my network? Are there any
suggestions you could give me to try and solve this problem?
Kurt Krahnke
Network Engineer
Treasure Island Resort and Casino
651-385-2843 direct
800-222-7077 ext 2843 toll free
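
One way to pick out the workstations described in this thread from a capture summary, as an added example that is not part of either message: it reads ARP request lines in the style of Ethereal's Info column and flags senders that walk a subnet in address order. The sample lines are constructed, and the thresholds `min_targets` and `min_sequential` are assumed values to tune per network.

```python
import ipaddress
import re
from collections import defaultdict

# Matches ARP request summaries such as "Who has 172.16.104.1?  Tell 172.16.104.45".
ARP_RE = re.compile(r"Who has (\d+\.\d+\.\d+\.\d+)\?\s+Tell (\d+\.\d+\.\d+\.\d+)")

def build_sample():
    """Constructed capture summary: one sweeping host and one ordinary host."""
    lines = []
    # Sweeper: 172.16.104.45 asks for .1 to .254 in order, skipping itself.
    for host in range(1, 255):
        if host != 45:
            lines.append(f"Who has 172.16.104.{host}?  Tell 172.16.104.45")
    # Ordinary host: a handful of repeated lookups (gateway, servers).
    for target in (1, 10, 1, 20, 10):
        lines.append(f"Who has 172.16.104.{target}?  Tell 172.16.104.77")
    lines.append("TCP 172.16.104.77 > 172.16.104.10 [SYN]")  # non-ARP, ignored
    return lines

def find_arp_sweepers(lines, min_targets=50, min_sequential=0.8):
    """Return {sender: stats} for senders whose ARP requests look like a sweep."""
    targets = defaultdict(list)  # sender -> requested addresses in capture order
    for line in lines:
        m = ARP_RE.search(line)
        if m:
            targets[m.group(2)].append(int(ipaddress.IPv4Address(m.group(1))))
    flagged = {}
    for sender, seq in targets.items():
        distinct = len(set(seq))
        # A step counts as sequential when the next target is one or two
        # addresses higher (two covers the gap where the sender skips itself).
        steps = sum(1 for a, b in zip(seq, seq[1:]) if 1 <= b - a <= 2)
        ratio = steps / max(len(seq) - 1, 1)
        if distinct >= min_targets and ratio >= min_sequential:
            flagged[sender] = {"distinct_targets": distinct,
                               "sequential_ratio": round(ratio, 2)}
    return flagged

def arp_share(lines):
    """Fraction of capture lines that are ARP requests."""
    return sum(1 for line in lines if ARP_RE.search(line)) / len(lines)

if __name__ == "__main__":
    sample = build_sample()
    print(find_arp_sweepers(sample))
    print(f"ARP share of capture: {arp_share(sample):.0%}")
```

A flagged sender is a starting point for the inline capture suggested in the reply, since the sweep pattern alone does not say which process on the workstation is generating it.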