08-12-2008 01:19 PM - edited 03-06-2019 12:45 AM
I am seeing a lot of ARP requests that look like the switch (probably something spoofing the switch) is scanning our network and incrementing by one... like something has a virus. Here is what I am seeing in the switch:
Aug 12 19:12:54: IP ARP: sent req src 10.0.0.254 0021.1b83.0000,
dst 10.0.61.176 0000.0000.0000 Vlan10
Aug 12 19:12:55: IP ARP: sent req src 10.0.0.254 0021.1b83.0000,
dst 10.0.61.195 0000.0000.0000 Vlan10
Aug 12 19:12:56: IP ARP: sent req src 10.0.0.254 0021.1b83.0000,
dst 10.0.61.196 0000.0000.0000 Vlan10
Aug 12 19:12:56: IP ARP: sent req src 10.0.0.254 0021.1b83.0000,
dst 10.0.61.168 0000.0000.0000 Vlan10
10.0.0.254 is our switch.
This started at 10.0.0.0 and is now up to 10.0.65.X.
How can I find out what is doing this?
Mike
08-12-2008 01:35 PM
I am assuming this is a layer-3 switch? If so, this is just normal ARP'ing, as the switch (router) is trying to forward packets to hosts on its directly connected VLAN 10 that it doesn't have ARP entries for. It could be legitimate traffic or it could be an infected host that is generating the traffic. I suggest you put a sniffer on and attempt to find the IP source that is generating the 'sweeps' of traffic.
HTH
Andy
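An added example, not code from either poster, of the correlation the reply above suggests: parse the wrapped two-line debug entries to collect the addresses the switch ARPed for, then rank the source hosts in a sniffer export by how many of those addresses they sent to. The flow list and its 10.1.5.x host addresses are constructed, hypothetical sample data.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample in the same format as the debug output quoted in the thread.
ARP_DEBUG = """\
Aug 12 19:12:54: IP ARP: sent req src 10.0.0.254 0021.1b83.0000,
dst 10.0.61.176 0000.0000.0000 Vlan10
Aug 12 19:12:55: IP ARP: sent req src 10.0.0.254 0021.1b83.0000,
dst 10.0.61.195 0000.0000.0000 Vlan10
Aug 12 19:12:56: IP ARP: sent req src 10.0.0.254 0021.1b83.0000,
dst 10.0.61.196 0000.0000.0000 Vlan10
Aug 12 19:12:56: IP ARP: sent req src 10.0.0.254 0021.1b83.0000,
dst 10.0.61.168 0000.0000.0000 Vlan10
"""

# Constructed (source IP, destination IP) pairs, as exported from a sniffer
# capture on the routed path; the source hosts are hypothetical.
FLOWS = [
    ("10.1.5.23", "10.0.61.176"), ("10.1.5.23", "10.0.61.195"),
    ("10.1.5.23", "10.0.61.196"), ("10.1.5.23", "10.0.61.168"),
    ("10.1.5.40", "10.0.0.254"), ("10.1.5.51", "10.0.61.195"),
]

# One entry wraps over two lines; \s+ after the comma joins them.
# The all-zero destination MAC marks a request for an unresolved address.
ENTRY = re.compile(
    r"IP ARP: sent req src (?P<src>[\d.]+) [0-9a-f.]+,\s+"
    r"dst (?P<dst>[\d.]+) 0000\.0000\.0000 (?P<intf>\S+)")

def unresolved_targets(debug_text):
    """Return {(requester, interface): set of addresses it ARPed for}."""
    targets = {}
    for m in ENTRY.finditer(debug_text):
        key = (ip_address(m["src"]), m["intf"])
        targets.setdefault(key, set()).add(ip_address(m["dst"]))
    return targets

def rank_sources(flows, arp_targets):
    """Count, per source host, how many distinct ARPed-for addresses it sent to."""
    hits = {(ip_address(s), ip_address(d)) for s, d in flows
            if ip_address(d) in arp_targets}
    return Counter(src for src, _ in hits).most_common()

if __name__ == "__main__":
    for (requester, intf), dsts in unresolved_targets(ARP_DEBUG).items():
        print(f"{requester} on {intf} ARPed for {len(dsts)} unresolved addresses")
        for src, n in rank_sources(FLOWS, dsts):
            print(f"  {src} sent packets to {n} of them")
```

The ARP debug alone only ever names the switch interface as requester, which is why the capture of the routed traffic is needed to identify the originating host.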
08-13-2008 04:50 AM
We found the issue. It looks like it was a misconfigured subnet mask.
Thanks for your help.
Mike