04-06-2007 10:50 AM - edited 03-10-2019 03:33 AM
I've investigated this alarm before, and I think there are times when this occurs normally. I can't pinpoint an exact reason a device might use this normally though. I'm assuming it would have something to do with high availability...like a heartbeat. Any ideas why a device, in particular a Cisco device, would send an arp reply to a layer 2 broadcast address (and no previous arp request was sent)?
04-12-2007 10:55 AM
Tools such as dsniff and ettercap can perform a brute force flood of the ARP cache and win a race condition to overwrite the MAC-to-IP address mapping. This situation causes the dedicated segment for each port on the switch to relax and the
unicast packets can be seen on other ports. It has been described as making a switch behave like a hub.
04-12-2007 11:08 AM
Thanks. I am actually aware of many of the nefarious reasons one might see this. I'm as close to 100% confident as you can be that this is non-malicious activity.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide