Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

ARP-Reply-to-Broadcast Event 7102 Sub 0

I have a weird issue I'm trying to figure out...

I am seeing multiple Event 7102 sub 0 alarms in CTR. All have the same IP Address as the offending source. I turned on IP Logging and went through 2 of the alarms with ethereal and below is what I'm seeing. Any help is appreciated.

ARP-Reply-to-Broadcast Event 7102 Sub 0

Starts with an ARP reply:

Source MAC: It's own

Source IP: It's own

Target MAC: ff:ff:ff:ff:ff:ff (broadcast)

Target IP: It's OWN IP

Opcode: reply (0x0002)

Then a DNS query for time.windows.com

Then it goes into NBNS (Netbios name) registration for "Multi-homed registration" NB Workstation1

Registration NB Domain1

Alarm number 2, from the same sourece "IP Address" - note the different name of workstation.

Starts with the same thing:

Starts with an ARP reply:

Source MAC: It's own

Source IP: It's own

Target MAC: ff:ff:ff:ff:ff:ff (broadcast)

Target IP: It's OWN IP

Opcode: reply (0x0002)

Then it does a NBNS registration NB "Workstation2" (Different Workstation name, same IP)

Registration NB Domain2 (different domain)

Both domains are real domains. Any ideas?

2 REPLIES
Silver

Re: ARP-Reply-to-Broadcast Event 7102 Sub 0

Check if the following documentation helps.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/threat/

Silver

Re: ARP-Reply-to-Broadcast Event 7102 Sub 0

MS makes use of gratuitous ARPs to make sure that the IP in question isn't in use. An MS machine will register its name in WINS and DNS(Win2k+). If there are two intefaces, then it will register both.

Is your machine multi-homed? Does it use a loopback adapter?

207
Views
0
Helpful
2
Replies
CreatePlease to create content