Strange ARP requests

Michal Chruszcz troll at troll.one.pl
Tue, 27 Apr 2004, 06:55:56 CEST


Hello,

For the past few days strange things have been happening on the network I manage. arpmonitor 
on the server shows something like this:
[Reply] From: 192.168.10.244 [00:E0:22:22:3A:E1] To: 192.168.1.1 [00:0A:5E:20:82:5C]
[Request] From: 192.168.16.10 [00:0D:88:8C:A6:CE] To: 239.255.255.250 [6C:02:79:08:C7:C8]
[Request] From: 192.168.17.40 [00:0D:88:B9:5B:90] To: 239.255.255.250 [49:12:80:55:01:10]
[Request] From: 192.168.17.200 [00:0D:88:99:3A:29] To: 239.255.255.250 [00:00:00:00:00:00]
[Request] From: 192.168.17.60 [00:0D:88:B9:57:50] To: 239.255.255.250 [6E:2C:49:5F:96:4F]
[Request] From: 192.168.61.1 [00:0D:88:B9:5A:55] To: 239.255.255.250 [49:0F:80:58:01:10]
[Request] From: 192.168.61.1 [00:0D:88:B9:5A:55] To: 224.0.1.76 [5B:CB:32:F9:5B:F1]
[Request] From: 192.168.17.40 [00:0D:88:B9:5B:90] To: 224.0.1.76 [49:0C:80:5B:01:10]
[Request] From: 192.168.16.10 [00:0D:88:8C:A6:CE] To: 224.0.1.76 [6C:1D:79:08:D5:5F]
[Request] From: 192.168.17.60 [00:0D:88:B9:57:50] To: 224.0.1.76 [7C:4F:98:76:77:A2]
[Request] From: 192.168.17.200 [00:0D:88:99:3A:29] To: 224.0.1.76 [00:89:00:89:00:3A]

All the addresses from the 192.168.0.0 class are access points.
Meanwhile, tcpdump on my workstation (somewhat hidden off to the side of the network) shows 
something similar, but the addresses seem more familiar:
# tcpdump -v -n -i wlan0|head -n10
tcpdump: listening on wlan0, link-type EN10MB (Ethernet), capture size 96 bytes
06:51:42.078779 IP (tos 0x0, ttl 126, id 98, offset 0, flags [none], length: 226) 169.254.145.177.138 > 169.254.255.255.138: NBT UDP PACKET(138)
06:51:42.102968 IP (tos 0x0, ttl  99, id 51, offset 0, flags [none], length: 96) 169.254.145.177.137 > 169.254.255.255.137: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
06:51:42.104837 IP (tos 0x0, ttl  98, id 51, offset 0, flags [none], length: 96) 169.254.145.177.137 > 169.254.255.255.137: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
06:51:42.110824 IP (tos 0x0, ttl  99, id 51, offset 0, flags [none], length: 96) 169.254.145.177.137 > 169.254.255.255.137: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
06:51:42.118603 IP (tos 0x0, ttl  99, id 51, offset 0, flags [none], length: 96) 169.254.145.177.137 > 169.254.255.255.137: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
06:51:42.120682 IP (tos 0x0, ttl  98, id 51, offset 0, flags [none], length: 96) 169.254.145.177.137 > 169.254.255.255.137: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
06:51:42.126322 IP (tos 0x0, ttl  98, id 51, offset 0, flags [none], length: 96) 169.254.145.177.137 > 169.254.255.255.137: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
06:51:42.137152 IP (tos 0x0, ttl  98, id 51, offset 0, flags [none], length: 96) 169.254.145.177.137 > 169.254.255.255.137: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
06:51:42.138775 IP (tos 0x0, ttl  98, id 51, offset 0, flags [none], length: 96) 169.254.145.177.137 > 169.254.255.255.137: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
06:51:42.148963 IP (tos 0x0, ttl  98, id 51, offset 0, flags [none], length: 96) 169.254.145.177.137 > 169.254.255.255.137: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST

At first I thought these were DHCP requests, but there is no DHCP on our 
network, so that is probably ruled out. SMB connections are cut off at the 
AP level, so the ports these connections come from seem doubly 
strange to me. Maybe someone has already had a similar problem and solved it?
-- 
Michal Chruszcz -=- Seen at http://prox.pl/~troll/?gallery
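
Added example, not part of the original post: a small Python check over arpmonitor output in the format shown above. It flags ARP requests whose target IP is multicast (IPv4 multicast addresses map to MAC addresses statically, so ARP is not used to resolve them) or whose target MAC field is not all zeros, and counts the sender OUIs involved. The names `parse` and `audit` are this example's own; the sample lines are copied from the post.

```python
import ipaddress
import re
from collections import Counter

# Four entries copied from the arpmonitor output in the post, wrapped as posted.
SAMPLE = """\
[Reply] From: 192.168.10.244 [00:E0:22:22:3A:E1] To: 192.168.1.1
[00:0A:5E:20:82:5C]
[Request] From: 192.168.16.10 [00:0D:88:8C:A6:CE] To: 239.255.255.250
[6C:02:79:08:C7:C8]
[Request] From: 192.168.17.200 [00:0D:88:99:3A:29] To: 239.255.255.250
[00:00:00:00:00:00]
[Request] From: 192.168.61.1 [00:0D:88:B9:5A:55] To: 224.0.1.76
[5B:CB:32:F9:5B:F1]
"""

MAC = r"\[((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\]"
ENTRY = re.compile(
    r"\[(Request|Reply)\]\s+From:\s+(\S+)\s+" + MAC + r"\s+To:\s+(\S+)\s+" + MAC
)

def parse(text):
    """Return (op, src_ip, src_mac, dst_ip, dst_mac) tuples; tolerates line wraps."""
    out = []
    for op, sip, smac, tip, tmac in ENTRY.findall(text):
        out.append((op, ipaddress.ip_address(sip), smac.upper(),
                    ipaddress.ip_address(tip), tmac.upper()))
    return out

def audit(entries):
    """Flag ARP requests with unusual target fields and count sender OUIs."""
    findings, ouis = [], Counter()
    for op, sip, smac, tip, tmac in entries:
        if op != "Request":
            continue
        reasons = []
        if tip.is_multicast:  # 224.0.0.0/4 is mapped to a MAC without ARP
            reasons.append("multicast-target")
            ouis[smac[:8]] += 1  # first three octets of the sender MAC
        if tmac != "00:00:00:00:00:00":  # target MAC is not yet known in a request
            reasons.append("nonzero-target-mac")
        if reasons:
            findings.append((str(sip), str(tip), reasons))
    return findings, ouis

if __name__ == "__main__":
    found, by_oui = audit(parse(SAMPLE))
    for src, dst, why in found:
        print(f"{src} -> {dst}: {', '.join(why)}")
    print("sender OUIs asking for multicast IPs:", dict(by_oui))
```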


