| View previous topic :: View next topic |
| Author |
Message |
cael
n00b
Joined: 29 Apr 2003
Posts: 37
|
 Posted: Mon Sep 22, 2003 2:19 am Post subject: [RESOLVED] Precursor to a honeypot: arpd not arping? |
 |
|
Hi all,
It doesn't look like net-misc/arpd-0.2 is responding to unowned arp queries the way it ought to.
| Code: | # arpd -d -i eth0 10.0.0.0/24
arpd[7174]: listening on eth0: arp and (dst net 10.0.0.0/24) and not ether src 00:01:02:03:04:e5 |
However, when I try pinging 10.0.0.113 (unallocated) I don't hear a peep from arpd.
After waiting a while, I started to see some activity from arpd:
| Code: | arpd[7174]: arpd_lookup: 10.0.0.1 at 00:06:25:01:01:01
arpd[7174]: arpd_lookup: 10.0.0.3 at 00:a0:08:00:00:00
arpd[7174]: arpd_recv_cb: 10.0.0.3 is allocated
arpd[7174]: arpd_recv_cb: 10.0.0.1 at 00:06:25:01:01:01
arpd[7174]: arpd_recv_cb: 10.0.0.3 at 00:a0:08:00:00:00
arpd[7174]: arpd_recv_cb: 10.0.0.1 at 00:06:25:01:01:01
arpd[7174]: arpd_recv_cb: 10.0.0.3 is allocated
arpd[7174]: arpd_recv_cb: 10.0.0.1 at 00:06:25:01:01:01
arpd[7174]: arpd_recv_cb: 10.0.0.3 at 00:a0:08:00:00:00
arpd[7174]: arpd_recv_cb: 10.0.0.1 at 00:06:25:01:01:01
arpd[7174]: arpd_recv_cb: 10.0.0.1 is allocated
arpd[7174]: arpd_recv_cb: 10.0.0.1 is allocated
arpd[7174]: arpd_timeout: expiring 10.0.0.3 |
Is it just a matter of having to wait for arpd to crawl through my /24? tcpdump says there's definitely arp-related traffic on the network.
Many thanks,
Cael
Last edited by cael on Mon Sep 22, 2003 1:41 pm; edited 1 time in total |
|
| Back to top |
|
 |
cael
n00b
Joined: 29 Apr 2003
Posts: 37
|
| Posted: Mon Sep 22, 2003 2:28 am Post subject: |
|
|
Right -- just for completeness' sake, here's what tcpdump reports when I try pinging the nonexistent machine:
| Code: | 22:24:23.215030 arp who-has 10.0.0.113 tell mygentoobox
22:24:24.250066 arp who-has 10.0.0.113 tell mygentoobox
... |
I'm not trying to ping outside my own subnet, so I shouldn't have to add a route, should I? This seems far too complicated.
take care,
Cael |
|
| Back to top |
|
|
devon
l33t
Joined: 23 Jun 2003
Posts: 943
|
| Posted: Mon Sep 22, 2003 4:37 am Post subject: |
|
|
| Quote: | | Code: | # arpd -d -i eth0 10.0.0.0/24
arpd[7174]: listening on eth0: arp and (dst net 10.0.0.0/24) and not ether src 00:01:02:03:04:e5 |
|
I assume 00:01:02:03:04:e5 is your Ethernet address? It looks like arpd is filtering packets a la tcpdump and not showing any packets sourced from you. So you won't see the ARP who-has packets. And since no machine has 10.0.0.113, you won't get a response back. |
|
| Back to top |
|
|
sschlueter
Guru
Joined: 26 Jul 2002
Posts: 578
Location: Dortmund, Germany
|
| Posted: Mon Sep 22, 2003 5:35 am Post subject: Re: Precursor to a honeypot: arpd not arping? |
|
|
| cael wrote: |
However, when I try pinging 10.0.0.113 (unallocated) I don't hear a peep from arpd.
|
Do you try to ping from the same host that arpd runs at? This doesn't work, it only works from other hosts. |
|
| Back to top |
|
|
cael
n00b
Joined: 29 Apr 2003
Posts: 37
|
| Posted: Mon Sep 22, 2003 1:40 pm Post subject: |
|
|
That was embarassing.
You were exactly right, sschlueter -- thanks.
C |
|
| Back to top |
|
|
|
Networking & Security
