[nzlug] mac address / arp issues?
Antonio Broughton
antonio at flerwin.net
Fri Oct 5 12:09:43 NZST 2007
On Fri, 2007-10-05 at 11:10 +1300, Antonio Broughton wrote:
> Hi,
>
> We have a customer that has an IPCop machine that serves their internet,
> and a CentOS machine that acts as the windows domain for a number of
> workstations.
>
> Starting from Tuesday, there have been issues in regard to the ARP table
> on the default gateway for the network (IPCop machine).
>
> The issue that is occurring is that the Windows workstations appear to
> lose their internet connection, however, if you go on the IPCop box,
> and issue an "arp -a", the following is outputted:
>
> ? (10.1.5.218) at 00:11:d8:b7:20:36 [ether] on eth0
> ? (10.1.5.219) at 00:11:d8:b7:20:36 [ether] on eth0
> ? (10.1.5.220) at 00:11:d8:b7:20:36 [ether] on eth0
> ? (10.1.5.221) at 00:11:d8:b7:20:36 [ether] on eth0
> ? (10.1.5.222) at 00:11:d8:b7:20:36 [ether] on eth0
>
-- snip --
This has just happened again, however, I notice some dodgy things
happening just before it occurred:
11:30:36.616201 arp who-has 10.1.5.10 tell 10.1.5.200
11:30:36.631876 arp who-has 10.1.5.11 tell 10.1.5.200
11:30:36.647409 arp who-has 10.1.5.12 tell 10.1.5.200
11:30:36.663084 arp who-has 10.1.5.13 tell 10.1.5.200
11:30:36.678742 arp who-has 10.1.5.14 tell 10.1.5.200
11:30:36.695064 arp who-has 10.1.5.15 tell 10.1.5.200
11:30:36.709964 arp who-has 10.1.5.16 tell 10.1.5.200
11:30:36.725651 arp who-has 10.1.5.17 tell 10.1.5.200
11:30:36.741191 arp who-has 10.1.5.18 tell 10.1.5.200
11:30:36.756931 arp who-has 10.1.5.19 tell 10.1.5.200
etc...
The Windows computer is doing a scan by the looks of it.
If this computer does have a ViRii... does anyone know why it would
be stuffing up the arp table on the Linux server?
Has anyone come across a virus that does this?
Antonio Broughton
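
An added example, not part of the original message: a Python check run over the `arp -a` output and the tcpdump lines quoted above, which flags a MAC address that the gateway's cache maps to several IPs and a host that sends ARP requests for many addresses within one second. The function names and thresholds are assumptions chosen for illustration, and the parser assumes the tcpdump line format shown in the message, with all timestamps from the same day.

```python
import re
from collections import defaultdict
# Input copied from the message above: `arp -a` on the gateway, then the capture.
ARP_TABLE = """\
? (10.1.5.218) at 00:11:d8:b7:20:36 [ether] on eth0
? (10.1.5.219) at 00:11:d8:b7:20:36 [ether] on eth0
? (10.1.5.220) at 00:11:d8:b7:20:36 [ether] on eth0
? (10.1.5.221) at 00:11:d8:b7:20:36 [ether] on eth0
? (10.1.5.222) at 00:11:d8:b7:20:36 [ether] on eth0
"""
CAPTURE = """\
11:30:36.616201 arp who-has 10.1.5.10 tell 10.1.5.200
11:30:36.631876 arp who-has 10.1.5.11 tell 10.1.5.200
11:30:36.647409 arp who-has 10.1.5.12 tell 10.1.5.200
11:30:36.663084 arp who-has 10.1.5.13 tell 10.1.5.200
11:30:36.678742 arp who-has 10.1.5.14 tell 10.1.5.200
11:30:36.695064 arp who-has 10.1.5.15 tell 10.1.5.200
11:30:36.709964 arp who-has 10.1.5.16 tell 10.1.5.200
11:30:36.725651 arp who-has 10.1.5.17 tell 10.1.5.200
11:30:36.741191 arp who-has 10.1.5.18 tell 10.1.5.200
11:30:36.756931 arp who-has 10.1.5.19 tell 10.1.5.200
"""
ARP_ENTRY = re.compile(r"\((\d+(?:\.\d+){3})\) at ([0-9a-fA-F:]{17})")
WHO_HAS = re.compile(r"^(\d+):(\d+):(\d+\.\d+) arp who-has (\S+) tell (\S+)")

def shared_macs(arp_output, min_ips=2):
    """Return {mac: [ips]} for each MAC the ARP cache maps to min_ips or more IPs."""
    by_mac = defaultdict(list)
    for ip, mac in ARP_ENTRY.findall(arp_output):
        by_mac[mac.lower()].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) >= min_ips}

def arp_sweepers(capture, min_targets=8, window=1.0):
    """Return {sender: n}: sender requested n distinct IPs inside one `window` (seconds)."""
    seen = defaultdict(list)  # sender -> [(seconds since midnight, target IP)]
    for line in capture.splitlines():
        m = WHO_HAS.match(line.strip())
        if m:
            h, mi, s, target, sender = m.groups()
            seen[sender].append((int(h) * 3600 + int(mi) * 60 + float(s), target))
    flagged = {}
    for sender, reqs in seen.items():
        best = max(len({g for t, g in reqs if 0 <= t - t0 <= window}) for t0, _ in reqs)
        if best >= min_targets:
            flagged[sender] = best
    return flagged

if __name__ == "__main__":
    print(shared_macs(ARP_TABLE), arp_sweepers(CAPTURE))
```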