tcpdump found something strange...

iiiyyyhhhsss posted on 2010-04-25 22:02

This post was last edited by iiiyyyhhhsss on 2010-04-25 22:19

Below is the result I got from tcpdump. Clearly:
The gateway 192.168.0.1 keeps sending ARP packets asking for the MAC address of 192.168.0.1. Isn't that just asking for its own MAC address over and over?
Why does this happen? Under what circumstances does this usually occur?


21:57:47.197761 arp who-has 192.168.0.1 (ff:ff:ff:ff:ff:ff) tell 192.168.0.1
21:57:47.311505 arp who-has 192.168.0.1 (ff:ff:ff:ff:ff:ff) tell 192.168.0.1
21:57:47.423329 arp who-has 192.168.0.1 (ff:ff:ff:ff:ff:ff) tell 192.168.0.1
21:57:47.551858 arp who-has 192.168.0.1 (ff:ff:ff:ff:ff:ff) tell 192.168.0.1
21:57:47.645913 arp who-has 192.168.0.1 (ff:ff:ff:ff:ff:ff) tell 192.168.0.1
21:57:47.737078 IP 192.168.1.251 > 192.168.1.1: ICMP echo request, id 26891, seq 274, length 64
21:57:47.738049 IP 192.168.1.1 > 192.168.1.251: ICMP echo reply, id 26891, seq 274, length 64
21:57:47.748125 arp who-has 192.168.0.1 (ff:ff:ff:ff:ff:ff) tell 192.168.0.1
21:57:47.857778 arp who-has 192.168.0.1 (ff:ff:ff:ff:ff:ff) tell 192.168.0.1
21:57:47.977038 arp who-has 192.168.0.1 (ff:ff:ff:ff:ff:ff) tell 192.168.0.1
21:57:48.078891 arp who-has 192.168.0.1 (ff:ff:ff:ff:ff:ff) tell 192.168.0.1
21:57:48.126502 IP 192.168.0.9.1004 > 255.255.255.255.1004: UDP, length 47
21:57:48.187794 arp who-has 192.168.0.1 (ff:ff:ff:ff:ff:ff) tell 192.168.0.1
21:57:48.307028 arp who-has 192.168.0.1 (ff:ff:ff:ff:ff:ff) tell 192.168.0.1
21:57:48.408655 arp who-has 192.168.0.1 (ff:ff:ff:ff:ff:ff) tell 192.168.0.1
21:57:48.517692 arp who-has 192.168.0.1 (ff:ff:ff:ff:ff:ff) tell 192.168.0.1
21:57:48.630363 arp who-has 192.168.0.1 (ff:ff:ff:ff:ff:ff) tell 192.168.0.1
21:57:48.737107 IP 192.168.1.251 > 192.168.1.1: ICMP echo request, id 26891, seq 275, length 64
21:57:48.738332 IP 192.168.1.1 > 192.168.1.251: ICMP echo reply, id 26891, seq 275, length 64
21:57:48.738351 arp who-has 192.168.0.1 (ff:ff:ff:ff:ff:ff) tell 192.168.0.1
21:57:48.847646 arp who-has 192.168.0.1 (ff:ff:ff:ff:ff:ff) tell 192.168.0.1
21:57:48.966726 arp who-has 192.168.0.1 (ff:ff:ff:ff:ff:ff) tell 192.168.0.1
21:57:49.017832 IP 192.168.0.9.137 > 192.168.0.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
21:57:49.068680 arp who-has 192.168.0.1 (ff:ff:ff:ff:ff:ff) tell 192.168.0.1
21:57:49.177765 arp who-has 192.168.0.1 (ff:ff:ff:ff:ff:ff) tell 192.168.0.1
21:57:49.296675 arp who-has 192.168.0.1 (ff:ff:ff:ff:ff:ff) tell 192.168.0.1
21:57:49.398595 arp who-has 192.168.0.1 (ff:ff:ff:ff:ff:ff) tell 192.168.0.1

missuniverse110 posted on 2010-04-25 22:22

It is announcing its own IP and MAC.
Is it a "dumb" (consumer-grade) router?

missuniverse110 posted on 2010-04-25 22:30

This post was last edited by missuniverse110 on 2010-04-25 22:33

Example 2.3. Unsolicited ARP request frames

[root@tristan]# arping -q -c 3 -U -I eth0 192.168.99.35
[root@masq-gw]# tcpdump -c 3 -nni eth2 arp
tcpdump: listening on eth2
06:28:23.172068 arp who-has 192.168.99.35 (ff:ff:ff:ff:ff:ff) tell 192.168.99.35
06:28:24.167290 arp who-has 192.168.99.35 (ff:ff:ff:ff:ff:ff) tell 192.168.99.35
06:28:25.167250 arp who-has 192.168.99.35 (ff:ff:ff:ff:ff:ff) tell 192.168.99.35


-U     Unsolicited ARP mode to update neighbours' ARP caches. No replies are expected.

Back in school I often used this trick to counter ARP attacks.

iiiyyyhhhsss posted on 2010-04-25 22:31

What I don't understand is why this happens. Can anyone explain?

missuniverse110 posted on 2010-04-25 22:46

It is sending unsolicited ARP packets on its own; no ARP reply from the other side is needed, and it updates the other side's ARP cache.
There are two possibilities:
1. An ARP attack
2. A countermeasure against ARP attacks

iiiyyyhhhsss posted on 2010-04-25 22:55

?? So according to you, the network I'm on is not behaving normally?

missuniverse110 posted on 2010-04-25 23:11

First, make sure it isn't something you did yourself.
tcpdump -ennqti eth0 \( arp or icmp \)
Just look at the sender's MAC and you're done.

jordie posted on 2010-04-26 07:53

Where I live it's the same as the original poster describes, and I don't know the reason either.

iiiyyyhhhsss posted on 2010-04-26 09:05

???????

dwl301 posted on 2010-04-26 09:25

Could one of the machines be infected with a virus? A Windows machine at our company behaved like this once when it got infected...

iiiyyyhhhsss posted on 2010-04-26 10:21

I also think it's a virus,
but it's the gateway router that is sending these. Could the gateway be infected?

Besides, if another computer were doing the spoofing, the whole LAN should be unable to work normally,

but our network is perfectly fine, and there is no problem at all getting out to the Internet...

Strange!

iiiyyyhhhsss posted on 2010-04-30 12:05

Finally figured it out:

On the surface the gateway keeps asking for its own MAC address,

but what it is actually doing is: the gateway keeps broadcasting its own MAC address to all machines on the internal network.
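Added example (not from the thread): a small Python detector for the pattern discussed here. It reads tcpdump lines like the ones above, flags a request whose sender and target IP are the same as gratuitous ARP, and, when the capture was taken with `-e` as suggested, records the source MAC per IP so that one IP announced from two different MACs stands out. The two `-e` style lines, their MAC addresses, and the ordinary request from 192.168.0.9 are constructed.

```python
import re
from collections import defaultdict

# Constructed sample: the thread's tcpdump lines plus three added lines, the last
# two in the form "tcpdump -e" prints (assumed layout, constructed MAC addresses).
SAMPLE = """\
21:57:47.197761 arp who-has 192.168.0.1 (ff:ff:ff:ff:ff:ff) tell 192.168.0.1
21:57:47.311505 arp who-has 192.168.0.1 (ff:ff:ff:ff:ff:ff) tell 192.168.0.1
21:57:47.737078 IP 192.168.1.251 > 192.168.1.1: ICMP echo request, id 26891, seq 274, length 64
21:57:48.200000 arp who-has 192.168.0.1 tell 192.168.0.9
00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ARP, length 42: arp who-has 192.168.0.1 (ff:ff:ff:ff:ff:ff) tell 192.168.0.1
66:77:88:99:aa:bb > ff:ff:ff:ff:ff:ff, ARP, length 42: arp who-has 192.168.0.1 (ff:ff:ff:ff:ff:ff) tell 192.168.0.1
"""

WHO_HAS = re.compile(r"who-has (\d+(?:\.\d+){3})(?: \([^)]*\))? tell (\d+(?:\.\d+){3})")
# Ethernet header prefix printed by "tcpdump -e": "<src mac> > <dst mac>, ..."
ETH_HDR = re.compile(r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > (?:[0-9a-f]{2}:){5}[0-9a-f]{2}")

def parse_arp_requests(text):
    """One record per ARP request line; non-ARP lines (ICMP, UDP, ...) are skipped."""
    records = []
    for line in text.splitlines():
        m = WHO_HAS.search(line)
        if not m:
            continue
        target, sender = m.groups()
        eth = ETH_HDR.search(line)
        records.append({
            "sender": sender,
            "target": target,
            "src_mac": eth.group(1) if eth else None,
            # Sender asking for its own IP = gratuitous ARP (announcement/probe).
            "gratuitous": sender == target,
        })
    return records

def summarize(records):
    """Per sender IP: request count, gratuitous count, set of source MACs seen."""
    summary = defaultdict(lambda: {"requests": 0, "gratuitous": 0, "macs": set()})
    for r in records:
        s = summary[r["sender"]]
        s["requests"] += 1
        s["gratuitous"] += int(r["gratuitous"])
        if r["src_mac"]:
            s["macs"].add(r["src_mac"])
    return dict(summary)

def conflicting_senders(summary):
    """IPs seen from more than one source MAC: a gateway announcing itself should use one."""
    return sorted(ip for ip, s in summary.items() if len(s["macs"]) > 1)
```

Run it on a capture saved with `tcpdump -e ... arp`; an IP that only ever appears with a single MAC and just announces itself is the harmless case the last post describes, while an IP reported by `conflicting_senders` deserves a closer look.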