ARP packets usage - Networking



Thread: ARP packets usage

  1. ARP packets usage

    I ran Ethereal and captured all packets for 1 minute and 49 seconds.
    These are the results I got:

    -------------------
    Total 503

    TCP 353 70.2%
    UDP 15 3.0%
    ICMP 13 2.6%
    ARP 122 24.3%

    Running time: 00:01:49
    --------------------

    Is this a normal ARP packet percentage? It seems a bit high to me.

    Thanks,
    Philippe Signoret West


  2. Re: ARP packets usage

    On Oct 25, 12:37 am, Philippe Signoret
    wrote:
    > I ran Ethereal and captured all packets for 1 minute and 49 seconds.
    > These are the results I got:
    >
    > -------------------
    > Total 503
    >
    > TCP 353 70.2%
    > UDP 15 3.0%
    > ICMP 13 2.6%
    > ARP 122 24.3%
    >
    > Running time: 00:01:49
    > --------------------
    >
    > Is this a normal ARP packet percentage? It seems a bit high to me.
    >
    > Thanks,
    > Philippe Signoret West


    It also seems a bit high to me. Beware of ARP packets, because they may be
    used to sniff the traffic between two hosts or to cut the connections
    between two hosts; this is known as ARP poisoning or ARP spoofing. There
    are also some Windows viruses that use this protocol to halt the Internet
    connections inside the whole LAN. I think you know whether your LAN is
    trusted or not; if it is not trusted, then beware of what those packets
    may be used for. Anyway, check whether the values that the sniffer gives
    you are valid and correct.


  3. Re: ARP packets usage

    On Wed, 24 Oct 2007, in the Usenet newsgroup comp.os.linux.networking, in
    article <1193265460.173380.238880@v29g2000prd.googlegroups.com>, Philippe
    Signoret wrote:

    NOTE: Posting from groups.google.com (or some web-forums) dramatically
    reduces the chance of your post being seen. Find a real news server.

    >I ran Ethereal and captured all packets for 1 minute and 49 seconds.


    What network? What is on this network?

    >TCP 353 70.2%
    >UDP 15 3.0%
    >ICMP 13 2.6%
    >ARP 122 24.3%


    Fairly quiet - but without knowing _what_ you are looking at, it is
    difficult to say if this is normal or not. For example, if you
    are looking at a DSL connection, you are not likely to see any
    mono-cast traffic (traffic to/from a single IP address) that is not
    directed at your host. But you will _PROBABLY_ see all _broadcast_
    traffic, where the router/switch does not know if "you" are the
    destination or not.

    >Is this a normal ARP packet percentage? It seems a bit high to me.


    Not enough information. The other question is what operating system
    are the hosts running? That may also have impact on the traffic.

    Old guy


  4. Re: ARP packets usage

    Moe Trin wrote:
    > On Wed, 24 Oct 2007, in the Usenet newsgroup comp.os.linux.networking, in
    > article <1193265460.173380.238880@v29g2000prd.googlegroups.com>, Philippe
    > Signoret wrote:
    >
    > NOTE: Posting from groups.google.com (or some web-forums) dramatically
    > reduces the chance of your post being seen. Find a real news server.
    >
    >> I ran Ethereal and captured all packets for 1 minute and 49 seconds.

    >
    > What network? What is on this network?
    >
    >> TCP 353 70.2%
    >> UDP 15 3.0%
    >> ICMP 13 2.6%
    >> ARP 122 24.3%

    >
    > Fairly quiet - but without knowing _what_ you are looking at, it is
    > difficult to say if this is normal or not. For example, if you
    > are looking at a DSL connection, you are not likely to see any
    > mono-cast traffic (traffic to/from a single IP address) that is not
    > directed at your host. But you will _PROBABLY_ see all _broadcast_
    > traffic, where the router/switch does not know if "you" are the
    > destination or not.
    >
    >> Is this a normal ARP packet percentage? It seems a bit high to me.

    >
    > Not enough information. The other question is what operating system
    > are the hosts running? That may also have impact on the traffic.
    >
    > Old guy
    >

    Little question: don't routers split up broadcast domains?
    And thus broadcasts from the WAN side shouldn't be forwarded to the LAN,
    or does that in general only occur in the reverse (e.g. from LAN -> WAN)?

  5. Re: ARP packets usage

    > NOTE: Posting from groups.google.com (or some web-forums) dramatically
    > reduces the chance of your post being seen. Find a real news server.

    Which one can I use for free?

    > >I ran Ethereal and captured all packets for 1 minute and 49 seconds.

    > What network? What is on this network?

    My home wireless network.

    > >Is this a normal ARP packet percentage? It seems a bit high to me.

    > Not enough information. The other question is what operating system
    > are the hosts running? That may also have impact on the traffic.

    Most hosts (5 of them) are running Windows XP, one Ubuntu Linux. The Linux
    box and two Windows XP machines are wired; the others are wireless.



  6. Re: ARP packets usage

    On Thu, 25 Oct 2007, in the Usenet newsgroup comp.os.linux.networking, in
    article <4720f999$0$22312$ba620e4c@news.skynet.be>, goarilla wrote:

    >Moe Trin wrote:


    >> Fairly quiet - but without knowing _what_ you are looking at, it is
    >> difficult to say if this is normal or not. For example, if you
    >> are looking at a DSL connection, you are not likely to see any
    >> mono-cast traffic (traffic to/from a single IP address) that is not
    >> directed at your host. But you will _PROBABLY_ see all _broadcast_
    >> traffic, where the router/switch does not know if "you" are the
    >> destination or not.


    >little question don't routers split up broadcast domains ?


    Classic routers - your big boxes from Cisco, Foundry, and others,
    that follow RFC1812 do not forward broadcasts - because the network
    address ranges are different on the various interfaces. See sections
    5.3.4. and 5.3.5 et seq. for details.

    1812 Requirements for IP Version 4 Routers. F. Baker, Ed.. June 1995.
    (Format: TXT=415740 bytes) (Obsoletes RFC1716, RFC1009) (Updated
    by RFC2644) (Status: PROPOSED STANDARD)

    The "routers" normally found in the home behave differently, because
    they are not routers in the classic sense. In many cases, they are
    doing port/IP translating, such that you have a non-routable (RFC1918)
    address on your side, and can have multiple systems that appear on
    the Internet as one. In other cases, they are behaving more like
    Ethernet switches, separating traffic (collision domains) between the
    ISP side and your system[s]. On Monday, you asked this question in
    the thread "Do MAC addresses go to internet?", and in my response
    (Message-Id: ) I suggested
    trying to use a packet sniffer to see what's on your wires. Did this
    not work?

    >and thus broadcasts from the WAN side shouldn't be forwarded to the LAN
    >or does that in general only occurs in the reverse (eg from LAN -> WAN) ?


    The only time a "router" should forward broadcasts (other than DHCP
    requests when the router is configured as a DHCP Relay Agent - see
    RFC1542 et seq.) is when it is not acting as a classic router per
    RFC1812. ARP packets are not forwarded by such routers, because the
    Ethernet concept doesn't need the "end" MAC address, but it DOES need
    the MAC address of the "next hop". As far as ARP is concerned, the only
    time an ARP request is forwarded is in Proxy-ARP where the "router" is
    attempting to make it appear that a system on a separate interface but
    using the same IP range is on the local network wire. See the
    "Proxy-ARP-Subnet" mini-howto

    -rw-rw-r-- 1 gferg ldp 19372 Aug 28 2000 Proxy-ARP-Subnet

    for additional details.

    Old guy

  7. Re: ARP packets usage

    On Thu, 25 Oct 2007, in the Usenet newsgroup comp.os.linux.networking, in
    article <1193343456.688012.213050@i13g2000prf.googlegroups.com>,
    Philippe Signoret wrote:

    >> NOTE: Posting from groups.google.com (or some web-forums) dramatically
    >> reduces the chance of your post being seen. Find a real news server.


    >Which one can I use for free?


    Some people have been using 'teranews.com' but this seems to be poorly
    administered, and is subject to substantial delays (and may be in a lot
    of killfiles as well - look at http://www.teranews.com). Another used is
    'aioe.org' with apparently better results (sorry - don't have a URL), and
    still another is motzarella.org (again - no URL). I offer no opinions
    either way. There is an alternative Usenet newsgroup "alt.free.newsservers"
    and another "alt.usenet.news-server-comparison" you may want to look at,
    but be well aware that they are infested with trolls.

    >> What network? What is on this network?


    >My home wireless network.


    If this is _only_ your own network, then yes - this is too high. What I
    would do would be to run a packet sniffer and see who is ARPing for whom.
    I've never bothered using Ethereal (now called Wireshark), as it puts
    too MUCH information in the "User Friendly" display, which is quite useless
    for me. If you have 'tcpdump' installed, a suitable command would be

    /usr/sbin/tcpdump -n -i eth0 -x arp

    (though you'll probably have to run that as root). The output will look
    something like

    20:36:01.250000 arp who-has 192.168.1.102 tell 192.168.1.17
    0001 0800 0604 0001 0020 af57 d129 c0a8
    0111 0000 0000 0000 c0a8 0166

    The last four double-octets in the middle line (0020 af57 d129 c0a8)
    are the MAC address of the source (00:20:af:57:d1:29) and the first
    two octets of the IP address (c0a8 = 192.168). On the last line are
    the other two octets of the source IP address (0111 = 1.17, which makes
    the source address 192.168.1.17); the next three pairs are zeros,
    because this is the desired information (the MAC address of 192.168.1.102),
    and the last two pairs (c0a8 0166) are the IP address we are searching
    for ("who is 192.168.1.102").

    20:36:01.260000 arp reply 192.168.1.102 is-at 08:0:20:c2:e3:14
    0001 0800 0604 0002 0800 20c2 e314 c0a8
    0166 0020 af57 d129 c0a8 0111

    There is the reply. Note that in the second and third lines, the source
    and destination MAC and IP addresses are swapped, because the reply is
    coming from 192.168.1.102 at 08:0:20:c2:e3:14, and is being sent to
    192.168.1.17 at 00:20:af:57:d1:29.

    >>> Is this a normal ARP packet percentage? It seems a bit high to me.


    >> Not enough information. The other question is what operating system
    >> are the hosts running? That may also have impact on the traffic.


    >Most hosts (5 of them) are running Windows XP, one Ubuntu Linux. Linux
    >and two Windows XP are wired, others are wireless.


    I don't use windoze, but windoze is EXTREMELY talkative, and wants to
    talk to every address it's ever heard of. What you may be seeing is
    windoze looking for hosts listed in shares.

    Old guy
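
The byte-by-byte decoding done by hand in the post above can be checked in code. The following is an added example, not part of the original thread: it takes the two 28-byte ARP payloads exactly as printed by `tcpdump -x` above (the 14-byte Ethernet header is omitted by -x), applies the RFC 826 field layout (fixed header, then sender MAC, sender IP, target MAC, target IP), rebuilds tcpdump's one-line summary, and verifies that the reply really answers the request. Everything else (function names, the `answers` check) is the example's own.

```python
import struct
from ipaddress import IPv4Address

# The two ARP payloads printed by `tcpdump -x` in the post above, copied
# verbatim (28 bytes each; -x omits the link-level header).
REQUEST_HEX = "0001 0800 0604 0001 0020 af57 d129 c0a8 0111 0000 0000 0000 c0a8 0166"
REPLY_HEX   = "0001 0800 0604 0002 0800 20c2 e314 c0a8 0166 0020 af57 d129 c0a8 0111"

# RFC 826 fixed header: hardware type, protocol type, hardware address
# length, protocol address length, operation (all big-endian).
ARP_HDR = struct.Struct("!HHBBH")
HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
OPER = {1: "request", 2: "reply"}


def hex_to_bytes(dump: str) -> bytes:
    """Turn a tcpdump -x hex dump (whitespace between groups) into bytes."""
    return bytes.fromhex(dump)


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_arp(payload: bytes) -> dict:
    """Decode an Ethernet/IPv4 ARP packet into its five address fields.

    Trailing bytes (Ethernet minimum-frame padding) are ignored; anything
    that is not Ethernet+IPv4 ARP is rejected rather than guessed at.
    """
    if len(payload) < ARP_HDR.size + 20:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, oper = ARP_HDR.unpack_from(payload, 0)
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError(f"unsupported ARP type/lengths: {htype:#x} {ptype:#x} {hlen} {plen}")
    if oper not in OPER:
        raise ValueError(f"unknown ARP operation {oper}")
    off = ARP_HDR.size
    sha, spa = payload[off:off + 6], payload[off + 6:off + 10]
    tha, tpa = payload[off + 10:off + 16], payload[off + 16:off + 20]
    return {
        "oper": OPER[oper],
        "sha": mac_str(sha), "spa": str(IPv4Address(spa)),   # sender MAC / IP
        "tha": mac_str(tha), "tpa": str(IPv4Address(tpa)),   # target MAC / IP
    }


def describe(pkt: dict) -> str:
    """One-line summary in tcpdump's style (MAC octets zero-padded here)."""
    if pkt["oper"] == "request":
        return f"arp who-has {pkt['tpa']} tell {pkt['spa']}"
    return f"arp reply {pkt['spa']} is-at {pkt['sha']}"


def answers(request: dict, reply: dict) -> bool:
    """True when `reply` is the answer to `request`: it comes from the IP that
    was asked about and is addressed back to the asker's MAC and IP."""
    return (request["oper"] == "request" and reply["oper"] == "reply"
            and reply["spa"] == request["tpa"]
            and reply["tpa"] == request["spa"]
            and reply["tha"] == request["sha"])


if __name__ == "__main__":
    req = parse_arp(hex_to_bytes(REQUEST_HEX))
    rep = parse_arp(hex_to_bytes(REPLY_HEX))
    for p in (req, rep):
        print(describe(p), p)
    print("reply matches request:", answers(req, rep))
```

The only cosmetic difference from tcpdump's own summary is that tcpdump prints MAC octets without zero padding ("08:0:20:c2:e3:14"), whereas this prints "08:00:20:c2:e3:14". The `answers` check is the property a poisoned cache violates: a spoofed "is-at" arrives without any matching "who-has" from the victim.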

  8. Re: ARP packets usage

    Moe Trin wrote:
    > On Thu, 25 Oct 2007, in the Usenet newsgroup comp.os.linux.networking, in
    > article <4720f999$0$22312$ba620e4c@news.skynet.be>, goarilla wrote:
    >
    >> Moe Trin wrote:

    >
    >>> Fairly quiet - but without knowing _what_ you are looking at, it is
    >>> difficult to say if this is normal or not. For example, if you
    >>> are looking at a DSL connection, you are not likely to see any
    >>> mono-cast traffic (traffic to/from a single IP address) that is not
    >>> directed at your host. But you will _PROBABLY_ see all _broadcast_
    >>> traffic, where the router/switch does not know if "you" are the
    >>> destination or not.

    >
    >> little question don't routers split up broadcast domains ?

    >
    > Classic routers - your big boxes from Cisco, Foundry, and others,
    > that follow RFC1812 do not forward broadcasts - because the network
    > address ranges are different on the various interfaces. See sections
    > 5.3.4. and 5.3.5 et seq. for details.
    >
    > 1812 Requirements for IP Version 4 Routers. F. Baker, Ed.. June 1995.
    > (Format: TXT=415740 bytes) (Obsoletes RFC1716, RFC1009) (Updated
    > by RFC2644) (Status: PROPOSED STANDARD)
    >
    > The "routers" normally found in the home behave differently, because
    > they are not routers in the classic sense. In many cases, they are
    > doing port/IP translating, such that you have a non-routable (RFC1918)
    > address on your side, and can have multiple systems that appear on
    > the Internet as one. In other cases, they are behaving more like
    > Ethernet switches, separating traffic (collision domains) between the
    > ISP side and your system[s]. On Monday, you asked this question in
    > the thread "Do MAC addresses go to internet?", and in my response
    > (Message-Id: ) I suggested
    > trying to use a packet sniffer to see what's on your wires. Did this
    > not work?
    >


    I did not find any MAC addresses belonging to machines other than the ones
    that should be on the LAN, so I guess I'm safe. But seriously, I shouldn't
    have to take into account that some routers DON'T act like routers. Routers
    should be routers and conform to every letter in the RFCs.

    >> and thus broadcasts from the WAN side shouldn't be forwarded to the LAN
    >> or does that in general only occurs in the reverse (eg from LAN -> WAN) ?

    >


    This was a dumb question, I know: NO broadcasts should be forwarded,
    and direction is irrelevant, but I was fishing about the poster's
    idea of router functionality.

    > The only time a "router" should forward broadcasts (other than DHCP
    > requests when the router is configured as a DHCP Relay Agent - see
    > RFC1542 et seq.) is when it is not acting as a classic router per
    > RFC1812. ARP packets are not forwarded by such routers, because the
    > Ethernet concept doesn't need the "end" MAC address, but it DOES need
    > the MAC address of the "next hop". As far as ARP is concerned, the only
    > time an ARP request is forwarded is in Proxy-ARP where the "router" is
    > attempting to make it appear that a system on a separate interface but
    > using the same IP range is on the local network wire. See the
    > "Proxy-ARP-Subnet" mini-howto
    >
    > -rw-rw-r-- 1 gferg ldp 19372 Aug 28 2000 Proxy-ARP-Subnet
    >
    > for additional details.
    >
    > Old guy


    I've seen this behaviour (e.g. MAC next hop) in packets but I've never had
    somebody explain the reason for it so briefly and beautifully. Thanks.

  9. Re: ARP packets usage

    On Fri, 26 Oct 2007, in the Usenet newsgroup comp.os.linux.networking, in
    article <4721c67f$0$29248$ba620e4c@news.skynet.be>, goarilla wrote:

    >Moe Trin wrote:


    >> The "routers" normally found in the home behave differently, because
    >> they are not routers in the classic sense. In many cases, they are
    >> doing port/IP translating, such that you have a non-routable (RFC1918)
    >> address on your side, and can have multiple systems that appear on
    >> the Internet as one. In other cases, they are behaving more like
    >> Ethernet switches, separating traffic (collision domains) between the
    >> ISP side and your system[s]. On Monday, you asked this question in
    >> the thread "Do MAC addresses go to internet?", and in my response
    >> (Message-Id: ) I suggested
    >> trying to use a packet sniffer to see what's on your wires. Did this
    >> not work?

    >
    >i did not found any MAC adresses belonging to machines other than the
    >ones that should be on the LAN so i guess i'm safe.


    From that particular problem - yes. I have three connections in my
    house, and all have "routers" with the manufacturers labels covered by
    a label from the telephone company - they sorta look like Speedstream
    Bridge/Modems from 'Efficient Networks', but I can't be sure. I most
    definitely see MAC addresses from other hardware.

    >but seriously i shouldn't have to take into account that some routers
    >DON'T act like routers. Routers should be routers and conform to every
    >letter in the rfc's


    Tell that to the marketing departments - both of the manufacturers such
    as Alcatel, Efficient Networks, Westell (and others), and to the ISP.
    Remember, we don't want to confuse the customers with big words such as
    'bridge' and 'switch' which have meanings normally associated with them
    from completely different venues.

    >> ARP packets are not forwarded by such routers, because the Ethernet
    >> concept doesn't need the "end" MAC address, but it DOES need the MAC
    >> address of the "next hop". As far as ARP is concerned, the only
    >> time an ARP request is forwarded is in Proxy-ARP where the "router"
    >> is attempting to make it appear that a system on a separate interface
    >> but using the same IP range is on the local network wire.


    >i've seen this behaviour (eg MAC next hop) in packets but i've never had
    >somebody explain the reason for this so short and beautifully thanks


    People tend to forget that Ethernet links can carry a large number of
    protocols besides IP, or even that there are different types of Ethernet
    frames to begin with. _ALL_ packets on Ethernet links are using MAC
    addresses for source and destination. Look at the two octet 'Type'
    field (counting from zero, octets 12 and 13 in RFC0894 frames, 20 and
    21 in RFC1042 frames). While this allows for 65536 types, only roughly
    180 are defined (http://www.iana.org/assignments/ethernet-numbers).
    This basically rules out moving packets over Ethernet by any other
    means. The protocol at this level is only concerned with moving
    packets between "directly" connected (I quote the word because the
    media between the hosts is not important - this could be wire, fiber,
    wireless of some form, or wet string) hosts. Hosts not "directly"
    connected are handled by higher levels in the networking stack, no
    matter if the packet contains an IP datagram, some form of Appletalk,
    Novell IPX, or some ancient thing like Banyan Vines, or Xerox XNS
    (all of which are routable, given appropriately configured routers).

    Old guy

  10. Re: ARP packets usage

    Philippe Signoret wrote:
    > I ran Ethereal and captured all packets for 1 minute and 49 seconds.
    > These are the results I got:


    > -------------------
    > Total 503


    > TCP 353 70.2%
    > UDP 15 3.0%
    > ICMP 13 2.6%
    > ARP 122 24.3%


    > Running time: 00:01:49
    > --------------------


    > Is this a normal ARP packet percentage? It seems a bit high to me.


    I don't know about the percentages, but will point-out that ARP
    requests, since they are sent as broadcast frames, will be seen by all
    stations in the broadcast domain. TCP, UDP and most ICMP will be
    point-to-point, so unless you are sniffing on the equivalent of a hub
    rather than a switch you may not be getting the full story about what
    is on your network overall.

    rick jones
    --
    The glass is neither half-empty nor half-full. The glass has a leak.
    The real question is "Can it be patched?"
    these opinions are mine, all mine; HP might not want them anyway...
    feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...

  11. Re: ARP packets usage

    On Oct 30, 2:53 am, Rick Jones wrote:
    > Philippe Signoret wrote:
    > > I ran Ethereal and captured all packets for 1 minute and 49 seconds.
    > > These are the results I got:
    > > -------------------
    > > Total 503
    > > TCP 353 70.2%
    > > UDP 15 3.0%
    > > ICMP 13 2.6%
    > > ARP 122 24.3%
    > > Running time: 00:01:49
    > > --------------------
    > > Is this a normal ARP packet percentage? It seems a bit high to me.

    >
    > I don't know about the percentages, but will point-out that ARP
    > requests, since they are sent as broadcast frames, will be seen by all
    > stations in the broadcast domain. TCP, UDP and most ICMP will be
    > point-to-point, so unless you are sniffing on the equivalent of a hub
    > rather than a switch you may not be getting the full story about what
    > is on your network overall.
    >
    > rick jones
    > --
    > The glass is neither half-empty nor half-full. The glass has a leak.
    > The real question is "Can it be patched?"
    > these opinions are mine, all mine; HP might not want them anyway...
    > feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...


    Sure, you are right, man. For the person that asked about ARP from the
    beginning: you can work without ARP packets, and there are ways to
    disable it. I do this sometimes for security reasons so nobody can
    sniff inside the LAN: just configure your machines with static ARP
    and your hosts will not need to send ARP packets anymore. I also do
    this inside insecure networks to disable netcut and the other
    applications that some dumb users use to bother other users and cut
    their Internet connections. If you need help on how to set the static
    ARP entries on both Windows and Linux, just ask; it's very easy, you
    will do it just one time, and the hosts will repeat this when booting,
    so later you will not have to reconfigure anything, except in one
    case: if you later change the IPs or the LAN cards of your hosts.


  12. Re: ARP packets usage

    I'm not sure that would be the best idea, since three of the six
    computers are laptops with dynamic IPs.

    Thanks,
    Philippe

    On Oct 30, 5:23 am, habibielwa7id wrote:
    > On Oct 30, 2:53 am, Rick Jones wrote:
    >
    >
    >
    > > Philippe Signoret wrote:
    > > > I ran Ethereal and captured all packets for 1 minute and 49 seconds.
    > > > These are the results I got:
    > > > -------------------
    > > > Total 503
    > > > TCP 353 70.2%
    > > > UDP 15 3.0%
    > > > ICMP 13 2.6%
    > > > ARP 122 24.3%
    > > > Running time: 00:01:49
    > > > --------------------
    > > > Is this a normal ARP packet percentage? It seems a bit high to me.

    >
    > > I don't know about the percentages, but will point-out that ARP
    > > requests, since they are sent as broadcast frames, will be seen by all
    > > stations in the broadcast domain. TCP, UDP and most ICMP will be
    > > point-to-point, so unless you are sniffing on the equivalent of a hub
    > > rather than a switch you may not be getting the full story about what
    > > is on your network overall.

    >
    > > rick jones
    > > --
    > > The glass is neither half-empty nor half-full. The glass has a leak.
    > > The real question is "Can it be patched?"
    > > these opinions are mine, all mine; HP might not want them anyway...
    > > feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...

    >
    > Sure, you are right, man. For the person that asked about ARP from the
    > beginning: you can work without ARP packets, and there are ways to
    > disable it. I do this sometimes for security reasons so nobody can
    > sniff inside the LAN: just configure your machines with static ARP
    > and your hosts will not need to send ARP packets anymore. I also do
    > this inside insecure networks to disable netcut and the other
    > applications that some dumb users use to bother other users and cut
    > their Internet connections. If you need help on how to set the static
    > ARP entries on both Windows and Linux, just ask; it's very easy, you
    > will do it just one time, and the hosts will repeat this when booting,
    > so later you will not have to reconfigure anything, except in one
    > case: if you later change the IPs or the LAN cards of your hosts.




  13. Re: ARP packets usage

    On Oct 30, 3:59 pm, Philippe Signoret
    wrote:
    > I'm not sure that would be the best idea, since Three of the six
    > computers are laptops with dynamic IPs.
    >
    > Thanks,
    > Philippe
    >
    > On Oct 30, 5:23 am, habibielwa7id wrote:
    >
    > > On Oct 30, 2:53 am, Rick Jones wrote:

    >
    > > > Philippe Signoret wrote:
    > > > > I ran Ethereal and captured all packets for 1 minute and 49 seconds.
    > > > > These are the results I got:
    > > > > -------------------
    > > > > Total 503
    > > > > TCP 353 70.2%
    > > > > UDP 15 3.0%
    > > > > ICMP 13 2.6%
    > > > > ARP 122 24.3%
    > > > > Running time: 00:01:49
    > > > > --------------------
    > > > > Is this a normal ARP packet percentage? It seems a bit high to me.

    >
    > > > I don't know about the percentages, but will point-out that ARP
    > > > requests, since they are sent as broadcast frames, will be seen by all
    > > > stations in the broadcast domain. TCP, UDP and most ICMP will be
    > > > point-to-point, so unless you are sniffing on the equivalent of a hub
    > > > rather than a switch you may not be getting the full story about what
    > > > is on your network overall.

    >
    > > > rick jones
    > > > --
    > > > The glass is neither half-empty nor half-full. The glass has a leak.
    > > > The real question is "Can it be patched?"
    > > > these opinions are mine, all mine; HP might not want them anyway...
    > > > feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...

    >
    > > Sure, you are right, man. For the person that asked about ARP from the
    > > beginning: you can work without ARP packets, and there are ways to
    > > disable it. I do this sometimes for security reasons so nobody can
    > > sniff inside the LAN: just configure your machines with static ARP
    > > and your hosts will not need to send ARP packets anymore. I also do
    > > this inside insecure networks to disable netcut and the other
    > > applications that some dumb users use to bother other users and cut
    > > their Internet connections. If you need help on how to set the static
    > > ARP entries on both Windows and Linux, just ask; it's very easy, you
    > > will do it just one time, and the hosts will repeat this when booting,
    > > so later you will not have to reconfigure anything, except in one
    > > case: if you later change the IPs or the LAN cards of your hosts.


    OK man, we just tried to help, and I think now you know more about
    ARP, and that alone is enough. It's very nice when we learn new things
    every day.
    Regards


  14. Re: ARP packets usage


    habibielwa7id wrote:

    [snipped]

    > Sure, you are right, man. For the person that asked about ARP from the
    > beginning: you can work without ARP packets, and there are ways to
    > disable it. I do this sometimes for security reasons so nobody can
    > sniff inside the LAN: just configure your machines with static ARP
    > and your hosts will not need to send ARP packets anymore. I also do
    > this inside insecure networks to disable netcut and the other
    > applications that some dumb users use to bother other users and cut
    > their Internet connections. If you need help on how to set the static
    > ARP entries on both Windows and Linux, just ask; it's very easy, you
    > will do it just one time, and the hosts will repeat this when booting,
    > so later you will not have to reconfigure anything, except in one
    > case: if you later change the IPs or the LAN cards of your hosts.


    Nice idea. To prevent sniffing and ARP poisoning, disabling ARP altogether is
    cool, and letting machines have static ARP entries for their neighbours. But I
    don't think it will work on an unmanaged switch. Or broadcasts and multicasts
    (since a couple of unmanaged switches treat multicast as broadcast) have to be
    banned altogether. What do you think? What else is needed to have this kind of
    setup working on an unmanaged switch?

    TIA
    --
    Ashish Shukla
    http://wahjava.wordpress.com/

  15. Re: ARP packets usage

    On Oct 24, 4:37 pm, Philippe Signoret
    wrote:
    > I ran Ethereal and captured all packets for 1 minute and 49 seconds.
    > These are the results I got:
    >
    > -------------------
    > Total 503
    >
    > TCP 353 70.2%
    > UDP 15 3.0%
    > ICMP 13 2.6%
    > ARP 122 24.3%
    >
    > Running time: 00:01:49
    > --------------------
    >
    > Is this a normal ARP packet percentage? It seems a bit high to me.
    >
    > Thanks,
    > Philippe Signoret West


    It seems somewhat reasonable, because all of your TCP activity should
    require a substantial amount of address resolution.


  16. Re: ARP packets usage

    In article <1194489659.099456.200960@57g2000hsv.googlegroups.com>, Steven Borrelli wrote:
    >On Oct 24, 4:37 pm, Philippe Signoret
    >wrote:
    >> I ran Ethereal and captured all packets for 1 minute and 49 seconds.
    >> These are the results I got:
    >>
    >> -------------------
    >> Total 503
    >>
    >> TCP 353 70.2%
    >> UDP 15 3.0%
    >> ICMP 13 2.6%
    >> ARP 122 24.3%
    >>
    >> Running time: 00:01:49
    >> --------------------
    >>
    >> Is this a normal ARP packet percentage? It seems a bit high to me.
    >>
    >> Thanks,
    >> Philippe Signoret West

    >
    >It seems somewhat reasonable, because all of your TCP activity should
    >require a substantial amount of address resolution


    Seems way too high.


  17. Re: ARP packets usage

    On Oct 31, 9:07 pm, Ashish wrote:
    >
    > habibielwa7id wrote:
    >
    > [snipped]
    >
    > > Sure, you are right, man. For the person that asked about ARP from the
    > > beginning: you can work without ARP packets, and there are ways to
    > > disable it. I do this sometimes for security reasons so nobody can
    > > sniff inside the LAN: just configure your machines with static ARP
    > > and your hosts will not need to send ARP packets anymore. I also do
    > > this inside insecure networks to disable netcut and the other
    > > applications that some dumb users use to bother other users and cut
    > > their Internet connections. If you need help on how to set the static
    > > ARP entries on both Windows and Linux, just ask; it's very easy, you
    > > will do it just one time, and the hosts will repeat this when booting,
    > > so later you will not have to reconfigure anything, except in one
    > > case: if you later change the IPs or the LAN cards of your hosts.

    >
    > Nice idea. To prevent sniffing and ARP poisoning, disabling ARP altogether is
    > cool, and letting machines have static ARP entries for their neighbours. But I
    > don't think it will work on an unmanaged switch. Or broadcasts and multicasts
    > (since a couple of unmanaged switches treat multicast as broadcast) have to be
    > banned altogether. What do you think? What else is needed to have this kind of
    > setup working on an unmanaged switch?
    >
    > TIA
    > --
    > Ashish Shukla
    > http://wahjava.wordpress.com/


    - I am not sure whether unmanaged switches treat multicast as broadcast,
    and if so, they will not treat unicast like broadcast, or they would act
    as a normal hub and not a switch. Some switches accept an option to do so,
    if you want to sniff to debug a problem inside the LAN, for example.
    But the problem with unmanaged switches is that they can be fooled with ARP
    poisoning, and that isn't the case with a managed switch, which you can
    configure to map every port to a specific MAC address. If anybody
    doesn't know how the netcut application works, it's easy: netcut version
    1 attacked the ARP cache of your host to put in it a faked MAC address
    for your gateway, and since the ARP protocol isn't secured enough, your
    host would accept the faked packet and would not reach its gateway. The
    solution was simple, and it's just to define the MAC address of your
    gateway in your PC's ARP cache statically, like

    in the Windows case: arp -s 192.168.1.1 00-11-33-44-55-66
    in the Linux case:   arp -s 192.168.1.1 00:11:22:33:44:55

    - But netcut version 2 complicated the task when people were able to
    fight its attack: it poisons in two ways. It poisons the client's ARP
    cache to give it a faked gateway MAC address, and the gateway also, so
    it has a faked MAC address for your host; so your gateway will not be
    able to reach your host and vice versa. So the only solution here is to
    configure both sides with static ARP entries, or use managed switches
    and use their static ARP entries feature, and say goodbye to any ARP
    poisoning attack.
    For sure, nobody will be able to poison your connection inside the LAN,
    if they try to use any application that sniffs by using ARP poisoning,
    if you use static ARP entries. But to be more accurate, there is a way to
    do so with some more capable sniffers that depend on ARP; I tried many
    of them, and they use similar techniques. So the best solution here is
    to use configured switches with every port having its static MAC
    address. By the way, there are ways to detect whether any host inside
    the LAN does any kind of ARP poisoning or attacks, and later we can talk
    about it. And beware that some Windows viruses poison the LAN with a
    faked MAC address to halt the whole LAN and prevent any host from
    reaching its gateway and the Internet; if you monitor the LAN at this
    time you will find that there are 2 gateways inside the LAN and not only
    1. Its solution is to use static ARP on both sides, your gateway and
    your clients, or to use configured switches.
    I think you didn't ask about all of what I said, but I thought maybe
    somebody could use this information in some good way. My English isn't
    perfect yet, but I try to do my best.
    Regards,
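
The symptoms this last post describes (a second MAC answering for the gateway, "is-at" replies that nobody asked for) and the static-ARP mitigation it and message 11 recommend can be checked mechanically from a capture. The following is an added Python example, not code from the thread: it takes a constructed list of ARP events (the request/reply pair decoded in message 7, a legitimate lookup of the gateway, and a made-up netcut-style poison reply), and flags replies that contradict a pinned gateway entry, IPs claimed by more than one MAC, and replies with no matching request. The gateway MAC 00:11:22:33:44:55, the attacker MAC de:ad:be:ef:00:01, the two-second window and all function names are the example's own assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpEvent:
    """One ARP packet as seen on the wire (timestamps in seconds)."""
    t: float
    oper: str      # "request" or "reply"
    spa: str       # sender IP
    sha: str       # sender MAC
    tpa: str       # target IP
    tha: str       # target MAC (all zeros in a request)


# The static ARP entry the thread recommends for the gateway. Placeholder MAC.
PINNED = {"192.168.1.1": "00:11:22:33:44:55"}

# Constructed capture (not from the original posts): the request/reply pair
# from message 7, a legitimate lookup of the gateway, then a netcut-style
# poison reply from a second MAC that nobody asked for.
SAMPLE = [
    ArpEvent(0.00, "request", "192.168.1.17",  "00:20:af:57:d1:29", "192.168.1.102", "00:00:00:00:00:00"),
    ArpEvent(0.01, "reply",   "192.168.1.102", "08:00:20:c2:e3:14", "192.168.1.17",  "00:20:af:57:d1:29"),
    ArpEvent(1.00, "request", "192.168.1.17",  "00:20:af:57:d1:29", "192.168.1.1",   "00:00:00:00:00:00"),
    ArpEvent(1.01, "reply",   "192.168.1.1",   "00:11:22:33:44:55", "192.168.1.17",  "00:20:af:57:d1:29"),
    ArpEvent(5.00, "reply",   "192.168.1.1",   "de:ad:be:ef:00:01", "192.168.1.17",  "00:20:af:57:d1:29"),
]


def analyze(events, pinned=PINNED, unsolicited_window=2.0):
    """Return a list of (kind, ip, detail) alerts for suspicious ARP replies.

    kind is one of:
      pinned-mismatch    a reply claims a pinned IP with the wrong MAC
      duplicate-ip       more than one MAC has claimed the same IP ("2 gateways")
      unsolicited-reply  no request for this IP from the target within the
                         window; gratuitous ARP from a booting host also trips
                         this, so treat it as weaker than the other two
    """
    alerts = []
    pending = {}                  # (asker IP, asked IP) -> time of the request
    claimants = defaultdict(set)  # IP -> set of MACs that have said "is-at"
    for ev in sorted(events, key=lambda e: e.t):
        if ev.oper == "request":
            pending[(ev.spa, ev.tpa)] = ev.t
            continue
        if ev.oper != "reply":
            continue
        ip, mac = ev.spa, ev.sha.lower()
        if ip in pinned and pinned[ip].lower() != mac:
            alerts.append(("pinned-mismatch", ip, mac))
        claimants[ip].add(mac)
        if len(claimants[ip]) > 1:
            alerts.append(("duplicate-ip", ip, sorted(claimants[ip])))
        # A genuine reply answers a request the target sent for this IP.
        asked_at = pending.pop((ev.tpa, ip), None)
        if asked_at is None or ev.t - asked_at > unsolicited_window:
            alerts.append(("unsolicited-reply", ip, mac))
    return alerts


def gateways_seen(events, gateway_ip="192.168.1.1"):
    """MACs that have answered for the gateway; a healthy LAN shows exactly one."""
    return sorted({e.sha.lower() for e in events
                   if e.oper == "reply" and e.spa == gateway_ip})


if __name__ == "__main__":
    for alert in analyze(SAMPLE):
        print(*alert)
    print("gateway MACs seen:", gateways_seen(SAMPLE))
```

On the four legitimate events the detector is silent; the fifth trips all three rules at once, which is the pattern to look for. Pinning alone (the `arp -s` approach) protects the host's own cache; the duplicate-IP rule is what reveals that somebody is still trying, and it is the observation the post makes about seeing "2 gateways" on the LAN.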

