Re: arp who-has? tell?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



ron wrote:
Hello,

My desktop computer, running fedora 8, software firewall on, selinux
on, dynamic dns, my ip adress is 98.203.6.135,
[email protected] is connected directly to
Comcast via a cable modem. I recently changed modems due to an
electrical storm. I noticed the new modems pc activity light blinks
continuously. This did not happen with the old modem. I read an
article about tcp dump and tried # /usr/sbin/tcpdump -nS > tcpdump.log
Here is part of tcpdump.log:

08:15:47.984724 arp who-has 71.206.79.141 tell 71.206.76.1
08:15:47.985081 arp who-has 98.203.1.140 tell 98.203.0.1
08:15:48.160197 arp who-has 76.110.184.13 tell 76.110.184.1
08:15:48.208245 arp who-has 66.229.170.141 tell 66.229.170.1
08:15:48.280100 arp who-has 98.203.0.91 tell 98.203.0.1
08:15:48.280552 arp who-has 98.203.0.92 tell 98.203.0.1
08:15:48.280868 arp who-has 98.203.0.93 tell 98.203.0.1
08:15:48.281164 arp who-has 98.203.0.94 tell 98.203.0.1
08:15:48.281591 arp who-has 98.203.0.95 tell 98.203.0.1
08:15:48.281998 arp who-has 98.203.0.96 tell 98.203.0.1
08:15:48.282696 arp who-has 98.203.0.97 tell 98.203.0.1
08:15:48.283852 arp who-has 98.203.0.99 tell 98.203.0.1
08:15:48.284338 arp who-has 98.203.0.100 tell 98.203.0.1
08:15:48.285053 arp who-has 98.203.0.101 tell 98.203.0.1
08:15:48.285399 arp who-has 98.203.2.181 tell 98.203.0.1
08:15:48.285699 arp who-has 98.203.0.102 tell 98.203.0.1
08:15:48.286154 arp who-has 98.203.0.103 tell 98.203.0.1
08:15:48.287382 arp who-has 98.203.0.105 tell 98.203.0.1
08:15:48.287780 arp who-has 98.203.0.106 tell 98.203.0.1
08:15:48.289626 arp who-has 98.203.0.109 tell 98.203.0.1
08:15:48.292039 arp who-has 65.34.210.47 tell 65.34.210.1
08:15:48.492036 arp who-has 76.110.191.29 tell 76.110.184.1
08:15:48.513075 arp who-has 66.229.170.86 tell 66.229.170.1
08:15:48.513366 IP 98.203.6.135.33433 > 68.87.74.162.domain: 63866+
PTR? 86.170.229.66.in-addr.arpa. (44)
08:15:48.552057 arp who-has 98.203.1.178 tell 98.203.0.1
08:15:48.567617 IP 68.87.74.162.domain > 98.203.6.135.33433: 63866 1/0/0 (93)
08:15:48.676102 arp who-has 66.229.170.31 tell 66.229.170.1
08:15:48.733381 arp who-has 98.203.3.181 tell 98.203.0.1
08:15:48.774378 arp who-has 76.110.185.155 tell 76.110.184.1
08:15:49.080792 arp who-has 71.206.77.81 tell 71.206.76.1
08:15:49.118336 arp who-has 98.46.109.240 tell 98.46.109.1
08:15:49.118731 IP 98.203.6.135.33433 > 68.87.74.162.domain: 184+ PTR?
240.109.46.98.in-addr.arpa. (44)
08:15:49.134683 IP 68.87.74.162.domain > 98.203.6.135.33433: 184
NXDomain 0/1/0 (132)
08:15:49.160092 arp who-has 76.110.187.17 tell 76.110.184.1
08:15:49.208825 arp who-has 76.110.189.58 tell 76.110.184.1
08:15:49.317184 arp who-has 65.34.210.47 tell 65.34.210.1
08:15:49.413014 arp who-has 98.203.2.162 tell 98.203.0.1
08:15:49.589418 arp who-has 76.110.184.13 tell 76.110.184.1
08:15:49.592161 arp who-has 98.203.5.98 tell 98.203.0.1
08:15:49.635103 arp who-has 76.110.185.232 tell 76.110.184.1
08:15:49.752062 arp who-has 65.34.211.67 tell 65.34.210.1
08:15:49.872395 arp who-has 98.203.3.153 tell 98.203.0.1
08:15:50.091724 arp who-has 98.203.0.111 tell 98.203.0.1
08:15:50.093236 arp who-has 98.203.0.114 tell 98.203.0.1
08:15:50.094008 arp who-has 98.203.0.115 tell 98.203.0.1
08:15:50.095170 arp who-has 98.203.0.117 tell 98.203.0.1
08:15:50.098236 arp who-has 98.203.0.118 tell 98.203.0.1
08:15:50.098577 arp who-has 98.203.0.120 tell 98.203.0.1
08:15:50.098876 arp who-has 98.203.0.121 tell 98.203.0.1
08:15:50.099178 arp who-has 98.203.0.122 tell 98.203.0.1
08:15:50.099480 arp who-has 98.203.0.123 tell 98.203.0.1
08:15:50.101209 arp who-has 98.203.0.125 tell 98.203.0.1
08:15:50.101561 arp who-has 98.203.0.126 tell 98.203.0.1
08:15:50.174306 arp who-has 76.110.186.255 tell 76.110.184.1
08:15:50.174588 IP 98.203.6.135.33433 > 68.87.74.162.domain: 32460+
PTR? 255.186.110.76.in-addr.arpa. (45)
08:15:50.190267 arp who-has 76.110.184.13 tell 76.110.184.1
08:15:50.206890 arp who-has 98.203.0.39 tell 98.203.0.1
08:15:50.220917 arp who-has 71.206.78.27 tell 71.206.76.1
08:15:50.224216 arp who-has 66.229.170.254 tell 66.229.170.1
08:15:50.228505 IP 68.87.74.162.domain > 98.203.6.135.33433: 32460 1/0/0 (95)
08:15:50.228984 IP 98.203.6.135.33433 > 68.87.74.162.domain: 22637+
PTR? 254.170.229.66.in-addr.arpa. (45)
08:15:50.281247 IP 68.87.74.162.domain > 98.203.6.135.33433: 22637 1/0/0 (95)
08:15:50.282044 arp who-has 76.110.189.110 tell 76.110.184.1
08:15:50.364382 arp who-has 98.46.109.90 tell 98.46.109.1
08:15:50.392168 arp who-has 76.110.189.56 tell 76.110.184.1
08:15:50.531449 arp who-has 98.203.7.246 tell 98.203.0.1
08:15:50.538798 arp who-has 98.35.105.247 tell 98.35.105.1
08:15:50.539099 IP 98.203.6.135.33433 > 68.87.74.162.domain: 62320+
PTR? 247.105.35.98.in-addr.arpa. (44)
08:15:50.539324 IP 98.203.6.135.traceroute > 68.87.74.162.domain:
3108+ PTR? 247.105.35.98.in-addr.arpa. (44)
08:15:50.568403 arp who-has 71.206.79.143 tell 71.206.76.1
08:15:50.591548 arp who-has 66.229.170.84 tell 66.229.170.1
08:15:50.593753 IP 68.87.74.162.domain > 98.203.6.135.33433: 62320
NXDomain 0/1/0 (132)

Is this normal? What does all this mean?
Imagine, you want to send me a letter. You stick it into an envelope and
write my address, "Greenmount, Western Australia, Australia" on the envelop.
Let us suppose you leave near Plains, Georgia, USA. You pop the letter
in the mail, and the local post office sorts it into the bag for Plains,
so now its external address might read "Plains, Georgia, USA."
The Plains PO takes it out of that bag, and pops it into another, maybe
addressed to San Franscisco International Mail Exchange.
SF takes it out and pops it into a bag that goes into the container for
Sydney, Australia.
And so it goes on to Perth, to Midland and Midland delivers it to my
letter box.
In a similar manner, network gets wrapped in envelopes (packets)
suitable for the next stage of the journey.
IP packets, that encapsulate UDP, TCP and some other IP protocols don't
go directly on the wire, they have to be wrapped in some lower-level
protocol's packets.
On an ordinary LAN, that's most probably ethernet packets.

When my desktop computer, IP address 192.168.9.131 wants to send IP traffic to another, say 192.168.9.4, then it sends out an _ethernet_ packet saying, in effect, "Oi, anyone got 192.168.9.4 -- tell 192.168.9.131 about it."
The ethernet packet is addressed to the ethernet broadcast address, and
its from the address contained in my NIC. You can find yours with the
ifconfig command.
If someone has 192.168.9.4, it sends back a packet addressed to my NIC
identifying itself, and then
1. I note it down in my notepad (but it's vanishing ink, it doesn't keep
well)
2. I send my IP traffic.

This sort of thing occurs over each section of the path across the Internet, with the IP packet being wrapped in whatever kind of packaging appropriate for the next stage.
You should be seeing broadcast ethernet traffic and traffic to/from
yourself. Any more and I'd wonder about security.


--

Cheers
John

-- spambait
[email protected]  [email protected]
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux