
We're seeing some suspicious network activity, and when I was trying to see if it was one particular server of ours I ran a Wireshark trace. I noted a lot of ARP packets asking who has x.x.x.x, but all being told to tell different addresses. In the past I've only seen the "tell" to be a single host - for example a DHCP server.

As you can see from the screenshot, there are only a few IPs being asked for, but the system to tell varies a lot. It's like all devices on the network are trying to find out who 10.10.0.40 (and a couple of others) is.

[Screenshot: Wireshark capture showing repeated ARP "Who has ... Tell ..." requests]

Cylindric
  • So what's at 10.10.0.40? – Michael Hampton Jun 04 '13 at 16:33
  • Giving away a list of MAC addresses of people's machines without asking for their permission is a felony in some countries. And it's not a good idea anyway. – BatchyX Jun 04 '13 at 16:59
  • It seems strange to me that (at least) most of the systems repeat their requests after such a short time. Is the target system down? You may filter for the ARP traffic only. – Hauke Laging Jun 04 '13 at 17:40
  • @BatchyX, citation needed. If that is a felony it is a stupid one. For the most part MAC addresses do not leave the local network. If I give you my MAC address (`00:0d:b9:24:78:f5`) there is nothing particularly useful you can do with it. – Zoredache Jun 04 '13 at 17:56
  • @Zoredache Funny, that was my MAC too, but then I changed it back. – Captain Giraffe Jun 04 '13 at 21:23
  • @Zoredache: In my country, it's even a felony to keep a list of them without asking the authorities for permission (art 226-16), and publishing them can put you in jail for 3 years (5 if it was deliberate). And the only reason MAC addresses do not leave the local network is that when they do, people get pissed off and then someone designs protocols to avoid it (ever heard of IPv6 privacy extensions?). And if those MACs come from personal laptops, you can identify people when they move. And let's not mention wireless. – BatchyX Jun 04 '13 at 22:18
  • Let's just say I randomised them all for the sake of example, and leave it at that. – Cylindric Jun 05 '13 at 08:07
  • Well, your randomized example uses globally unique addresses. You should use locally administered addresses when generating them randomly. – BatchyX Jun 07 '13 at 07:39
  • Luck of the random draw. Pure coincidence that they look like real MACs. Doesn't matter anyway, I'm not in a territory where this matters. – Cylindric Jun 07 '13 at 09:40

3 Answers


This is normal, especially if whatever is at 10.10.0.40 is turned off or disconnected. For example, if 10.10.0.40 is a DNS server and everyone is configured to use it as their primary DNS server, then you will get a lot of machines asking for that address. But since it's not on, they will ask a lot and get no response.

longneck
  • Most definitely the case, as some MAC addresses do more than one query. – BatchyX Jun 04 '13 at 17:07
  • I just checked, and .40 belongs to a printer that hasn't been here since before I started. I guess everyone's machines still have that printer mapped, and Windows is constantly trying to find it. – Cylindric Jun 05 '13 at 08:08
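As an added example (not code from any of the answers here), a small Python script that summarises Wireshark's ARP Info column the way this answer reasons about it: one target asked for by many different hosts, with repeats and no "is at" reply anywhere in the capture, is the stale-shared-resource pattern rather than anything one machine is doing. The sample lines and all addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of Wireshark's ARP "Info" column (addresses are made up).
SAMPLE_ARP_INFO = """\
Who has 10.10.0.40? Tell 10.10.0.11
Who has 10.10.0.40? Tell 10.10.0.12
Who has 10.10.0.40? Tell 10.10.0.11
Who has 10.10.0.40? Tell 10.10.0.13
Who has 10.10.0.1? Tell 10.10.0.12
10.10.0.1 is at 00:00:5e:00:53:01
Who has 10.10.0.40? Tell 10.10.0.14
"""

REQUEST_RE = re.compile(r"Who has (\S+)\? Tell (\S+)")
REPLY_RE = re.compile(r"(\S+) is at ([0-9A-Fa-f:]{17})")


def summarize_arp(text):
    """Group ARP requests by target IP: which hosts asked, how many requests
    were seen, and whether any reply for that target appears in the capture."""
    stats = defaultdict(lambda: {"requesters": set(), "requests": 0, "answered": False})
    for line in text.splitlines():
        req = REQUEST_RE.search(line)
        if req:
            target, asker = req.groups()
            stats[target]["requesters"].add(asker)
            stats[target]["requests"] += 1
            continue
        rep = REPLY_RE.search(line)
        if rep:
            stats[rep.group(1)]["answered"] = True
    return dict(stats)


def classify(stats, min_requesters=3):
    """Label each target. Many distinct requesters and no reply is the benign
    'everyone still points at a host that is gone' case from the question;
    a target that gets a reply is simply being resolved normally."""
    labels = {}
    for target, s in stats.items():
        if s["answered"]:
            labels[target] = "resolved"
        elif len(s["requesters"]) >= min_requesters:
            labels[target] = "unanswered-shared-resource"
        else:
            labels[target] = "unanswered"
    return labels
```

Feed it the Info column exported from Wireshark (filter `arp`, then File > Export Packet Dissections > As Plain Text) to get the same per-target view over a real capture.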

That doesn't look out of the ordinary to me, assuming that your 10.10.0.40 address belongs to a server / printer / other shared resource and your users are on the same subnet & switch.

Tim Brigham

As suggested by Tim Brigham, this is not out of the ordinary. The devices are doing ARP requests to get the MAC address (layer 2 address) for the 10.10.0.40 address. By having the MAC address, the hosts will be able to connect to it directly, without having to include a layer 3 hop.

For example, if all hosts are on the same subnet and same switch, the machines can connect to 10.10.0.40 without going to a router first (which is necessary for connections on a different network).

emynd