ARP problems caused by the DELL R410 remote-management IP

The arpwatch command tracks Ethernet (MAC) address to IP address pairings and reports changes by e-mail and to syslog. It uses pcap to listen for ARP packets on the local interface.
Options

-d output debugging information (also stays in the foreground and writes reports to stderr instead of mailing them)
-N disable reporting of bogons
-f <file> the Ethernet/IP address database file to use (default arp.dat)
-i <interface> the interface to listen on
-n <net/width> specify an additional local network (may be repeated)
-r <file> do not listen on the network; read ARP records from a pcap savefile instead
-u <user> drop privileges to this user (and group)
-e <address> send mail to this address instead of the default root
-s <address> use this address as the mail return address instead of the default root

[Report messages]

ethernet broadcast: the host's MAC address is a broadcast address
ip broadcast: the host's IP address is a broadcast address
bogon: the source IP address is not on the local subnet (judged against the address and netmask of the interface arpwatch listens on, plus any networks given with -n)
ethernet mismatch: the source MAC address in the Ethernet header does not match the sender hardware address inside the ARP packet
reused old ethernet address: the MAC address for an IP has changed back to an address recorded for it earlier (an older one than the immediately previous address, which would be reported as a flip flop)
suppressed DECnet flip flop: a flip flop report was suppressed because one of the two addresses is a DECnet address

Local LAN: 192.168.0.0/24
Server: Dell R410
OS: CentOS 5.x / CentOS 6.x

Start arpwatch (with no options it listens on the first non-loopback interface pcap finds; use -i to pick the internal one):
# arpwatch

# tail -f /var/log/messages

Apr 1 11:58:06 c1g arpwatch: bogon 192.168.0.120 0:62:b9:5c:a4:41
Apr 1 11:58:11 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:3d:37:62
Apr 1 11:58:23 c1g arpwatch: bogon 192.168.0.283 83:22:d6:a1:ad:31
Apr 1 11:58:29 c1g arpwatch: new station 220.188.155.1 0:23:e2:e1:ff:82
Apr 1 11:58:29 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:49:bc:79
Apr 1 11:58:31 c1g arpwatch: bogon 192.168.0.120 c4:ca:d9:b6:4f:8
Apr 1 11:58:33 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:3:ef:30
Apr 1 11:58:37 c1g arpwatch: bogon 192.168.0.120 0:62:b9:5c:a4:41
Apr 1 11:58:41 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:3d:37:62
Apr 1 11:58:59 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:49:bc:79
Apr 1 11:59:04 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:3:ef:30
Apr 1 11:59:07 c1g arpwatch: bogon 192.168.0.120 0:62:b9:5c:a4:41
Apr 1 11:59:11 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:3d:37:62

bogon means the source IP address is not on the local subnet.
Note that arpwatch decides what is "local" from the interface it listens on, not from what you consider the LAN: the new station report for 220.188.155.1 suggests it was started on the public-facing interface here, so 192.168.0.120 counts as foreign to that interface even though it falls inside 192.168.0.0/24. To watch the internal side, start it with -i eth1 or add -n 192.168.0.0/24.
On several machines the logs show multiple MAC addresses claiming 192.168.0.120.
I never configured 192.168.0.120 anywhere.
Oddly, the MACs are always the same handful, which does not look like an ARP attack (a spoofing tool would usually pair one attacker MAC with the gateway or victim IP, or cycle through random addresses, rather than keep reusing five fixed ones).

Apr 1 11:58:31 c1g arpwatch: bogon 192.168.0.120 c4:ca:d9:b6:4f:8
Apr 1 11:58:59 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:49:bc:79
Apr 1 11:59:04 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:3:ef:30
Apr 1 11:59:07 c1g arpwatch: bogon 192.168.0.120 0:62:b9:5c:a4:41
Apr 1 11:59:11 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:3d:37:62

Comparing carefully, each MAC address in the log differs by one from the MAC of the eth1 interface in use on one of the servers.
That recalled that one of the R410s on hand seemed to show 192.168.0.120 during boot.
Checking the documentation: the default IP address of Dell's remote-management controller (iDRAC/BMC) is 192.168.0.120, and the controller uses its own MAC address adjacent to the host NIC's, which explains both the fixed IP and the off-by-one MACs. Every R410 still on factory remote-management settings announces the same address, so a rack of them produces exactly this pattern: one IP claimed by many MACs, each one step from a server NIC.
Tested right away: during boot, at the SAS prompt, press Ctrl+C to enter the configuration utility, go to IP management and set it to disabled. (On Dell servers of this generation the remote-access setup is usually reached with Ctrl+E at the POST prompt; the sequence above is what worked on this R410.)
After the next boot that MAC address was gone, which confirms the diagnosis.
Rather than leaving an unconfigured management controller answering on a production LAN, either disable it as above or give each one a unique address on a dedicated management network; an unmanaged BMC reachable from the server LAN is an exposure in its own right, not just a source of ARP noise.
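To do this check systematically rather than by eye, here is an added Python example (not part of the original post): it parses arpwatch syslog lines, skips malformed entries, lists every IP claimed by more than one MAC, and for each MAC looks for a known server NIC whose address is one step away, which is the fingerprint of a BMC sharing its host's MAC block. The sample log lines are taken from the /var/log/messages output above (the malformed 192.168.0.283 entry is kept on purpose to exercise the parser); the KNOWN_NICS inventory and its hostnames and MAC values are constructed for the example and are assumptions.

```python
"""Summarise arpwatch syslog output.

Added example, not code from the original post. Reports IPs claimed by
more than one MAC and checks whether each MAC sits next to a known host
NIC, the pattern a BMC/iDRAC left on its factory default IP produces.
"""
import ipaddress
import re
from collections import defaultdict

# arpwatch syslog line, e.g.
#   Apr 1 11:58:06 c1g arpwatch: bogon 192.168.0.120 0:62:b9:5c:a4:41
EVENT_RE = re.compile(
    r"arpwatch: (?P<event>new station|bogon|flip flop|changed ethernet address"
    r"|reused old ethernet address|new activity) (?P<ip>\S+) (?P<mac>[0-9a-fA-F:]+)"
)


def normalize_mac(mac):
    """arpwatch prints MACs without zero padding (0:62:b9:5c:a4:41); pad each octet."""
    parts = mac.lower().split(":")
    if len(parts) != 6:
        raise ValueError("bad MAC: %s" % mac)
    return ":".join("%02x" % int(p, 16) for p in parts)


def mac_to_int(mac):
    return int(normalize_mac(mac).replace(":", ""), 16)


def parse_events(lines):
    """Yield (event, ip, mac) for well-formed lines; skip malformed IPs or MACs."""
    for line in lines:
        m = EVENT_RE.search(line)
        if not m:
            continue
        try:
            ip = str(ipaddress.ip_address(m.group("ip")))  # rejects e.g. 192.168.0.283
            mac = normalize_mac(m.group("mac"))
        except ValueError:
            continue
        yield m.group("event"), ip, mac


def macs_per_ip(lines):
    """Map each IP seen in the log to the set of MACs that claimed it."""
    seen = defaultdict(set)
    for _, ip, mac in parse_events(lines):
        seen[ip].add(mac)
    return dict(seen)


def contended_ips(lines):
    """IPs claimed by more than one MAC: either ARP spoofing or duplicate configuration."""
    return {ip: macs for ip, macs in macs_per_ip(lines).items() if len(macs) > 1}


def adjacent_nic(mac, known_nics, max_delta=1):
    """Name of the known NIC sharing mac's OUI and lying within max_delta of it, else None."""
    target = mac_to_int(mac)
    for name, nic in known_nics.items():
        n = mac_to_int(nic)
        if (n >> 24) == (target >> 24) and abs(n - target) <= max_delta:
            return name
    return None


def report(lines, known_nics):
    """For every contended IP: each claiming MAC -> adjacent known NIC (or None)."""
    return {
        ip: {mac: adjacent_nic(mac, known_nics) for mac in sorted(macs)}
        for ip, macs in contended_ips(lines).items()
    }


# Constructed sample: lines from the post's /var/log/messages, including the
# malformed 192.168.0.283 entry, which the parser must skip rather than crash on.
SAMPLE_LOG = [
    "Apr 1 11:58:06 c1g arpwatch: bogon 192.168.0.120 0:62:b9:5c:a4:41",
    "Apr 1 11:58:11 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:3d:37:62",
    "Apr 1 11:58:23 c1g arpwatch: bogon 192.168.0.283 83:22:d6:a1:ad:31",
    "Apr 1 11:58:29 c1g arpwatch: new station 220.188.155.1 0:23:e2:e1:ff:82",
    "Apr 1 11:58:29 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:49:bc:79",
    "Apr 1 11:58:31 c1g arpwatch: bogon 192.168.0.120 c4:ca:d9:b6:4f:8",
    "Apr 1 11:58:33 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:3:ef:30",
    "Apr 1 11:58:37 c1g arpwatch: bogon 192.168.0.120 0:62:b9:5c:a4:41",
]

# Assumed inventory of the servers' own eth1 MACs (hypothetical values; in practice
# collect them with `ip link` on each host).
KNOWN_NICS = {
    "srv1-eth1": "98:2b:cb:3d:37:61",
    "srv2-eth1": "00:62:b9:5c:a4:40",
}

if __name__ == "__main__":
    for ip, macs in report(SAMPLE_LOG, KNOWN_NICS).items():
        print("%s is claimed by %d MACs:" % (ip, len(macs)))
        for mac, nic in macs.items():
            print("  %s  %s" % (mac, "next to %s (BMC?)" % nic if nic else "no adjacent known NIC"))
```

A MAC that is one step from a known NIC and claims an address nobody configured is almost certainly that server's management controller; a MAC with no adjacent known NIC claiming the same IP still needs to be chased down, since that is what a real spoofer would look like in this report. The OUI comparison keeps a coincidental numeric neighbour from another vendor from being mistaken for a BMC.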
