Skip to content


DELL R410远程管理ip引起的arp问题

arpwatch 命令: 跟踪以太网地址和IP地址配对情况,通过E-mail的形式报告当前的变化。arpwatch使用pcap来监听本网卡和ARP数据包
参数

-d 输出调试信息
-N 使报告不能正常进行
-f<文件> 监听的ARP记录
-i<网卡接口> 指定监听的网卡
-n 指定附加的本地网络
-r<文件> 不从网络上监听ARP信息,而是从文件中读取ARP的记录信息
-u 指定用户和用户组
-e 发送邮件给指定用户,非默认的root用户
-s 指定用户名作为返回地址,而不是默认的用户root

【系统报告信息】

ethernet broadcast :主机的MAC地址是广播地址
ip broadcast :主机的IP地址是广播地址
bogon :源IP地址不是本地子网地址
ethernet mismatch :源MAC地址与ARP数据包里面的地址不匹配
reused old ethernet address :MAC 地址发送变化
suppressed DECnet flip flop :禁止“flip flop”报告

本地的内网为192.168.0.0/24
服务器dell r410
系统centos5.x centos6.x

开启arpwatch
#arpwatch

#tail -f /var/log/messages

Apr 1 11:58:06 c1g arpwatch: bogon 192.168.0.120 0:62:b9:5c:a4:41
Apr 1 11:58:11 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:3d:37:62
Apr 1 11:58:23 c1g arpwatch: bogon 192.168.0.283 83:22:d6:a1:ad:31
Apr 1 11:58:29 c1g arpwatch: new station 220.188.155.1 0:23:e2:e1:ff:82
Apr 1 11:58:29 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:49:bc:79
Apr 1 11:58:31 c1g arpwatch: bogon 192.168.0.120 c4:ca:d9:b6:4f:8
Apr 1 11:58:33 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:3:ef:30
Apr 1 11:58:37 c1g arpwatch: bogon 192.168.0.120 0:62:b9:5c:a4:41
Apr 1 11:58:41 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:3d:37:62
Apr 1 11:58:59 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:49:bc:79
Apr 1 11:59:04 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:3:ef:30
Apr 1 11:59:07 c1g arpwatch: bogon 192.168.0.120 0:62:b9:5c:a4:41
Apr 1 11:59:11 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:3d:37:62

bogon 表示源IP地址不是本地子网地址
多台机器日志中都可以查到多个mac地址占用192.168.0.120
192.168.0.120这个ip我并没有配过
很奇怪的是mac就固定的这几个,不像是arp攻击

Apr 1 11:58:31 c1g arpwatch: bogon 192.168.0.120 c4:ca:d9:b6:4f:8
Apr 1 11:58:59 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:49:bc:79
Apr 1 11:59:04 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:3:ef:30
Apr 1 11:59:07 c1g arpwatch: bogon 192.168.0.120 0:62:b9:5c:a4:41
Apr 1 11:59:11 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:3d:37:62

仔细对比的日志中的mac地址和现用的eth1相差一位;
联想到手上的一台r410启动时好像出现过192.168.0.120这个ip;
查了下资料dell的远程管理ip地址默认为192.168.0.120;
立马测试了下,在启动到SAS后,按ctrl+c进入IP管理disabled此项
再启动后就少了这个mac地址,证明有效

Posted in IDC, Linux 命令, 安全.

Tagged with , , , .


One Response

Stay in touch with the conversation, subscribe to the RSS feed for comments on this post.

Continuing the Discussion

  1. 如何解决服务器上抓到异常arp包? - 凹凸曼博客 linked to this post on 2012/07/23

    […] 参考资料:http://blog.c1gstudio.com/archives/1373 […]



Some HTML is OK

or, reply to this post via trackback.