ARP requests for IP address 0.0.0.0

ARP requests for IP address 0.0.0.0
Secure Home | Search | About
Login Password
Register Now! Lost Password?
 General Computer Security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content add this group's latest topics to your Google content
Subject Author Date
ARP requests for IP address 0.0.0.0 chrismc911 01-19-2007
Posted by on January 19, 2007, 3:27 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
Hi,

we are facing strange behaviour on our small network with a system
sending out ARP requests now and then asking to resolve the IP address
0.0.0.0.

According to the first three bytes of the MAC address (00-14-51) it is
an Apple machine.
Does anyone have an explanation for this behaviour?

Thanks a lot,
Chris


Posted by Ertugrul Soeylemez on January 19, 2007, 8:00 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
chrismc911@hotmail.com (07-01-19 12:27:39):

> we are facing strange behaviour on our small network with a system
> sending out ARP requests now and then asking to resolve the IP address
> 0.0.0.0.
>
> According to the first three bytes of the MAC address (00-14-51) it is
> an Apple machine.
> Does anyone have an explanation for this behaviour?

Yes. The address "0.0.0.0" is the "any" address. That means, "any"
host should answer that request. The MAC address you're seeing is some
random MAC address from your network (most likely).


Regards,
E.S.

Posted by on January 20, 2007, 10:55 am
If you were  Registered and logged in, you could reply and use other advanced thread options
Hi,

thanks a lot for your answer.

> Yes. The address "0.0.0.0" is the "any" address. That means, "any"
> host should answer that request. The MAC address you're seeing is some
> random MAC address from your network (most likely).

I am sorry but I got something wrong in my post. Had a look at the logs
again and the ARP requests comes from 0.0.0.0 and a valid destinatin IP
which I think is the IP of the host sending the request out.

I think this packet is sent when the host comes up. Something like
Windows sending out an unsolicited ARP reply to its own IP address to
check if another host has the IP address assigned.

Regards,
Chris


Posted by Ertugrul Soeylemez on January 20, 2007, 1:18 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
chrismc911@hotmail.com (07-01-20 07:55:51):

> > Yes. The address "0.0.0.0" is the "any" address. That means, "any"
> > host should answer that request. The MAC address you're seeing is
> > some random MAC address from your network (most likely).
>
> I am sorry but I got something wrong in my post. Had a look at the
> logs again and the ARP requests comes from 0.0.0.0 and a valid
> destinatin IP which I think is the IP of the host sending the request
> out.
>
> I think this packet is sent when the host comes up. Something like
> Windows sending out an unsolicited ARP reply to its own IP address to
> check if another host has the IP address assigned.

In that case, the packet is probably not a request, but rather a reply,
and the _destination_ IP address is 0.0.0.0. That would make sense, and
it would mean that the particular machine is just distributing its MAC
address into the network.


Regards,
E.S.

Posted by on January 21, 2007, 7:40 am
If you were  Registered and logged in, you could reply and use other advanced thread options
Hi,

> In that case, the packet is probably not a request, but rather a reply,
> and the _destination_ IP address is 0.0.0.0. That would make sense, and
> it would mean that the particular machine is just distributing its MAC
> address into the network.

the packet looks as follows:

Ethernet:
source mac 00-14-51-...
dest mac ff-ff-ff-ff-ff-ff
type 0x806

Arp:
type: request
source ip 0.0.0.0
dest ip 192.168.182.22
source mac 00-14-51-...
dest mac 00-00-00-00-00-00

So it is a valid arp request. The MAC address 00-14-51 fits on the ip
address 192.168.182.22 so it seemes to be an ip-mac-mapping
announcement from 192.168.182.22, but in an odd way.

Regards,
Chris


Similar ThreadsPosted
strange requests sent to my WWW April 12, 2006, 4:06 pm
massive port 1580 requests May 13, 2004, 3:48 pm
Use How to use the SAME Key for another eMail address ? September 22, 2005, 7:31 am
Packaging for MAC address ? April 9, 2007, 10:00 am
How the Chicom got my IP address??? June 5, 2008, 7:08 pm
IP address on my volume control November 13, 2004, 9:56 pm
How reliable is locking MAC address for Wi-Fi router? December 2, 2004, 1:00 pm
google groups shows everyone your ip address? January 6, 2006, 6:53 pm
SMAC 2.0 is released! MAC Address Spoofer May 18, 2006, 9:42 pm

The site map in XML format XML site map

Contact Us | Privacy Policy