I don't know whether I am really under this attack or not; ESET (ESS 5.0) has reported this to me several times. What I should mention is:
Q) Am I under attack, or could this just be some IP conflict? If so, how do I prevent or resolve this issue? *** Which logs are needed? Tell me which to upload and I will provide a link. Please help me resolve this. Logs: ESET logs:
Wireshark logs: (just a piece)
asked 09 Sep '12, 03:38 SkyGator
2 Answers:
@hansangb, you are right. The ESET message is just a false positive, triggered by two devices using the same IP address (192.168.1.2).

@SkyGator: If it was an ARP cache attack, the attacker would try to spoof the MAC address of your router (192.168.1.1). However, there is no such sign in the capture file. To be sure: double check that the MAC address of the router in the capture file is the real one ;-)

Stop using 192.168.1.2 on two different computers. If they got their address by DHCP from the router, you may experience that problem if you switch off (or reboot) the router. After it reboots, it may hand out the same IP address to a different MAC address. I would consider this a firmware bug, as the DHCP server should write a log for the current leases and reuse that log after the reboot.

Regards

answered 09 Sep '12, 15:48 Kurt Knochner ♦

Good to know. Fortunately I tested it and got some clues, and I believe this answer is right. But there are 2 relatively small questions on this:
1. How to "double check that the MAC address of the router in the capture file is the real one"? Do you mean the default IP taken by the router? It is 192.168.1.2. Should I check anything else? (10 Sep '12, 03:45) SkyGator

2nd: What is the sign when someone is spoofing ("the attacker would try to spoof the MAC address of your router (192.168.1.1)")? Could you give a simple 1-2 line example of a log showing this? I want to know how it could differ from what I have posted. Really, thanks for your help ;) (10 Sep '12, 03:45) SkyGator

1.) Look at the back of your router. Usually you will find its MAC address there. Compare that address with the one in the capture file. If it's the same, it's O.K. If it's different, someone might have used ARP spoofing.
2.) I'm sorry, I don't have a capture file with ARP spoofing at hand and I have no time to create one right now. But it's easy to do that yourself. Grab a copy of "Cain & Abel" or "ettercap" and learn how it works. (10 Sep '12, 04:28) Kurt Knochner ♦
Skygator, I just assumed you used Wireshark to capture your packets. That's the file I was referring to. But if you used tcpdump or snoop, it will output the "trace file" to stdout (screen) in a text format. But you can use "-w foo.pcap" in tcpdump or "-o foo.pcap" in snoop to save the trace file in binary PCAP format. This way, everyone can open it in Wireshark, which makes it easier to analyze the file.

Look here (among many many many other sites) for how ARP cache poisoning works: http://bittwist.sourceforge.net/doc.html

Keep in mind that Ethernet MAC addresses are link local. That is, they are only unique within each subnet. So if you capture from subnet1, for traffic that originated from subnet2, the MAC address will be the router's MAC address. For example:

    PC1 (MAC addr A) ------ (MAC addr B) ROUTER (MAC addr C) ------- (MAC addr D) PC2

PC1 has a MAC address of A. PC2 has a MAC address of D. If you capture the traffic from PC1, you will see your MAC addr A and MAC addr B (the router's MAC) for PC2. If you capture the traffic from PC2, you will see your MAC addr D, and MAC addr C for PC1.

To check what the MAC addresses are on the router, you can do (assuming Cisco routers) "sho interface Fa1/0" and look for the BIA (burned in address) address. You'll see it in 0000.0C12.1234 format.

If you have two routers, there may be another MAC address (HSRP), but that's not germane to this conversation for now. If you have HSRP running, let me know. If you don't know what HSRP is, chances are good that you are not running it. But again, if you have the binary PCAP file, you can see if HSRP is running or not (but that's for another time).

Good luck!

answered 10 Sep '12, 14:21 hansangb
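Kurt's two pointers above (compare the router's MAC in the capture with the real one; a spoofer would answer for the router's IP with a different MAC) as an added example that is not from the original thread: a small Python checker over ARP-reply records that separates the benign duplicate-IP collision behind the ESET alert from a change of the gateway's MAC. The records, MAC values and the GATEWAY_IP constant are constructed for illustration, not taken from the poster's capture.

```python
"""Flag IP->MAC conflicts seen in ARP replies and tell a duplicate-IP
collision apart from a gateway-MAC change (the ARP spoofing sign)."""
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"  # the router address named in the thread

# Constructed ARP-reply records (sender IP, sender MAC) in capture order.
# Sample data invented for this example, not from the poster's capture.
SAMPLE_REPLIES = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),
    ("192.168.1.2", "aa:bb:cc:00:00:02"),
    ("192.168.1.3", "aa:bb:cc:00:00:03"),
    ("192.168.1.2", "aa:bb:cc:00:00:09"),  # a second host also using .2
    ("192.168.1.1", "aa:bb:cc:00:00:09"),  # that host now claims the gateway IP
]

def ip_to_macs(replies):
    """Map each sender IP to the distinct MACs that claimed it, in order seen."""
    seen = defaultdict(list)
    for ip, mac in replies:
        mac = mac.lower()
        if mac not in seen[ip]:
            seen[ip].append(mac)
    return dict(seen)

def classify(replies, gateway_ip=GATEWAY_IP):
    """Return sorted (ip, kind, macs) findings for IPs claimed by 2+ MACs.
    'gateway-mac-change' is the router IP answered by more than one MAC (the
    spoofing sign Kurt describes); 'duplicate-ip' is any other IP with more
    than one MAC (the benign collision behind the ESET alert)."""
    findings = []
    for ip, macs in ip_to_macs(replies).items():
        if len(macs) < 2:
            continue
        kind = "gateway-mac-change" if ip == gateway_ip else "duplicate-ip"
        findings.append((ip, kind, macs))
    return sorted(findings)

def verify_gateway_mac(replies, label_mac, gateway_ip=GATEWAY_IP):
    """Kurt's double check: return MACs that claimed the gateway IP in the
    capture but differ from the MAC printed on the router's label."""
    claimed = ip_to_macs(replies).get(gateway_ip, [])
    return [m for m in claimed if m != label_mac.lower()]

if __name__ == "__main__":
    for ip, kind, macs in classify(SAMPLE_REPLIES):
        print(f"{ip}: {kind} -> {', '.join(macs)}")
    print("MACs not matching router label:",
          verify_gateway_mac(SAMPLE_REPLIES, "AA:BB:CC:00:00:01"))
```

On a real capture, the records would come from the "is at" ARP replies (for example exported from Wireshark as sender IP and sender MAC columns); only the gateway IP showing a second MAC is the sign the answer refers to.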
It's easier if you post the actual pcap files. But looking at this, I don't think I'd be too worried. It looks like you may have two devices trying to use 192.168.1.2.
But if you post the pcap file, more people will look at it for you. It's a pain looking at txt output of a trace file.
Thanks hasan, where is this pcap file you mentioned? Which piece of it is needed?