This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Is this type of arp attack?

0

I have a bad internet connection then i got this. Can anyone tell me about this?

alt text

asked 15 May '16, 00:05

noobzers's gravatar image

noobzers
6112
accept rate: 0%


2 Answers:

0

Well it looks more like a scan. But if this packet appear constantly and in the way you posted here, it can slow down your system. Because ARP processing has often a high cpu priority.

answered 15 May '16, 00:25

Christian_R's gravatar image

Christian_R
1.8k2625
accept rate: 16%

0

If the capture comes from a wireless interface of your PC, and your wireless AP's IP address (the most likely default gateway of your PC) is not 192.168.2.99, then someone is trying to map what machines exist in your wireless network and he has already cracked through your wireless security (if you don't use an open wireless network).

Else (i.e. if the capture comes from any interface of your PC, and regardless whether your router has 192.168.2.99 or not), the equipment which sends these arp requests is doing the scan, and it is likely one of your own ones which did not need to crack the wireless security. In a typical home network, a device doing that on a peaceful purpose is far less likely to exist than one infected with malware, so I'd be on high alert and would closely inspect the source device to find out what happens.

@Christian_R's suggestion that someone is scanning the network remotely would be fine if the address range in question would not be private (192.168.x.y/24). A scan over private addresses can not be done remotely over internet, it must come from a device for which such addresses are routable, i.e. inside your private network.

answered 15 May '16, 01:47

sindy's gravatar image

sindy
6.0k4851
accept rate: 24%

edited 15 May '16, 01:57

I have never said, that the scan is done remotely. Of course it is local, thought it was clear.

(15 May '16, 01:55) Christian_R

Sorry, @Christian_R, the association between "scan" and "remotely over internet" somehow exists in my head, because a remote scan is a much smaller threat than a local one so it falls to other mental category.

I wanted to stress out that a local device performing a network scan is likely to be already hijacked, and quoted you improperly. Sorry again.

(15 May '16, 02:04) sindy

In yet another way: from what you wrote, it seemed to me that the highest risk you expect is the CPU load coming from ARP processing, which implied to me that you have a remote scan in mind.

(15 May '16, 02:06) sindy

Hm, I thought of this ARP and CPU relation, because the question is, if this ARPs could cause a bad internet connectivity. And this is my opinion to that. There might be more... And there might be another cause, too.

(15 May '16, 02:15) Christian_R