What could make a host send ARP requests asking for the MAC address of almost all the hosts in the network

asked 2019-11-30 17:31:10 +0000

Macdan

I am analyzing this packet I captured in my network, and there is something I am seeing that seems weird to me.

The first is that a particular host keeps sending ARP broadcasts requesting the MAC addresses of all the systems in the network in ascending order, i.e. the IP addresses are arranged from the lowest to the highest.

Secondly, that same host after a while started sending SYN packets to most of the hosts in the network, and each time it does so the destination hosts respond with a RST, ACK packet.

Can someone explain to me what could be going on?

answered 2019-11-30 17:55:04 +0000

Chuckc

Thanks for your response.

Is the second part of my question also pointing to the fact that the host is still trying to discover other hosts in the network?

Macdan ( 2019-11-30 18:10:20 +0000 )

Once a list of valid IP addresses is discovered with ARP, each of those hosts is scanned to check for open ports.
Are the SYN packets going to multiple ports on each host?
Is it the same list of ports for each host?

Chuckc ( 2019-11-30 18:17:36 +0000 )

First of all, of all the ARP requests sent by the host, only two systems responded.

To your question, it is different port numbers for each host.

Macdan ( 2019-11-30 18:40:33 +0000 )

Is your Wireshark capture on a switch port?
The ARP responses are directed, so you won't see all the host responses without a span port or network tap.

Chuckc ( 2019-11-30 19:13:53 +0000 )

Yes, it is captured on a switch port.

Macdan ( 2019-11-30 21:18:58 +0000 )
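
The pattern discussed in this thread (an ascending ARP sweep followed by SYN probes that are answered with RST, ACK) can be summarized per source from parsed capture records. This is an added example, not part of the original thread; the record layout, the addresses and the 20-target threshold are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address

SCANNER = "192.168.1.50"  # constructed address, not taken from the thread

def sample_capture():
    """Constructed records: (time, src, kind, dst, port). `port` is the TCP port on
    the probed host (SYN destination port / RST,ACK source port), None for ARP."""
    pkts = [(i * 0.01, SCANNER, "arp-req", f"192.168.1.{i}", None) for i in range(1, 41)]
    pkts.append((0.2, "192.168.1.20", "arp-req", "192.168.1.1", None))  # ordinary host
    # Only two hosts answered the sweep; each is probed on a different set of ports.
    probes = [("192.168.1.7", 445), ("192.168.1.7", 3389),
              ("192.168.1.12", 22), ("192.168.1.12", 8080)]
    for n, (host, port) in enumerate(probes):
        pkts.append((1.0 + n, SCANNER, "syn", host, port))
        pkts.append((1.0 + n + 0.001, host, "rst-ack", SCANNER, port))
    return pkts

def summarize(pkts, arp_threshold=20):
    """Report sources whose ARP requests cover >= arp_threshold distinct targets."""
    arp, syn, rst = defaultdict(list), defaultdict(set), defaultdict(set)
    for _ts, src, kind, dst, port in sorted(pkts, key=lambda p: p[0]):
        if kind == "arp-req":
            arp[src].append(int(ip_address(dst)))
        elif kind == "syn":
            syn[src].add((dst, port))
        elif kind == "rst-ack":
            rst[dst].add((src, port))  # reply travels probed host -> prober
    report = {}
    for src, targets in arp.items():
        distinct = list(dict.fromkeys(targets))  # keep first-seen order, drop retries
        if len(distinct) < arp_threshold:
            continue
        report[src] = {
            "arp_targets": len(distinct),
            "ascending_sweep": all(a < b for a, b in zip(distinct, distinct[1:])),
            "syn_probes": len(syn[src]),
            # SYN answered by RST,ACK: the host is up but nothing listens on that port
            "closed_ports": len(syn[src] & rst[src]),
        }
    return report

if __name__ == "__main__":
    for host, stats in summarize(sample_capture()).items():
        print(host, stats)
```
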

