This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Is it Arp Cache Attack ?

0

Don't know that Am I really under this attack or not, eSet (ESS 5.0) several times is reporting this to me.

What I should mention are :

  1. Here are using a Wireless point-to-point to get Internet to our tower, Then with a DSLAM the internet is provided to our room.

  2. Some times I'm using a VPN.

    The reported IPs are similar to 192.168.1.1 - 192.168.1.4
  3. There are 2-3 home devices Using this wireless internet and and pc using it from a LAN (Don't know how could I get their mac addresses to check)

  4. There is a wireless printer which is one of the things I have doubt causes the problem.

  5. Here the room is using a TP-Link 8901G ( Whireless ADSL 2+ Router, Modem & Accesspoint )

Q) Am I under attack or this could be just some IP conflicts ? If so How to Prevent or resolve this issue ?

*** Which logs is needed tell me to upload and provide a link

please help me resolving this


Logs :

Eset Logs :

http://pastebin.com/STRwdLzF

WireShark Logs : ( Just a piece )

http://pastebin.com/6e6YER7s

asked 09 Sep '12, 03:38

SkyGator's gravatar image

SkyGator
6113
accept rate: 0%

It's easier if you post the actual pcap files. But looking at this, I don't think I'd be too worried. It looks like you may have two devices trying to use 192.168.1.2.

But if you post the pcap file, more people will look at it for you. It's a pain looking at txt output of a trace file.

(09 Sep '12, 09:32) hansangb

Thanks hasan, Where is this pcap file you said ? which piece of it is needed ?

(10 Sep '12, 03:39) SkyGator

2 Answers:

1

@hansangb, you are right. The ESET message is just a false positive, triggered by two devices using the same IP address (192.168.1.2).

@SkyGator: If it was an ARP cache attack, the attacker would try to spoof the MAC address of your router (192.168.1.1). However, there is no such sign in the capture file. To be sure: Double check, that the MAC address of the router in the capture file, is the real one ;-)

If so How to Prevent or resolve this issue

Stop using 192.168.1.2 on two different computers. If they got their address by DHCP from the router, you may experience that problem if you switch off (or reboot) the router. After it reboots, it may hand out the same IP address to a different MAC address. I would consider this a firmware bug, as the DHCP server should write a log for the current leases and reuse that log after the reboot.

Regards
Kurt

answered 09 Sep '12, 15:48

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

Good to know, fortunately I tested it and got some clues and I believe this answer is right. but there is 2 relative small questions on this : 1. How to "Double check, that the MAC address of the router in the capture file, is the real one" ? Do you mean the default IP taken by the router ? it is 192.168.1.2, Should I check anything else ?

(10 Sep '12, 03:45) SkyGator

2nd : What is the sign when someone is spoofing "the attacker would try to spoof the MAC address of your router (192.168.1.1)" ? could you give a simple 1-2 line example of a log showing this, want to know how it could be differ from what I have posted ? really thanks for your help ;)

(10 Sep '12, 03:45) SkyGator

1.) Look at the back of your router. Usually you will find its MAC address there. Compare that address with the one in the capture file. If it's the same, it's O.K. If it's different, someone might have used ARP spoofing.

2.) I'm sorry, I don't have a capture file with ARP spoofing at hand and I have not time to create one right now. But it's easy to do that yourself. Grab a copy of "cain & able" or "ettercap" and learn how it works.

(10 Sep '12, 04:28) Kurt Knochner ♦

1

Skygator, I just assumed you used Wireshark to capture your packets. That's the file I was referring to. But if you used tcpdump or snoop, it will output the "trace file" to stdout (screen) in a text format. But you can use "-w foo.pcap" in tcpdump or "-o foo.pcap" in snoop to save the trace file in binary PCAP format. This way, everyone can open it in Wireshark and make it easier to analyze the file.

Look here (among many many many other sites) for how arp cache poisoning works: http://bittwist.sourceforge.net/doc.html

Keep in mind that Ethernet MAC addresses are link local. That is, it is only unique to each subnet. So if you capture from subnet1, for a traffic that originated from subnet2, the MAC address will be the router's MAC address. For example

PC1 (MAC addr A) ------ (MAC addr B) ROUTER (MAC addr C) ------- (MAC addr D) PC2

PC1 has a mac address of A. PC2 has a mac address of D.

If you capture the traffic from PC1, you will see your MAC addr A and MAC addr B (router's mac) for PC2.

If you capture the traffic from PC2, you will see your MAC addr D, and MAC addr C for PC1.

To check what the MAC addresses are on the router, you can do (assuming Cisco routers) "sho interface Fa1/0" and look for the BIA (burned in address) address. You'll see it in 0000.0C12.1234 format.

If you have two routers, there may be another MAC address (HSRP), but that's not germane to this conversation for now. If you have HSRP running, let me know. If you don't know what HSRP is, chances are good that you are not running it. But again, if you have the binary PCAP file, you can see if HSRP is running or not (but that's for another time)

Good luck!

answered 10 Sep '12, 14:21

hansangb's gravatar image

hansangb
7912619
accept rate: 12%