#1152 closed task (invalid)
Detection of ARP Cache Poisoning on SSID:ietf-hotel at Swissotel
| Reported by: | Owned by: | Clemens Schrimpe | |
|---|---|---|---|
| Priority: | tbd | Milestone: | ietf-100 |
| Component: | incoming | Keywords: | ARP Cache Poison |
| Cc: | Bill Fenner | My Current Location: | 19th floor of Swissotel |
| My MAC Address: | a8:66:7f:16:c5:3d | My OS: | Mac OS X |
Description
Whenever I connected to SSID:ietf-hotel at Swissotel, Symantec Endpoint Protection Client on my laptop yells that it is detecting ARP cache poison.
Source of the cache poisoning:
80:2a:a8:8f:a3:cf
I can give you a pcap file it includes the events.
Attachments (1)
Change history (5)
comment:1 Changed 3 years ago by
| Cc: | Bill Fenner added |
|---|---|
| Owner: | changed from llynch@… to Clemens Schrimpe |
| Status: | new → assigned |
Changed 3 years ago by
| Attachment: | ietf-hotel_detection_arp_cache_poisoning.pcap added |
|---|
Symantec Client claims that the remote mac address of the poisoning is 80:2a:a8:8f:a3:cf
comment:2 Changed 3 years ago by
80:2a:a8:8f:a3:cf is the MAC address of the router. In the pcap file I see it sending ARPs for you, and responding to ARP requests for itself. Does Symantec give any indication of what behavior it considers to be arp cache poisoning?
Does your current ARP cache contain a different resolution for 31.133.144.1?
comment:3 Changed 3 years ago by
| Resolution: | → invalid |
|---|---|
| Status: | assigned → closed |
The address belongs to the currently active "official" router, who uses it with multiple IP addresses, hence the false warning.
Nothing to see here, please walk on ... ;-) ;-) ;-)
comment:4 Changed 3 years ago by
Thank you for the investigation.
I'm out for the hackathon, so I can't check the ARP cache of my laptop now.
I'll check the situation after returning to the hotel.
Closing this ticket is no problem of course. thank you.
The pcap file would be welcome; please attach it here