arp issue
 

Greetings to All,

I'm running a network with 800 users.I'm facing strange problem on my network that my gateway ip conflict when I trace that client and block him its start from an other client and I found that client does not use that ip its sort of arp attack or such virus.I use this command arping -b 10.x.x.x -I eth1 ,where 10.x.x.x my gateway ip and eth1 is internal network interface. it start reply uni cast with that client mac and gatewayip although that client was not doing any such activity.does any one have any idea regarding this issue ,is it a virus or what.Looking forward for your kind response.

Regards
Net_Spy

How about capturing packets with tcpdump and running it through Wireshark and Snort for a quick check?

* Just a small nit but proper punctuation and well-formed phrasing does enhance readability. From your other threads I know your language skills are better than this. TIA.

hi

yes this is a virus, a friend of mine had had the same problem but i am not sure how he solved it. ( actually he told me he made a script for this)
You could try tcpdump as unSpawn suggested, on a few computers and put the relevant output here; perhaps some of the more skilled people here can help you out; meanwhile update all your windows clients and tell them to use firewalls (i'm not sure if it helps but its a good start)

adaylater: try using arpwatch :)

Thanks for your kind respose guys.

well if it is a virus so precuation for that to avoid it.OTIM could you provide me that script so I could check that out.looking forward for your kind response.

Regards
Net_Spy

yes i would but it will take some time o talk to my friend...but try using arpwatch, with it you should see which pc is infected, and you can disconnect it for clean up ( i mean until you find a better solution)

Thanks..

well this is not a perfect solution.well im waiting for that script.looking forward for your kind response.
Regards
Net_spt