Question regarding security run output
Kurt Buff
kurt.buff at gmail.com
Tue Sep 3 23:11:16 UTC 2013
Over the three-day US weekend, I was working on some stuff, and found an
interesting set of entries in the daily security run emails all three days.
The output looks as follows:
ntop.example.com kernel log messages:
+++ /tmp/security.IUGsscCR 2013-08-26 03:02:24.000000000 -0700
+arp: unknown hardware address format (0x4500) (from 00:05:b7:de:cd:79 to
72:6e:61:6c:2c:70)
+arp: unknown hardware address format (0x0100) (from 00:05:b7:de:cd:79 to
6c:3d:31:37:2c:6e)
+arp: unknown hardware address format (0x4500) (from 00:05:b7:de:cd:a3 to
77:72:69:74:74:65)
+arp: unknown hardware address format (0x0000) (from 00:05:b7:de:cd:71 to
2d:0d:0a:62:6f:64)
This box is monitoring a mirror port on a ProCurve switch, using an
unnumbered interface.
My investigation led me to the engineering lab, and I'm querying them
regarding the equipment, but I don't know what the above entries signal.
Does anyone have a clue they can throw me on this?
I also find it interesting that the MAC addresses are either unknown, or
belong to Arbor Networks. We don't have any Arbor Networks equipment,
though I suppose they could vend them to an OEM. I'm going to see if I can
trace them down and get some idea of what's running around in that lab.
Thanks,
Kurt
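
A small triage helper for the entries quoted in the post, added here as an example and not part of the original message: it parses each "arp: unknown hardware address format" line, compares the reported hardware type with the Ethernet value (1), and renders the target address bytes as ASCII. The function names are this example's own, and the embedded sample is the four messages copied from the post with their line wrapping.

```python
import re

# Sample input: the four kernel messages from the post, wrapped as in the email.
SAMPLE = """\
+arp: unknown hardware address format (0x4500) (from 00:05:b7:de:cd:79 to
72:6e:61:6c:2c:70)
+arp: unknown hardware address format (0x0100) (from 00:05:b7:de:cd:79 to
6c:3d:31:37:2c:6e)
+arp: unknown hardware address format (0x4500) (from 00:05:b7:de:cd:a3 to
77:72:69:74:74:65)
+arp: unknown hardware address format (0x0000) (from 00:05:b7:de:cd:71 to
2d:0d:0a:62:6f:64)
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# \s+ before the target address tolerates the mail client's line wrapping.
LINE = re.compile(
    r"arp: unknown hardware address format \(0x([0-9a-f]{4})\) "
    rf"\(from ({MAC}) to\s+({MAC})\)", re.I)

ARPHRD_ETHER = 1  # IANA ARP hardware type for Ethernet


def mac_bytes(mac):
    """Convert 'aa:bb:cc:dd:ee:ff' to six raw bytes."""
    return bytes(int(octet, 16) for octet in mac.split(":"))


def is_text(raw):
    """True if every byte is printable ASCII, CR or LF."""
    return all(0x20 <= b <= 0x7E or b in (0x0D, 0x0A) for b in raw)


def triage(text):
    """Return one dict per matching log line, with the fields decoded."""
    rows = []
    for m in LINE.finditer(text):
        hrd, src, dst = int(m.group(1), 16), m.group(2), m.group(3)
        raw = mac_bytes(dst)
        rows.append({"hrd": hrd, "hrd_is_ethernet": hrd == ARPHRD_ETHER,
                     "src_oui": src[:8].lower(), "dst": dst,
                     "dst_ascii": raw.decode("ascii", "replace"),
                     "dst_is_text": is_text(raw)})
    return rows


if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(f"hrd=0x{r['hrd']:04x} ethernet={r['hrd_is_ethernet']} "
              f"src_oui={r['src_oui']} dst={r['dst']} ascii={r['dst_ascii']!r}")
```

On the four lines in the post, none of the hardware types is Ethernet and every target address decodes to printable text (for example "writte"), which is worth knowing before chasing those values as real MAC addresses.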
More information about the freebsd-net
mailing list