Thursday, August 2, 2012

arpwatch: too short requests error

Today, I got a lot of errors from arpwatch (actually arpwatch-NG) that look like this:
arpwatch: short (want 42)
There is no point in googling this, even though I tried. :) There is one post that mentions some Debian bug, or something like that.

Anyway, the problem is that something on the network has a bug or is misconfigured, and arpwatch doesn't log the sender's MAC address from the frame when it receives something erroneous that is supposed to be ARP. Of course, how useful this information would be is debatable, but it would at least give some clue as to who is sending it.

In the end, the only thing that can be done in this case is to sniff the network and wait for the error to repeat.
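One way to get the missing sender information out of such a capture, as an added example (not code from the original post or from arpwatch): it reads a classic pcap file and counts the source MAC of every ARP/RARP frame captured with fewer than 42 bytes. It assumes the 42 in the message is the 14-byte Ethernet header plus the 28-byte Ethernet/IPv4 ARP body; the function names and the sample frames with their MAC addresses are constructed for illustration.

```python
import io
import struct
from collections import Counter

ETH_HLEN = 14                  # dst MAC + src MAC + EtherType
WANT = ETH_HLEN + 28           # + Ethernet/IPv4 ARP body = 42 (assumed "want 42")
ARP_TYPES = {0x0806, 0x8035}   # ARP, RARP


def short_arp_senders(pcap):
    """Count source MACs of ARP/RARP frames captured with fewer than WANT bytes."""
    hdr = pcap.read(24)
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(hdr[:4])
    if endian is None or len(hdr) < 24:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", hdr[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    senders = Counter()
    while len(rec := pcap.read(16)) == 16:
        _sec, _usec, caplen, _wirelen = struct.unpack(endian + "4I", rec)
        frame = pcap.read(caplen)
        if len(frame) < ETH_HLEN:
            continue               # no complete header, sender unknown
        (ethertype,) = struct.unpack("!H", frame[12:14])
        if ethertype in ARP_TYPES and len(frame) < WANT:
            src = ":".join(f"{b:02x}" for b in frame[6:12])
            senders[src] += 1
    return senders


def build_sample():
    """Constructed capture: one full-size ARP frame, two short ones, one IPv4."""
    def frame(src, ethertype, body_len):
        return (b"\xff" * 6 + bytes.fromhex(src)
                + struct.pack("!H", ethertype) + bytes(body_len))
    frames = [
        frame("020000000001", 0x0806, 28),   # 42 bytes, fine
        frame("0200000000aa", 0x0806, 10),   # 24 bytes, short
        frame("0200000000aa", 0x0806, 4),    # 18 bytes, short
        frame("020000000002", 0x0800, 10),   # short, but not ARP
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<4I", 0, 0, len(f), len(f)) + f
    return io.BytesIO(out)


if __name__ == "__main__":
    for src, n in short_arp_senders(build_sample()).most_common():
        print(f"{src}  {n} short ARP frame(s)")
```

To use it on a real capture, pass a file opened in binary mode instead of `build_sample()`.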

Update

I figured out what was causing these errors. It was nmap, which I had set up to regularly scan the network! :)
