[Question] Please explain these arpwatch results.
Hello.
I have a few questions about what showed up in arpwatch.
First question: below are the arpwatch entries found for the duplicated IP 192.168.1.10.
When I arping 192.168.1.10, the gateway's address comes back. I suspect ARP spoofing, but since it is an internal IP it is not easy to pin down. How should I check this?
(Each MAC address is the MAC address of an IP that is actually in service.)
MAC | IP that used the MAC | unixtime | unixtime converted to local time
00:14:85:29:xx:xx 192.168.1.10 1185777050 2007-07-30 15:30
00:14:85:29:xx:xx 192.168.1.10 1185777050 2007-07-30 15:30
00:14:85:3c:xx:xx 192.168.1.10 1185777050 2007-07-30 15:30
00:14:85:3a:xx:xx 192.168.1.10 1185777050 2007-07-30 15:30
00:14:85:29:xx:xx 192.168.1.10 1185777050 2007-07-30 15:30
00:14:85:22:xx:xx 192.168.1.10 1185777050 2007-07-30 15:30
00:14:85:29:xx:xx 192.168.1.10 1185777050 2007-07-30 15:30
00:14:85:3c:xx:xx 192.168.1.10 1185777050 2007-07-30 15:30
00:14:85:3a:xx:xx 192.168.1.10 1185777050 2007-07-30 15:30
00:14:85:29:xx:xx 192.168.1.10 1185777050 2007-07-30 15:30
00:14:85:3c:xx:xx 192.168.1.10 1185777050 2007-07-30 15:30
00:14:85:29:xx:xx 192.168.1.10 1185777049 2007-07-30 15:30
00:14:85:39:xx:xx 192.168.1.10 1185777049 2007-07-30 15:30
00:14:85:29:xx:xx 192.168.1.10 1185777049 2007-07-30 15:30
00:14:85:3d:xx:xx 192.168.1.10 1185777049 2007-07-30 15:30
00:14:85:29:xx:xx 192.168.1.10 1185777049 2007-07-30 15:30
00:14:85:29:xx:xx 192.168.1.10 1185777049 2007-07-30 15:30
00:14:85:29:xx:xx 192.168.1.10 1185777049 2007-07-30 15:30
00:14:85:2e:xx:xx 192.168.1.10 1185777049 2007-07-30 15:30
The second question is below.
These are MAC addresses assigned to 0.0.0.0, which I had not seen before.
00:16:e6:d2:xx:xx 0.0.0.0 1185769421 2007-07-30 13:23
00:16:e6:d6:xx:xx 0.0.0.0 1185768107 2007-07-30 13:01
00:04:23:b3:xx:xx 0.0.0.0 1185734585 2007-07-30 03:43
00:11:11:e7:xx:xx 0.0.0.0 1185720921 2007-07-29 23:55
00:e0:81:72:xx:xx 0.0.0.0 1185433773 2007-07-26 16:09
00:0d:61:91:xx:xx 0.0.0.0 1185346021 2007-07-25 15:47
00:16:e6:d6:xx:xx 0.0.0.0 1185304752 2007-07-25 04:19
00:16:e6:d6:xx:xx 0.0.0.0 1185304734 2007-07-25 04:18
00:16:e6:d5:xx:xx 0.0.0.0 1185304725 2007-07-25 04:18
00:16:e6:d4:xx:xx 0.0.0.0 1185304717 2007-07-25 04:18
00:16:e6:d6:xx:xx 0.0.0.0 1185304702 2007-07-25 04:18
00:e0:81:71:xx:xx 0.0.0.0 1185299562 2007-07-25 02:52
00:13:20:78:xx:xx 0.0.0.0 1185292191 2007-07-25 00:49
00:19:d1:1f:xx:xx 0.0.0.0 1185280370 2007-07-24 21:32
00:e0:81:71:xx:xx 0.0.0.0 1185279002 2007-07-24 21:10
00:e0:81:71:xx:xx 0.0.0.0 1185265712 2007-07-24 17:28
00:11:11:94:xx:xx 0.0.0.0 1185186340 2007-07-23 19:25
When I ran tcpdump host 0.0.0.0, I got the output below.
15:55:37.204340 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:15:17:17:xx:xx, length: 300
15:55:51.594477 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:1a:64:2b:xx:xx, length: 278
Is this showing up because one of the servers runs DHCP?
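A small triage script for both questions in the post, added here as an example and not part of the original post or of arpwatch itself. It reads arpwatch records in the MAC / IP / unixtime form shown above, reports every IP that more than one MAC claimed within a short window (the flip-flop pattern ARP spoofing leaves), subtracts the MAC the IP is supposed to have so the remaining MACs can be traced on the switch, and lists the MACs that sent from 0.0.0.0 together with any real address they were later seen with. The sample records and the KNOWN_OWNERS inventory are constructed for the example; the inventory is the automated form of the arping comparison described in the post, and times are printed in UTC rather than local time.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records in the three-column form the post shows
# (MAC, IP, unix timestamp). MACs and most IPs are made up for the
# example; they are not the poster's data.
SAMPLE_ARP_DAT = """\
00:14:85:29:aa:01 192.168.1.10 1185777050
00:14:85:3c:aa:02 192.168.1.10 1185777050
00:14:85:3a:aa:03 192.168.1.10 1185777050
00:14:85:29:aa:01 192.168.1.10 1185777049
00:14:85:22:aa:04 192.168.1.10 1185777049
00:14:85:29:aa:01 192.168.1.1 1185777000
00:14:85:22:aa:04 192.168.1.22 1185777000
00:16:e6:d2:bb:01 0.0.0.0 1185769421
00:16:e6:d6:bb:02 0.0.0.0 1185768107
00:16:e6:d6:bb:02 192.168.1.77 1185768200
00:0d:61:91:bb:03 192.168.1.55 1185346021
"""

# Assumed inventory of which MAC each IP should answer from (DHCP leases,
# an asset list, or the switch's own table). Hypothetical, not from the post.
KNOWN_OWNERS = {"192.168.1.10": "00:14:85:29:aa:01"}


def parse_arpwatch(text):
    """Parse whitespace-separated 'mac ip unixtime [hostname]' records."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # blank or otherwise incomplete line
        records.append((fields[0].lower(), fields[1], int(fields[2])))
    return records


def find_flipflops(records, window=60):
    """Return {ip: sorted MACs} for every IP that more than one MAC claimed
    within `window` seconds of each other. Several hardware addresses
    answering for one IP in a short span is the trace ARP spoofing leaves."""
    by_ip = defaultdict(list)
    for mac, ip, ts in records:
        if ip != "0.0.0.0":  # unassigned senders are reported separately
            by_ip[ip].append((ts, mac))
    suspects = {}
    for ip, entries in by_ip.items():
        entries.sort()
        contested = set()
        for i, (t0, _) in enumerate(entries):
            near = {m for t, m in entries[i:] if t - t0 <= window}
            if len(near) > 1:
                contested |= near
        if contested:
            suspects[ip] = sorted(contested)
    return suspects


def rogue_macs(suspects, owners):
    """For each contested IP whose rightful MAC is known, list the other
    MACs: those are the ones to look up in the switch forwarding table."""
    return {ip: [m for m in macs if m != owners[ip]]
            for ip, macs in suspects.items() if ip in owners}


def unassigned_senders(records):
    """MACs seen with sender IP 0.0.0.0. Hosts that hold no address yet
    (DHCP clients, RFC 5227 ARP probes) send from 0.0.0.0, so for each MAC
    also report the real IPs it was seen with, which shows whether it
    obtained a lease afterwards."""
    last_zero = {}
    real_ips = defaultdict(set)
    for mac, ip, ts in records:
        if ip == "0.0.0.0":
            last_zero[mac] = max(last_zero.get(mac, 0), ts)
        else:
            real_ips[mac].add(ip)
    return {
        mac: {
            "last_seen_utc": datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M"),
            "later_ips": sorted(real_ips.get(mac, ())),
        }
        for mac, ts in last_zero.items()
    }


if __name__ == "__main__":
    recs = parse_arpwatch(SAMPLE_ARP_DAT)
    flips = find_flipflops(recs)
    for ip, macs in flips.items():
        print(f"{ip} claimed by {len(macs)} MACs: {', '.join(macs)}")
    for ip, macs in rogue_macs(flips, KNOWN_OWNERS).items():
        print(f"{ip}: trace these MACs on the switch: {', '.join(macs)}")
    for mac, info in unassigned_senders(recs).items():
        print(f"{mac} sent from 0.0.0.0 (last {info['last_seen_utc']} UTC), "
              f"later IPs: {info['later_ips'] or 'none'}")
```

Run it against the real arp.dat (arpwatch writes one record per line: MAC, IP, unixtime and an optional hostname, tab-separated) instead of SAMPLE_ARP_DAT. A 0.0.0.0 sender that later appears with an address is a client that simply got a lease; a MAC that keeps sending from 0.0.0.0 and never gets one is the entry worth a closer look.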