
ARP request for non-existent IP


3 replies to this topic

#1 tjdbleeping

  • Members
  • 11 posts

Posted 09 July 2009 - 04:38 PM

I have wireshark running on a host in my home network, and it seems another host on my network (that was recently cleaned of malware) is sending ARP requests for a .106 address within my network. That range of addresses is static DHCP for wired networks only in my current network configuration. Wireless hosts get a DHCP address from a different block of addresses, and only my wife's machine is logging our network according to the firewall logs. The last time there was a .106 IP address was a very long time ago. This host is the only one making ARP requests for this address. It sends them at approximately 3 minute intervals. This tells me something wants to talk to .106, and I wonder if there is still some undetected dormant malware (every scan comes up clean). I have stopped all SQL services with no effect. I don't know if there is a legit XP reason to still want to connect to that IP address.

How do I go about finding out what process is trying to talk to .106? Any ideas? I have the SysInternalsSuite, and I am a s/w engr, but not a windows programmer.

thanks in advance,
T



#2 tjdbleeping

  • Topic Starter
  • Members
  • 11 posts

Posted 12 July 2009 - 01:14 PM

I have not made any progress on this traffic. My best guess is that McAfee at one time found a device on that IP address (that would have been a long time ago) and is trying to produce a network map. McAfee does send out quite long UDP packets in order to tell which other hosts are running the McAfee stuff. I have used regmon, procmon, and wireshark together in an attempt to find out which process it is. I used wireshark to tell me when the ARP was sent, and looked through the regmon logs to see what process accessed the registry near that time. The only thing that looked possible was McAfee. I was not able to find an instance of the .106 IP address in the registry or any files - in the event some program stored it in a regular file. If there was an easy way for me to disable McAfee so I could tell for sure, I would. Since I cannot do that, and in the absence of other questionable system behavior, I am calling off the hunt.

If anyone has further ideas please let me know either in this thread or via mail.

T
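The correlation the poster describes (lining up the timestamp of each ARP request with whatever process was active at that moment in the Process Monitor log), as an added example that is not from the thread: it reads constructed Wireshark-style and Process Monitor-style CSV lines, drops ARP requests that did receive a reply, and counts which process was active within a couple of seconds of each unanswered request. The CSV layouts, addresses and process names are constructed for the example, not real tool exports.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed ARP export: "time,sender_ip,target_ip,opcode" (opcode: request|reply).
# Host .20 asks for .106 every ~3 minutes and never gets an answer; its request
# for the router (.1) is answered and should be ignored.
ARP_LOG = """\
2009-07-12 13:00:01,192.168.1.20,192.168.1.106,request
2009-07-12 13:00:02,192.168.1.20,192.168.1.1,request
2009-07-12 13:00:02,192.168.1.1,192.168.1.20,reply
2009-07-12 13:03:01,192.168.1.20,192.168.1.106,request
2009-07-12 13:06:02,192.168.1.20,192.168.1.106,request
"""

# Constructed process-activity export: "time,process,operation".
PROC_LOG = """\
2009-07-12 13:00:00,scanner.exe,RegQueryValue
2009-07-12 13:00:00,svchost.exe,RegQueryValue
2009-07-12 13:01:30,explorer.exe,ReadFile
2009-07-12 13:03:00,scanner.exe,RegQueryValue
2009-07-12 13:05:00,svchost.exe,WriteFile
2009-07-12 13:06:01,scanner.exe,UDP Send
"""

FMT = "%Y-%m-%d %H:%M:%S"

def parse(log):
    # Split each non-empty line on commas; every field stays a string.
    return [line.split(",") for line in log.strip().splitlines()]

def unanswered_requests(arp_log):
    """Return [(time, sender_ip, target_ip)] for ARP requests with no matching reply."""
    rows = parse(arp_log)
    # A reply to request (sender -> target) arrives as (target -> sender).
    replied = {(r[1], r[2]) for r in rows if r[3] == "reply"}
    return [(datetime.strptime(r[0], FMT), r[1], r[2]) for r in rows
            if r[3] == "request" and (r[2], r[1]) not in replied]

def candidate_processes(arp_log, proc_log, window_s=2):
    """Rank processes by how many unanswered ARP requests they were active within window_s of."""
    events = [(datetime.strptime(r[0], FMT), r[1]) for r in parse(proc_log)]
    window = timedelta(seconds=window_s)
    hits = Counter()
    for t, _sender, _target in unanswered_requests(arp_log):
        # Each process counts at most once per ARP request, however many events it logged.
        hits.update({proc for et, proc in events if abs(et - t) <= window})
    return hits.most_common()

if __name__ == "__main__":
    print(candidate_processes(ARP_LOG, PROC_LOG))
```

With a real capture, export the ARP frames from Wireshark and the Process Monitor events as CSV in the same timestamp format, and widen `window_s` if the two clocks are not synchronised.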

#3 gareth_f

  • Members
  • 32 posts

Posted 14 July 2009 - 02:29 AM

Maybe a shot in the dark, but maybe you could try looking at the ARP request in wireshark, and looking at the source port number. Then you can do netstat -o and see which process is using that port.

#4 gareth_f

  • Members
  • 32 posts

Posted 14 July 2009 - 03:02 AM

Well, never mind that, I forgot that ARP is a link-layer protocol and doesn't use port numbers... now I don't know!



