[c-nsp] [Forum] show arp hardware type INCOMPLETE

Church, Chuck cchurch at netcogov.com
Fri Jan 6 09:48:23 EST 2006 

If it's a worm, and all your switches are manageable, it should be
pretty easy to find.  Take a look at all the interfaces, and look for
the busiest ones, or at least the ones that have the highest packet to
byte ratios.  You should be able to trace it down to a user port pretty
quickly this way.  Do it when no users are there.


Chuck Church
Lead Design Engineer
CCIE #8776, MCNE, MCSE
Netco Government Services - Design & Implementation
1210 N. Parker Rd.
Greenville, SC 29609
Home office: 864-335-9473
Cell: 703-819-3495
cchurch at netcogov.com
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4371A48D


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Raymond Macharia
Sent: Friday, January 06, 2006 8:02 AM
To: Luis Augusto Tiani da Silva *Luist*; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] [Forum] show arp hardware type INCOMPLETE

Hi Luis,
The only way to find out is to follow Matthew's Suggestion, you need to
unplug each computer one at a time until you identfy the source of the
arp
with the said IP subnet.
I had a similar problem some months back and that is way I managed to
solve
the problem. It looks more like a worm to me

Raymond

On 1/6/06, Matthew Crocker <matthew at crocker.com> wrote:
>
>
> The IP addresses are in your routers ARP table because your router
> thinks the IPs are local.  Are you sure you don't have that network
> configured in your router someplace?   They are incomplete because
> your router cannot find the MAC Address of the machine with the IP
> address.   Your router cannot find the MAC Address because the
> machines don't exist.  You need to do 2 things,  1)  find out why
> your router thinks the 10.30/16 network is local and 2) why your
> router is getting packets destined for that network.   Next time it
> happens try unplugging one machine at a time until the problem goes
> away.  I suspect a virus/trojan/worm on your network somewhere.
>
> -Matt
>
> On Jan 6, 2006, at 5:58 AM, Luis Augusto Tiani da Silva *Luist* wrote:
>
> > I didn't make myself clear..... We have a little and simple
> > network, with a
> > server (NT) and some workstations. There no face with internet.
Those
> > address in the arp table of our router doesn't exist in our
> > network, there
> > is no workstation configured with those addresses. I've been seing
> > some docs
> > in the internet and I thought it might be a worm, CODE RED, but we
> > don't
> > have IIS in this network, and when those IP's start to appear in
> > the arp
> > table of the router, the most workstations, even the server, get
> > the network
> > connection lost and get it back, and get lost.... until we restart
the
> > machines or unplug and plug the cables from hub's/switches....
> >
> > better now? Have you ever seen this?
> > Tks!
> >
> > -----Original Message-----
> > From: Wojtek Zlobicki [mailto:wojtek.zlobicki at gmail.com]
> > Sent: quinta-feira, 5 de janeiro de 2006 23:01
> > To: Luis Augusto Tiani da Silva *Luist*
> > Cc: cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] [Forum] show arp hardware type INCOMPLETE
> >
> >
> > Where are these servers plugged into.  ARP is incomplete because
> > the servers
> > are unreachable. There is nothing wrong with seeing incomplete arp,
> > you need
> > to trace where the end devices plug into.
> >
> >
> > On 1/5/06, Luis Augusto Tiani da Silva *Luist*
<luist at riachuelo.com.br
> > <mailto:luist at riachuelo.com.br> > wrote:
> >
> > Hi all,
> >
> > All of our box at that specific lan get the network connection lost
> > and we
> > get a lot of entries in the arp table in the routers, just like you
> > posted
> > at that forum.... Soes anyone know's a solution for this problem?
> >
> > Thanks in advance.
> >
> > Luis Tiani
> >
> > P.S.: We've got this arp table:
> >
> > Protocol  Address          Age (min)  Hardware Addr   Type
Interface
> > Internet  10.30.0.40 <http://10.30.0.40>               0
Incomplete
> > ARPA
> > Internet  10.30.1.40 <http://10.30.1.40>               0
Incomplete
> > ARPA
> > Internet  10.30.0.41 <http://10.30.0.41>               0
Incomplete
> > ARPA
> > Internet    <http://10.30.1.43> 10.30.1.43              0
Incomplete
> > ARPA
> > Internet  10.30.0.42 <http://10.30.0.42>               0
Incomplete
> > ARPA
> > Internet  10.30.1.42 <http://10.30.1.42>               0
Incomplete
> > ARPA
> > Internet  10.30.0.43 <http://10.30.0.43>               0
Incomplete
> > ARPA
> > Internet  10.30.1.45 <http://10.30.1.45>               0
Incomplete
> > ARPA
> > Internet    <http://10.30.0.44> 10.30.0.44              0
Incomplete
> > ARPA
> > Internet  10.30.1.44 <http://10.30.1.44>               0
Incomplete
> > ARPA
> > Internet  10.30.0.45 <http://10.30.0.45>               0
Incomplete
> > ARPA
> > Internet  10.30.1.47 <http://10.30.1.47>               0
Incomplete
> > ARPA
> > Internet  10.30.0.46 <http://10.30.0.46>               0
Incomplete
> > ARPA
> > Internet    <http://10.30.1.46> 10.30.1.46              0
Incomplete
> > ARPA
> > Internet  10.30.0.47 <http://10.30.0.47>               0
Incomplete
> > ARPA
> > Internet  10.30.1.33 <http://10.30.1.33>               0
Incomplete
> > ARPA
> > Internet  10.30.0.32 <http://10.30.0.32>               0
Incomplete
> > ARPA
> > Internet  10.30.1.32 <http://10.30.1.32>               0
Incomplete
> > ARPA
> > Internet    <http://10.30.0.33> 10.30.0.33              0
Incomplete
> > ARPA
> > Internet  10.30.1.35 <http://10.30.1.35>               0
Incomplete
> > ARPA
> >
> > _______________________________________________
> > cisco-nsp mailing list   cisco-nsp at puck.nether.net
> > <mailto:cisco-nsp at puck.nether.net>
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > <https://puck.nether.net/mailman/listinfo/cisco-nsp>
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> > <http://puck.nether.net/pipermail/cisco-nsp/>
> >
> >
> >
> >
> >
> > --
> > ----------------------------------------
> > wojtek.zlobicki at gmail.com <mailto:wojtek.zlobicki at gmail.com>
> >
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>
> --
> Matthew S. Crocker
> Vice President
> Crocker Communications, Inc.
> Internet Division
> PO BOX 710
> Greenfield, MA 01302-0710
> http://www.crocker.com
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>



--
Raymond Macharia
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

More information about the cisco-nsp mailing list