Endpoint Protection

  • 1.  ARP SPOOFING

    Posted Jan 06, 2016 04:26 AM

    There are many ARP-spoofing protection logs (Monitors - Logs - Network Threat Protection Logs).

    Although SEP protects against these attacks, I want these logs to stop happening.

    So, what is the next step after ARP-spoofing logs appear?

     

    The log information looks like this:

    Time, Event ..... Direction, Local Host IP, Remote Host IP, Current IP..

    (What is the difference between Local Host and Current Host?)

    I don't know what I should do next.

     

    Does anybody have some advice for me?

     



  • 2.  RE: ARP SPOOFING

    Posted Jan 06, 2016 07:42 AM

    My suggestion would be to start doing packet captures and look at the traffic to see exactly what is going on.

    Troubleshooting Unsolicited Address Resolution Protocol (ARP) Requests reported by SEP



  • 3.  RE: ARP SPOOFING

    Broadcom Employee
    Posted Jan 07, 2016 01:12 PM

    If possible, could you attach the logs here?



  • 4.  RE: ARP SPOOFING

    Posted Jan 07, 2016 09:56 PM

    Here is the log file attached.

    Sorry, the logs are not in English.

     

    I'm investigating the network packets with Wireshark. (I don't have good knowledge of network protocols.)

    In the Wireshark packet logs, I found some Gratuitous_ARP traffic.

    Is this traffic related to anti_MAC spoofing?
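
The triage that the packet-capture suggestion in this thread leads to, as an added example that is not from any poster or from the vendor: it decodes ARP frames, flags gratuitous ARP (sender IP equal to target IP), and flags any IP address whose claimed MAC changes. The frames, addresses, MACs and function names are constructed for illustration.

```python
import socket
import struct

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_arp(frame):
    """Decode an Ethernet II frame carrying IPv4 ARP; return None for anything else."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"op": op, "eth_src": mac(frame[6:12]), "sha": mac(sha),
            "spa": socket.inet_ntoa(spa), "tpa": socket.inet_ntoa(tpa)}

def review(frames):
    """Return (frame index, finding, IP, MAC) tuples worth a closer look."""
    bindings, findings = {}, []
    for i, frame in enumerate(frames):
        p = parse_arp(frame)
        if p is None or p["spa"] == "0.0.0.0":  # not ARP, or an address probe
            continue
        if p["spa"] == p["tpa"]:  # sender announces its own address
            findings.append((i, "gratuitous", p["spa"], p["sha"]))
        if p["eth_src"] != p["sha"]:  # frame source disagrees with ARP payload
            findings.append((i, "sender-mac-mismatch", p["spa"], p["sha"]))
        known = bindings.setdefault(p["spa"], p["sha"])
        if known != p["sha"]:  # same IP now claimed by a different MAC
            findings.append((i, "binding-changed", p["spa"], p["sha"]))
            bindings[p["spa"]] = p["sha"]
    return findings

def build(src_mac, op, spa, tpa):
    """Construct a broadcast ARP frame for the sample data below."""
    hw = bytes.fromhex(src_mac.replace(":", ""))
    eth = b"\xff" * 6 + hw + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + hw + socket.inet_aton(spa)
    return eth + arp + b"\x00" * 6 + socket.inet_aton(tpa)

SAMPLE = [  # constructed traffic: documentation IPs, made-up MACs
    build("02:00:00:00:00:0a", 1, "192.0.2.10", "192.0.2.1"),   # ordinary request
    build("02:00:00:00:00:01", 2, "192.0.2.1", "192.0.2.10"),   # ordinary reply
    build("02:00:00:00:00:0a", 1, "192.0.2.10", "192.0.2.10"),  # gratuitous, same MAC
    build("02:00:00:00:00:99", 2, "192.0.2.1", "192.0.2.1"),    # gratuitous, new MAC for .1
]

if __name__ == "__main__":
    print(*review(SAMPLE), sep="\n")
```

Gratuitous ARP by itself is routine (address announcements at boot or failover); a `binding-changed` finding, especially for a gateway address, is the one to trace back to a switch port.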