Request who-has 192.168.x.1 (ff:ff:ff:ff:ff:ff) tell 192.168.x.1, length 50

Today a client on our IT service contract called in to report that logging into the CRM system was very slow and that they suspected a network problem. Checking via remote control showed the network was fine: ping times to both the internal network and the Internet were normal. I suspected one of three causes:

(1) a virus on the network;

(2) a loop in the network;

(3) the CRM system itself being slow.

Since I was not on site I could only check remotely, so the first step was to capture packets with tcpdump:

[root@www.itkylin.com ~]# tcpdump -nn -i em0 arp

The output consisted entirely of lines like the following, with a broadcast almost every second:

13:52:57.451700 ARP, Request who-has 192.168.1.1 (ff:ff:ff:ff:ff:ff) tell 192.168.1.1, length 50
13:52:58.473473 ARP, Request who-has 192.168.1.1 (ff:ff:ff:ff:ff:ff) tell 192.168.1.1, length 50
13:52:59.479953 ARP, Request who-has 192.168.1.1 (ff:ff:ff:ff:ff:ff) tell 192.168.1.1, length 50
13:53:00.487998 ARP, Request who-has 192.168.1.1 (ff:ff:ff:ff:ff:ff) tell 192.168.1.1, length 50
13:53:01.495925 ARP, Request who-has 192.168.1.1 (ff:ff:ff:ff:ff:ff) tell 192.168.1.1, length 50
13:53:02.503809 ARP, Request who-has 192.168.1.1 (ff:ff:ff:ff:ff:ff) tell 192.168.1.1, length 50
13:53:03.512225 ARP, Request who-has 192.168.1.1 (ff:ff:ff:ff:ff:ff) tell 192.168.1.1, length 50
13:53:04.519929 ARP, Request who-has 192.168.1.1 (ff:ff:ff:ff:ff:ff) tell 192.168.1.1, length 50
13:53:05.527866 ARP, Request who-has 192.168.1.1 (ff:ff:ff:ff:ff:ff) tell 192.168.1.1, length 50
13:53:06.535424 ARP, Request who-has 192.168.1.1 (ff:ff:ff:ff:ff:ff) tell 192.168.1.1, length 50
That was strange: why would the gateway 192.168.1.1 keep sending ARP requests asking for the MAC address of 192.168.1.1? Could the gateway have a virus? Impossible; as I recall the gateway is a TP-Link router, not a Linux box and certainly not a Windows machine, so how could it be infected? Could some machine be impersonating the IP 192.168.1.1 and sending these ARP packets? That is easy to check by looking at the source MAC address of the packets with the following command:

[root@www.itkylin.com ~]# tcpdump -ennqti em0 \( arp or icmp \)

Output:

00:b0:2c:30:01:9c > ff:ff:ff:ff:ff:ff, ARP, length 64: Request who-has 192.168.1.1 (ff:ff:ff:ff:ff:ff) tell 192.168.1.1, length 50
00:b0:2c:30:01:9c > ff:ff:ff:ff:ff:ff, ARP, length 64: Request who-has 192.168.1.1 (ff:ff:ff:ff:ff:ff) tell 192.168.1.1, length 50
The address 00:b0:2c:30:01:9c is indeed the MAC address of the gateway 192.168.1.1, so the ARP packets really do come from the gateway. It turns out the gateway keeps asking for its own MAC address: the effect is that the gateway continually broadcasts its own MAC address to every machine on the LAN. It is not an ARP virus on the gateway (I ran the same test on other networks with the same result).
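
A small checker for the pattern discussed above, added here as an example and not part of the original post: it parses the "Request who-has" lines from the tcpdump output, labels a request whose sender and target IP are identical as the gateway announcing itself (a gratuitous ARP, which is what the capture shows), and flags any frame that claims the gateway IP from a MAC other than the known gateway MAC, which is the impersonation case raised above. The gateway IP and MAC come from the capture; the last two sample lines and the MACs in them are constructed.

```python
import re
from collections import Counter

# Known gateway, taken from the capture above.
GATEWAY_IP = "192.168.1.1"
GATEWAY_MAC = "00:b0:2c:30:01:9c"

# Matches "Request who-has" lines from `tcpdump -ennqti em0 arp`; the leading
# "src > dst, ARP, length N:" part is optional so lines captured without -e
# (no MAC addresses, timestamp in front) are parsed as well.
ARP_REQ = re.compile(
    r"(?:(?P<src_mac>[0-9a-f:]{17}) > (?P<dst_mac>[0-9a-f:]{17}), ARP, length \d+: )?"
    r"Request who-has (?P<target_ip>[\d.]+)(?: \([^)]*\))? tell (?P<sender_ip>[\d.]+)"
)

def classify(line, gateway_ip, gateway_mac):
    """Return 'gratuitous', 'gateway-mac-mismatch', 'request', or None if not an ARP request."""
    m = ARP_REQ.search(line)
    if not m:
        return None
    src_mac = m.group("src_mac")
    if m.group("sender_ip") == gateway_ip and src_mac and src_mac.lower() != gateway_mac.lower():
        # A MAC other than the known gateway is speaking for the gateway IP.
        return "gateway-mac-mismatch"
    if m.group("target_ip") == m.group("sender_ip"):
        # Sender asks for its own IP: gratuitous ARP, the host announcing its own MAC.
        return "gratuitous"
    return "request"

def summarize(lines, gateway_ip, gateway_mac):
    """Count how many lines fall into each category."""
    counts = Counter()
    for line in lines:
        kind = classify(line, gateway_ip, gateway_mac)
        if kind:
            counts[kind] += 1
    return counts

# Constructed sample: the two lines from the capture above, plus a made-up frame
# from another MAC claiming the gateway IP and an ordinary request from a host.
SAMPLE = """\
00:b0:2c:30:01:9c > ff:ff:ff:ff:ff:ff, ARP, length 64: Request who-has 192.168.1.1 (ff:ff:ff:ff:ff:ff) tell 192.168.1.1, length 50
00:b0:2c:30:01:9c > ff:ff:ff:ff:ff:ff, ARP, length 64: Request who-has 192.168.1.1 (ff:ff:ff:ff:ff:ff) tell 192.168.1.1, length 50
aa:bb:cc:dd:ee:ff > ff:ff:ff:ff:ff:ff, ARP, length 64: Request who-has 192.168.1.1 (ff:ff:ff:ff:ff:ff) tell 192.168.1.1, length 50
00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ARP, length 64: Request who-has 192.168.1.1 (ff:ff:ff:ff:ff:ff) tell 192.168.1.20, length 50
""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE, GATEWAY_IP, GATEWAY_MAC))
```

To check a live box, pipe `tcpdump -ennqti em0 arp` into the script and feed `sys.stdin` to `summarize`; a non-zero "gateway-mac-mismatch" count is the case worth investigating.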

So for now the only option was to have the client install the Avira antivirus software on every computer first, then check whether the cabling on the network switch forms a loop, and at the same time check whether any of the switch's indicator lights are blinking abnormally.