Latest version: 2.1.0

Miscellaneous alerts

All alerts that do not fit in the previous categories are presented here.

wrong couple MAC/LLA

We have 2 hosts on the network:

  • host1 with MAC 02:fd:00:00:04:01 and LLA fe80::fd:ff:fe00:401
  • host2 with MAC 02:fd:00:00:05:01 and LLA fe80::fd:ff:fe00:501

We send an ICMPv6 NDP message (here an NA) that carries the MAC address of host1 and the LLA of host2:

    from scapy.all import Ether, IPv6, ICMPv6ND_NA
    wrong_na_couple = Ether(src="02:fd:00:00:04:01")/IPv6(src="fe80::fd:ff:fe00:501", dst="ff02::1")/ICMPv6ND_NA(tgt="fe80::fd:ff:fe00:401", R=0)

NDPMon detects it and raises a "wrong couple MAC/LLA in icmp6" alert:

    To: root@localhost
    Subject: NDPMon_Security_Alert: wrong couple MAC/LLA in icmp6 2:fd:0:0:4:1 fe80::fd:ff:fe00:501
    Date: Mon,  9 Jul 2012 17:38:24 +0200 (CEST)
    From: root@vnx (root)

    Reason:  :wrong couple MAC/LLA
    MAC:     :2:fd:0:0:4:1
    MAC2:    :n/a
    IPv6:    :fe80::fd:ff:fe00:501
    DNS:     :n/a

IP Multicast

We send an ICMPv6 NDP message (here an NA) with a multicast address as the source IPv6 address:

    from scapy.all import Ether, IPv6, ICMPv6ND_NA
    na_ip_multicast = Ether(src="02:fd:00:00:03:01")/IPv6(src="ff02::1", dst="ff02::1")/ICMPv6ND_NA(tgt="fe80::fd:ff:fe00:301", R=0)

NDPMon detects that the source address is a multicast IPv6 address and raises an "ip multicast" alert:

    To: root@localhost
    Subject: NDPMon_Security_Alert: ip multicast 2:fd:0:0:3:1 ff02:0:0:0:0:0:0:1
    Date: Mon,  9 Jul 2012 17:28:09 +0200 (CEST)
    From: root@vnx (root)

    Reason:  :ip multicast
    MAC:     :2:fd:0:0:3:1
    MAC2:    :n/a
    IPv6:    :ff02::1
    DNS:     :n/a
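The two checks described on this page ("wrong couple MAC/LLA" and "ip multicast") can be sketched as follows. This is an added example, not NDPMon's own code: the neighbor table, the function names and the one-LLA-per-MAC rule are assumptions made for illustration, and the sample observations are constructed from the packets and alerts shown above.

```python
import ipaddress

# Constructed neighbor table (assumption): the two hosts listed on this page.
KNOWN_NEIGHBORS = {
    "02:fd:00:00:04:01": "fe80::fd:ff:fe00:401",  # host1
    "02:fd:00:00:05:01": "fe80::fd:ff:fe00:501",  # host2
}

def normalize_mac(mac):
    """Zero-pad each octet so the alert form 2:fd:0:0:4:1 equals 02:fd:00:00:04:01."""
    octets = [int(part, 16) for part in mac.strip().split(":")]
    if len(octets) != 6 or any(not 0 <= o <= 0xFF for o in octets):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(f"{o:02x}" for o in octets)

def check_nd_source(src_mac, src_ip, neighbors=KNOWN_NEIGHBORS):
    """Return the alert reasons for one observed NDP message (empty list = clean)."""
    mac = normalize_mac(src_mac)
    ip = ipaddress.IPv6Address(src_ip)
    if ip.is_multicast:
        # A multicast address is never a valid source address.
        return ["ip multicast"]
    if not ip.is_link_local:
        return []  # only MAC/LLA pairs are checked in this sketch
    table = {normalize_mac(m): ipaddress.IPv6Address(a) for m, a in neighbors.items()}
    lla_for_mac = table.get(mac)
    macs_for_lla = {m for m, a in table.items() if a == ip}
    # Mismatch: a known MAC using another LLA, or a known LLA used by another MAC.
    if (lla_for_mac is not None and lla_for_mac != ip) or (
        macs_for_lla and mac not in macs_for_lla
    ):
        return ["wrong couple MAC/LLA"]
    return []  # pair matches the table, or both values are unknown

# Constructed observations: (source MAC, source IPv6 address).
OBSERVATIONS = [
    ("02:fd:00:00:04:01", "fe80::fd:ff:fe00:501"),  # first test packet above
    ("02:fd:00:00:03:01", "ff02::1"),               # second test packet above
    ("02:fd:00:00:05:01", "fe80::fd:ff:fe00:501"),  # legitimate NA from host2
    ("2:fd:0:0:4:1", "fe80::fd:ff:fe00:501"),       # pair as printed in the alert
]

def main():
    for mac, ip in OBSERVATIONS:
        print(mac, ip, check_nd_source(mac, ip) or "ok")

if __name__ == "__main__":
    main()
```

Because the alert mails print MAC octets without leading zeros and the subject line prints the IPv6 address uncompressed, normalizing both values before comparison is what lets an alert be matched against an inventory entry.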