Colasoft Capsa offers expert diagnosis for the following data link layer events.
| Event |
Description |
Severity |
Possible causes and solutions |
| ARP Format Illegal |
Unable to operate correctly in the Ethernet, and violate the frame format defined by RFC.e.g., source MAC address is Multicast, or the address information is disaccord between ARP and MAC header. |
Security |
In some way of falsify or forge the packets, like MITM attack. |
| ARP Request Storm |
It indicates an ARP request storm if the number of ARP request packets per second exceeds the ARP configured threshold. |
Security |
Check the source station for the application that sent the ARP requests. |
| ARP Scan |
Workstation is scanning the network address via ARP requests. |
Security |
Check the source station for the application that performs the scanning. |
| ARP Too Many Active Response |
The percentage of unrequested ARP response of a physical node is equal to or higher than the Unrequested Responses threshold. |
Security |
Check the source and target physical node for possible ARP spoofing. |