Date: Fri, 21 Apr 2000 00:04:06 -0400 (EDT)
From: miy <miyako@sakr.net>
To: cjclark@home.com
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: network replies causing system messages flooding
Message-ID: <Pine.BSF.4.10.10004202348450.7175-100000@sakr.net>
In-Reply-To: <20000419230149.B59041@cc942873-a.ewndsr1.nj.home.com>

On Wed, 19 Apr 2000, Crist J. Clark wrote:

> On Wed, Apr 19, 2000 at 01:20:49PM -0400, miy wrote:
> >
> >
> > On Mon, 17 Apr 2000, Crist J. Clark wrote:
> >
> > > On Mon, Apr 17, 2000 at 06:56:47PM -0400, miy wrote:
> > > > On Sun, 16 Apr 2000, Crist J. Clark wrote:
> > > > > On Sun, Apr 16, 2000 at 01:22:06AM -0400, miy wrote:
> > > > > >
> > > > > > I originally had a windows box [10.0.0.2] connected to my cable connection
> > > > > > through a FreeBSD gateway running natd. I recently added a second windows
> > > > > > box to the network, and it connects properly to the gateway, but I am
> > > > > > getting flooded by the following system message:
> > > > > >
> > > > > > arp: 10.0.0.4 is on ed1 but got reply from 00:80:c8:e8:ea:d7 on rl0
> > > > > > arp: 10.0.0.4 is on ed1 but got reply from 00:80:c8:e8:ea:d7 on rl0
> > > > > > arp: 10.0.0.4 is on ed1 but got reply from 00:80:c8:e8:ea:d7 on rl0
> > > > > > arp: 10.0.0.4 is on ed1 but got reply from 00:80:c8:e8:ea:d7 on rl0
> > [snip]
>
> > this is the output of ifconfig:
> >
> > rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >         inet6 fe80::2e0:29ff:fe54:a201%rl0 prefixlen 64 scopeid 0x1
> >         inet 24.114.39.136 netmask 0xfffffc00 broadcast 24.114.39.255
> >         ether 00:e0:29:54:a2:01
>
> Not here.
>
> >         media: autoselect (none) status: active
> >         supported media: autoselect 100baseTX <full-duplex> 100baseTX
> > 10baseT/UT
> > P <full-duplex> 10baseT/UTP 100baseTX <hw-loopback>
> > lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
> > ed1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >         inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
> >         inet6 fe80::240:5ff:fe71:498c%ed1 prefixlen 64 scopeid 0x3
> >         ether 00:40:05:71:49:8c
>
> Not here.
>
> > sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
> > ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
> > lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
> >         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
> >         inet6 ::1 prefixlen 128
> >         inet 127.0.0.1 netmask 0xffffff00
> > gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
> >         inet6 fe80::2e0:29ff:fe54:a201%gif0 prefixlen 64 scopeid 0x7
> >
> > and the output of arp -a is:
> >
> > sakr.net (10.0.0.1) at 0:40:5:71:49:8c permanent [ethernet]
>
> Not here.
>
> > ? (10.0.0.2) at 0:80:c6:f9:a5:55 [ethernet]
>
> Not here.
>
> > ? (10.0.0.4) at 0:e0:29:54:9f:a6 [ethernet]
> > bb1-fe1-1.ym1.on.home.net (24.114.36.1) at 0:60:5c:76:5b:21 [ethernet]
>
> Not here.
>
> > The associated hardware seems to be my network card on the windows box
> > (10.0.0.2), although these messages were not occurring when I was connected
> > to the HUB alone on the network. Ever since I added the other machine the
> > sys logs have been displaying the same errors.
>
> That MAC address in the messages does not seem to belong to any of
> your hardware. That would normally lead me to believe that the
> 10.0.0.4 address is leaking onto the net from someone else's
> setup. However, if it is coming over the cable modem, I would expect
> the MAC address to be that of your modem. I thought that's how cable
> modems bridged and that's how mine works. Could you try this,
>
>   # tcpdump -en 'ether proto \arp || host 10.0.0.4'
>
> And save the output. It might be interesting.

The following output scrolls continuously when I run:

tcpdump -en 'ether proto \arp || host 10.0.0.4'

tcpdump: listening on rl0
23:59:59.625354 0:0:ca:7:54:22 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 24.112.36.1 tell 10.3.8.60
23:59:59.647484 0:60:5c:76:5b:21 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 24.112.38.237 tell 24.112.36.1
23:59:59.670812 0:0:ca:f:0:ae ff:ff:ff:ff:ff:ff 0806 60: arp who-has 24.112.36.1 tell 10.3.7.222
23:59:59.707370 0:0:ca:e:d7:aa ff:ff:ff:ff:ff:ff 0806 60: arp who-has 24.112.36.1 tell 10.3.3.97
23:59:59.733358 0:20:a6:38:98:a3 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 24.112.34.1 tell 24.112.35.181
23:59:59.744298 0:0:b4:a2:1f:9c ff:ff:ff:ff:ff:ff 0806 60: arp who-has 24.112.192.128 tell 24.112.193.231
23:59:59.754466 0:80:c6:f9:af:e ff:ff:ff:ff:ff:ff 0806 60: arp who-has 24.112.36.1 tell 24.112.36.203
23:59:59.831735 0:60:97:99:ff:5e ff:ff:ff:ff:ff:ff 0806 60: arp who-has 24.114.0.1 tell 24.114.3.205

It seems that addresses such as 10.3.8.60 point to machines on the @home
network in the York Mills area (my district). Is this traffic caused by a
machine at my server's end in which case the provider is the cause, or is
this traffic from another machine on my subnet? I am at a loss. Whatever
the cause, is there any way I can configure the system to filter them?

Thanks again,

Frederick S.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
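
Added example, not part of the original message or of FreeBSD: the two checks made by hand in this thread, written as Python. It tests the MAC in the kernel arp warning against the MACs from ifconfig and arp -a (zero-padding octets first, since the tools print them differently), and labels each ARP sender in the tcpdump capture relative to rl0's subnet. Function names and labels are assumptions; the inputs are copied from the thread, with the capture cut to four lines.

```python
import ipaddress
import re

# Values copied from the thread: kernel warning, ether/arp -a MACs, rl0 address.
KERNEL_LINE = "arp: 10.0.0.4 is on ed1 but got reply from 00:80:c8:e8:ea:d7 on rl0"
INVENTORY = ["00:e0:29:54:a2:01", "00:40:05:71:49:8c", "0:40:5:71:49:8c",
             "0:80:c6:f9:a5:55", "0:e0:29:54:9f:a6", "0:60:5c:76:5b:21"]
RL0_ADDR = "24.114.39.136/22"  # netmask 0xfffffc00 in the ifconfig output
TCPDUMP = """\
tcpdump: listening on rl0
23:59:59.625354 0:0:ca:7:54:22 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 24.112.36.1 tell 10.3.8.60
23:59:59.647484 0:60:5c:76:5b:21 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 24.112.38.237 tell 24.112.36.1
23:59:59.754466 0:80:c6:f9:af:e ff:ff:ff:ff:ff:ff 0806 60: arp who-has 24.112.36.1 tell 24.112.36.203
23:59:59.831735 0:60:97:99:ff:5e ff:ff:ff:ff:ff:ff 0806 60: arp who-has 24.114.0.1 tell 24.114.3.205
"""

KERNEL_RE = re.compile(r"arp: (\S+) is on (\S+) but got reply from (\S+) on (\S+)")
ARP_RE = re.compile(r"^\S+ (\S+) \S+ 0806 \d+: arp who-has (\S+) tell (\S+)")

def norm_mac(mac):
    """Zero-pad each octet so 0:40:5:71:49:8c equals 00:40:05:71:49:8c."""
    return ":".join("%02x" % int(octet, 16) for octet in mac.split(":"))

def check_kernel_line(line, inventory):
    """Return (ip, expected_if, seen_if, mac, mac_is_known) or None if no match."""
    m = KERNEL_RE.search(line)
    if m is None:
        return None
    ip, expected_if, mac, seen_if = m.groups()
    known = {norm_mac(x) for x in inventory}
    return ip, expected_if, seen_if, norm_mac(mac), norm_mac(mac) in known

def classify_senders(capture, iface_addr):
    """Label each ARP request's sender relative to the capturing interface's subnet."""
    net = ipaddress.ip_interface(iface_addr).network
    rows = []
    for line in capture.splitlines():
        m = ARP_RE.match(line)
        if m is None:
            continue  # banner or non-ARP line
        mac, _target, sender = m.groups()
        addr = ipaddress.ip_address(sender)
        kind = "private" if addr.is_private else "local" if addr in net else "off-subnet"
        rows.append((norm_mac(mac), sender, kind))
    return rows

if __name__ == "__main__":
    print(check_kernel_line(KERNEL_LINE, INVENTORY))
    print(classify_senders(TCPDUMP, RL0_ADDR))
```
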