From owner-freebsd-questions  Wed Sep  4 08:33:43 1996
Return-Path: owner-questions
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.5/8.7.3) id IAA17368
          for questions-outgoing; Wed, 4 Sep 1996 08:33:43 -0700 (PDT)
Received: from dan.emsphone.com (-@dan.emsphone.com [199.67.51.101])
          by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id IAA17363
          for <questions@freebsd.org>; Wed, 4 Sep 1996 08:33:38 -0700 (PDT)
Received: (from dan@localhost) by dan.emsphone.com (8.7.5/8.7.3) id KAA08591; Wed, 4 Sep 1996 10:33:24 -0500 (CDT)
Message-Id: <199609041533.KAA08591@dan.emsphone.com>
Subject: Re: arp info overwritten
To: deischen@iworks.InterWorks.org (Daniel M. Eischen)
Date: Wed, 4 Sep 1996 10:33:24 -0500 (CDT)
Cc: paul@nation-net.com, questions@freebsd.org
In-Reply-To: <9609041351.AA12869@iworks.InterWorks.org> from "Daniel M. Eischen" at Sep 4, 96 08:51:59 am
From: dnelson@emsphone.com (Dan Nelson)
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-questions@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

in the last episode, Daniel M. Eischen said:
> > Is this message anything to worry about?
> > The 2 IPs are machines in our class C.
> >
> >  arp info overwritten for 194.159.125.100 by 00:05:02:44:5f:d1
> >  arp info overwritten for 194.159.125.110 by 00:05:02:54:3f:54
> 
> Well, it depends on if you use those machines or not ;-)
> 
> We've got a couple of FreeBSD PCs sitting in a building full of PCs
> and Macs in the same subnet.  We see this happen at least once a
> month and logged by our FreeBSD PCs.  Usually we can determine which
> machines are at fault by using tcpdump on the affected ethernet MAC
> addresses and by browsing shared DIRs (and similar
> [...]
> I don't know any other way of doing it (unless the adminstrators have
> a list of all the machines and their MAC addresses).  Maybe there's a
> better way?

If you keep a list of the ethernet addresses of all your machines in
/etc/ethers, the following patch will let the arp command display
ethernet addresses symbolically.  Then you can ping your broadcast
address to fill your route/arp table, and display the results with arp
-a.  A similar patch could probably be made to netstat (for the -r
output).

for example, my machine arps as

dan.emsphone.com (199.67.51.101) at E_dan permanent

since in /etc/ethers, I have

00:00:c0:ed:34:c7	E_dan

	-Dan Nelson
	dnelson@emsphone.com

--- /usr/src/usr.sbin/arp/arp.c	Thu Feb  8 15:05:52 1996
+++ /usr/tmp/arp.c	Mon Jul 29 18:07:03 1996
@@ -441,10 +441,18 @@
 	}
 }
 
+/*
+ * Print an ethernet address in symbolic form, or numeric if there is no name
+ */
 void
 ether_print(u_char *cp)
 {
+	char name[100];
+
+	if (ether_ntohost(name, cp))
 		printf("%x:%x:%x:%x:%x:%x", cp[0], cp[1], cp[2], cp[3], cp[4], cp[5]);
+	else
+		printf("%s", name);
 }
 
 int