Hi all,

Does anyone know if this is normal operating of ARP? Or where to start looking?

I am seeing a lot of ARP requests for my router IP from the same IP within seconds.

21:04:41.112929 arp who-has IP tell MY ROUTERS IP
21:04:41.186354 arp who-has IP tell MY ROUTERS IP
21:04:41.372972 arp who-has IP tell MY ROUTERS IP
21:04:41.546921 arp who-has IP tell MY ROUTERS IP
21:04:41.640253 arp who-has IP tell MY ROUTERS IP
21:04:42.104746 arp who-has IP tell MY ROUTERS IP
21:04:42.208952 arp who-has IP tell MY ROUTERS IP
21:04:42.212961 arp who-has IP tell MY ROUTERS IP
21:04:42.304306 arp who-has IP tell MY ROUTERS IP
21:04:42.330411 arp who-has IP tell MY ROUTERS IP
21:04:42.331394 arp who-has IP tell MY ROUTERS IP
21:04:42.332737 arp who-has IP tell MY ROUTERS IP
21:04:42.332740 arp who-has IP tell MY ROUTERS IP
21:04:42.332742 arp who-has IP tell MY ROUTERS IP
21:04:42.332744 arp who-has IP tell MY ROUTERS IP
21:04:42.332746 arp who-has IP tell MY ROUTERS IP
21:04:42.332748 arp who-has IP tell MY ROUTERS IP
21:04:42.334763 arp who-has IP tell MY ROUTERS IP
21:04:42.342436 arp who-has IP tell MY ROUTERS IP
21:04:42.344443 arp who-has IP tell MY ROUTERS IP
21:04:42.350132 arp who-has IP tell MY ROUTERS IP
21:04:42.352140 arp who-has IP tell MY ROUTERS IP
21:04:42.358496 arp who-has IP tell MY ROUTERS IP
21:04:42.360168 arp who-has IP tell MY ROUTERS IP
21:04:42.360172 arp who-has IP tell MY ROUTERS IP
21:04:42.362177 arp who-has IP tell MY ROUTERS IP
21:04:42.362180 arp who-has IP tell MY ROUTERS IP
21:04:42.364189 arp who-has IP tell MY ROUTERS IP
21:04:42.366203 arp who-has IP tell MY ROUTERS IP
21:04:42.368200 arp who-has IP tell MY ROUTERS IP
21:04:42.369542 arp who-has IP tell MY ROUTERS IP
21:04:42.370208 arp who-has IP tell MY ROUTERS IP
21:04:42.370211 arp who-has IP tell MY ROUTERS IP
21:04:42.370877 arp who-has IP tell MY ROUTERS IP
21:04:42.372884 arp who-has IP tell MY ROUTERS IP
21:04:42.376232 arp who-has IP tell MY ROUTERS IP
21:04:42.376898 arp who-has IP tell MY ROUTERS IP
21:04:42.377233 arp who-has IP tell MY ROUTERS IP
21:04:42.377901 arp who-has IP tell MY ROUTERS IP
21:04:42.378242 arp who-has IP tell MY ROUTERS IP
21:04:42.378245 arp who-has IP tell MY ROUTERS IP
21:04:42.378247 arp who-has IP tell MY ROUTERS IP
Craig Van Ham wrote:
>
> Does anyone know if this is normal operating of ARP? Or where to
> start looking?
>
> I am seeing a lot of ARP requests for my router IP from the same IP
> within seconds.
>

I have seen this. Now I have to remember where! I think that Netbios browser if configured for Wins-B mode does this. Unless there is a Wins server on the subnet.

Per the RFC, an implementation SHOULD maintain an ARP table entry for 10 minutes from the last time of use (i.e. 10 minutes of inactivity). The 10 minute value was determined by two teams of Comer's grad students: Which team could bring the DEC down, swap the Ethernet board, and get the system back up. The winning team did it in 10 minutes. Ah, such practical engineering methodologies :)

Many implementations now NEVER age out ARP table entries. They are stuck there until they detect an ARP reply (sent out by many systems once they are up and running).
Craig Van Ham wrote:
>
> Hi all,
>
> Does anyone know if this is normal operating of ARP... Or where to
> start looking...
>
> I am seeing a lot of ARP requests for my router IP from the same IP
> within seconds.
>
> 21:04:41.112929 arp who-has IP tell MY ROUTERS IP
> 21:04:41.186354 arp who-has IP tell MY ROUTERS IP
> 21:04:41.372972 arp who-has IP tell MY ROUTERS IP
> 21:04:41.546921 arp who-has IP tell MY ROUTERS IP
> 21:04:41.640253 arp who-has IP tell MY ROUTERS IP
> 21:04:42.104746 arp who-has IP tell MY ROUTERS IP
> 21:04:42.208952 arp who-has IP tell MY ROUTERS IP
> 21:04:42.212961 arp who-has IP tell MY ROUTERS IP
> 21:04:42.304306 arp who-has IP tell MY ROUTERS IP
> 21:04:42.330411 arp who-has IP tell MY ROUTERS IP
> 21:04:42.331394 arp who-has IP tell MY ROUTERS IP
> 21:04:42.332737 arp who-has IP tell MY ROUTERS IP
> 21:04:42.332740 arp who-has IP tell MY ROUTERS IP
> 21:04:42.332742 arp who-has IP tell MY ROUTERS IP
> 21:04:42.332744 arp who-has IP tell MY ROUTERS IP
> 21:04:42.332746 arp who-has IP tell MY ROUTERS IP
> 21:04:42.332748 arp who-has IP tell MY ROUTERS IP
> 21:04:42.334763 arp who-has IP tell MY ROUTERS IP
> 21:04:42.342436 arp who-has IP tell MY ROUTERS IP
> 21:04:42.344443 arp who-has IP tell MY ROUTERS IP
> 21:04:42.350132 arp who-has IP tell MY ROUTERS IP
> 21:04:42.352140 arp who-has IP tell MY ROUTERS IP
> 21:04:42.358496 arp who-has IP tell MY ROUTERS IP
> 21:04:42.360168 arp who-has IP tell MY ROUTERS IP
> 21:04:42.360172 arp who-has IP tell MY ROUTERS IP
> 21:04:42.362177 arp who-has IP tell MY ROUTERS IP
> 21:04:42.362180 arp who-has IP tell MY ROUTERS IP
> 21:04:42.364189 arp who-has IP tell MY ROUTERS IP
> 21:04:42.366203 arp who-has IP tell MY ROUTERS IP
> 21:04:42.368200 arp who-has IP tell MY ROUTERS IP
> 21:04:42.369542 arp who-has IP tell MY ROUTERS IP
> 21:04:42.370208 arp who-has IP tell MY ROUTERS IP
> 21:04:42.370211 arp who-has IP tell MY ROUTERS IP
> 21:04:42.370877 arp who-has IP tell MY ROUTERS IP
> 21:04:42.372884 arp who-has IP tell MY ROUTERS IP
> 21:04:42.376232 arp who-has IP tell MY ROUTERS IP
> 21:04:42.376898 arp who-has IP tell MY ROUTERS IP
> 21:04:42.377233 arp who-has IP tell MY ROUTERS IP
> 21:04:42.377901 arp who-has IP tell MY ROUTERS IP
> 21:04:42.378242 arp who-has IP tell MY ROUTERS IP
> 21:04:42.378245 arp who-has IP tell MY ROUTERS IP
> 21:04:42.378247 arp who-has IP tell MY ROUTERS IP
>

Is this a Cisco 678???

-ed-
Craig Van Ham wrote:
>
> Does anyone know if this is normal operating of ARP? Or where to
> start looking?
>
> I am seeing a lot of ARP requests for my router IP from the same IP
> within seconds.
>
> 21:04:41.112929 arp who-has IP tell MY ROUTERS IP
>

Get us the MAC address that is asking. This will give us the card manufacturer, which will then, perhaps, tell you which system on your network is the culprit.
Bob Chiodini wrote:
>
> Robert Moskowitz wrote:
>> Craig Van Ham wrote:
>>>
>>> Does anyone know if this is normal operating of ARP? Or where to
>>> start looking?
>>>
>>> I am seeing a lot of ARP requests for my router IP from the same IP
>>> within seconds.
>>>
>>> 21:04:41.112929 arp who-has IP tell MY ROUTERS IP
>>>
>> Get us the MAC address that is asking. This will give us the card
>> manufacturer, which will then, perhaps tell you which system on your
>> network is the culprit.
>>
> It looks like it's his router that is asking and the requested device
> is not responding. Is the "who-has IP" address up and valid?

It would be interesting to know what IP address is being asked for. For example, this is the router asking, and of course the router's interface is statically configured, and the address it is looking for is either its:

The DNS server
The NTP server
The SYSLOG server
The COPS policy server (yeah, like anyone has implemented COPS and if they did, this would be an anycast)

The SYSLOG server has my bet, as a router configured for remote syslogging will always have something to send to its syslog...
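
An added example, not part of the original thread: the two things the replies ask for (the source MAC of the requester and the IP address being asked for) can be pulled from a capture and checked for bursts like this. It assumes lines in the format printed by `tcpdump -e -n arp`; the capture, MAC addresses and IP addresses below are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed capture in the assumed `tcpdump -e -n arp` line format.
# MACs are from the RFC 7042 documentation range, IPs from RFC 5737.
SAMPLE = """\
21:04:40.000100 00:00:5e:00:53:14 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.0.2.1 tell 192.0.2.20, length 46
21:04:40.000350 00:00:5e:00:53:01 > 00:00:5e:00:53:14, ethertype ARP (0x0806), length 60: Reply 192.0.2.1 is-at 00:00:5e:00:53:01, length 46
21:04:41.112929 00:00:5e:00:53:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.0.2.50 tell 192.0.2.1, length 46
21:04:42.330411 00:00:5e:00:53:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.0.2.50 tell 192.0.2.1, length 46
21:04:42.331394 00:00:5e:00:53:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.0.2.50 tell 192.0.2.1, length 46
21:04:42.332737 00:00:5e:00:53:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.0.2.50 tell 192.0.2.1, length 46
21:04:42.332740 00:00:5e:00:53:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.0.2.50 tell 192.0.2.1, length 46
21:04:42.334763 00:00:5e:00:53:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.0.2.50 tell 192.0.2.1, length 46
"""

ARP_REQ = re.compile(
    r"^(\d\d):(\d\d):(\d\d\.\d+) (?P<mac>[0-9a-f]{2}(?::[0-9a-f]{2}){5}) > "
    r".*?who-has (?P<target>[\d.]+) .*?tell (?P<sender>[\d.]+)", re.I)

def parse_requests(text):
    """Yield (seconds_since_midnight, src_mac, sender_ip, target_ip) per ARP request."""
    for line in text.splitlines():
        m = ARP_REQ.match(line)
        if m:  # replies and other lines carry no "who-has" and are skipped
            t = int(m[1]) * 3600 + int(m[2]) * 60 + float(m[3])
            yield t, m["mac"].lower(), m["sender"], m["target"]

def find_bursts(text, window=1.0, threshold=5):
    """Map (mac, sender, target) to its peak request count in any `window` seconds."""
    times = defaultdict(list)
    for t, mac, sender, target in parse_requests(text):
        times[(mac, sender, target)].append(t)
    bursts = {}
    for key, ts in times.items():
        ts.sort()
        peak = start = 0
        for end in range(len(ts)):  # two-pointer sliding window over sorted times
            while ts[end] - ts[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[key] = peak
    return bursts

if __name__ == "__main__":
    for (mac, sender, target), peak in find_bursts(SAMPLE).items():
        # mac[:8] is the OUI (vendor prefix) to look up in the IEEE registry
        print(f"{sender} ({mac}, OUI {mac[:8]}) asked for {target} {peak}x in 1s")
```

The reported target address is the one to check for reachability, and the OUI narrows down which device on the segment is sending the requests.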