thr3ads.net - freebsd security - arp problem in /var/log/messages [Jan 2004]

If this information is useful, please help other people find it:
Share via:

Spades

2004-Jan-18 04:14 UTC

arp problem in /var/log/messages

hi all, i got flooded by these msgs like 1000+ lines, any idea?
my kernel is dated Nov-30 FreeBSD 4.9-stable

# tail -f /var/log/messages
Jan 18 19:43:23 xb /kernel: arp: 202.79.180.1 moved from 00:04:5a:49:eb:74
to 00:50:0f:4f:c0:00 on rl0
Jan 18 19:45:06 xb /kernel: arp: 202.79.180.1 moved from 00:50:0f:4f:c0:00
to 00:04:5a:49:eb:74 on rl0
Jan 18 19:45:18 xb /kernel: arp: 202.79.180.1 moved from 00:04:5a:49:eb:74
to 00:50:0f:4f:c0:00 on rl0
Jan 18 19:45:41 xb /kernel: arp: 202.79.180.1 moved from 00:50:0f:4f:c0:00
to 00:04:5a:49:eb:74 on rl0
Jan 18 19:45:45 xb /kernel: arp: 202.79.180.1 moved from 00:04:5a:49:eb:74
to 00:50:0f:4f:c0:00 on rl0

thanks and regards,

John

Dan Airinen

2004-Jan-18 05:56 UTC

head link

arp problem in /var/log/messages

Hi,

you might want to check that you dont have a two machines/devices in your
network sharing the same IP-address.

Of course there is a possibility of some one doing sniffing in your
network.

On Sun, 18 Jan 2004, Spades wrote:
> hi all, i got flooded by these msgs like 1000+ lines, any idea?
> my kernel is dated Nov-30 FreeBSD 4.9-stable
>
> # tail -f /var/log/messages
> Jan 18 19:43:23 xb /kernel: arp: 202.79.180.1 moved from 00:04:5a:49:eb:74
> to 00:50:0f:4f:c0:00 on rl0
> Jan 18 19:45:06 xb /kernel: arp: 202.79.180.1 moved from 00:50:0f:4f:c0:00
> to 00:04:5a:49:eb:74 on rl0
> Jan 18 19:45:18 xb /kernel: arp: 202.79.180.1 moved from 00:04:5a:49:eb:74
> to 00:50:0f:4f:c0:00 on rl0
> Jan 18 19:45:41 xb /kernel: arp: 202.79.180.1 moved from 00:50:0f:4f:c0:00
> to 00:04:5a:49:eb:74 on rl0
> Jan 18 19:45:45 xb /kernel: arp: 202.79.180.1 moved from 00:04:5a:49:eb:74
> to 00:50:0f:4f:c0:00 on rl0
>
> thanks and regards,
>
> John
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to
"freebsd-security-unsubscribe@freebsd.org"
>

Maciej Cetler

2004-Jan-18 07:35 UTC

head link

arp problem in /var/log/messages

On Sun, Jan 18, 2004 at 08:14:29PM +0800, Spades wrote:> hi all, i got flooded by these msgs like 1000+ lines, any idea?
> my kernel is dated Nov-30 FreeBSD 4.9-stable
> 
> # tail -f /var/log/messages
> Jan 18 19:43:23 xb /kernel: arp: 202.79.180.1 moved from 00:04:5a:49:eb:74
> to 00:50:0f:4f:c0:00 on rl0
> Jan 18 19:45:06 xb /kernel: arp: 202.79.180.1 moved from 00:50:0f:4f:c0:00
> to 00:04:5a:49:eb:74 on rl0
> Jan 18 19:45:18 xb /kernel: arp: 202.79.180.1 moved from 00:04:5a:49:eb:74
> to 00:50:0f:4f:c0:00 on rl0
> Jan 18 19:45:41 xb /kernel: arp: 202.79.180.1 moved from 00:50:0f:4f:c0:00
> to 00:04:5a:49:eb:74 on rl0
> Jan 18 19:45:45 xb /kernel: arp: 202.79.180.1 moved from 00:04:5a:49:eb:74
> to 00:50:0f:4f:c0:00 on rl0
looks like someone is using tools like ettercap.

airot

jan.muenther@nruns.com

2004-Jan-18 08:00 UTC

head link

arp problem in /var/log/messages

> 
> looks like someone is using tools like ettercap.
It could either be that - ARP cache poisoning - or some sort of clustering
software which uses changing MAC addresses (seen that).

horio shoichi

2004-Jan-18 10:44 UTC

head link

arp problem in /var/log/messages

On Sun, 18 Jan 2004 20:14:29 +0800
"Spades" <spades@galaxynet.org> wrote:> hi all, i got flooded by these msgs like 1000+ lines, any idea?
> my kernel is dated Nov-30 FreeBSD 4.9-stable
> 
> # tail -f /var/log/messages
> Jan 18 19:43:23 xb /kernel: arp: 202.79.180.1 moved from 00:04:5a:49:eb:74
> to 00:50:0f:4f:c0:00 on rl0
> Jan 18 19:45:06 xb /kernel: arp: 202.79.180.1 moved from 00:50:0f:4f:c0:00
> to 00:04:5a:49:eb:74 on rl0
> Jan 18 19:45:18 xb /kernel: arp: 202.79.180.1 moved from 00:04:5a:49:eb:74
> to 00:50:0f:4f:c0:00 on rl0
> Jan 18 19:45:41 xb /kernel: arp: 202.79.180.1 moved from 00:50:0f:4f:c0:00
> to 00:04:5a:49:eb:74 on rl0
> Jan 18 19:45:45 xb /kernel: arp: 202.79.180.1 moved from 00:04:5a:49:eb:74
> to 00:50:0f:4f:c0:00 on rl0
> 
> thanks and regards,
> 
> John
> 
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
"freebsd-questions-unsubscribe@freebsd.org"
> 
# sysctl net.link.ether.inet.log_arp_wrong_iface=1

should mask the messages.



horio shoichi

Lyle Evans

2004-Jan-18 11:20 UTC

head link

arp problem in /var/log/messages

At 07:14 AM 01/18/04, you wrote:>hi all, i got flooded by these msgs like 1000+ lines, any idea?
>my kernel is dated Nov-30 FreeBSD 4.9-stable
>
># tail -f /var/log/messages
>Jan 18 19:43:23 xb /kernel: arp: 202.79.180.1 moved from 00:04:5a:49:eb:74
>to 00:50:0f:4f:c0:00 on rl0
>Jan 18 19:45:06 xb /kernel: arp: 202.79.180.1 moved from 00:50:0f:4f:c0:00
>to 00:04:5a:49:eb:74 on rl0
>Jan 18 19:45:18 xb /kernel: arp: 202.79.180.1 moved from 00:04:5a:49:eb:74
>to 00:50:0f:4f:c0:00 on rl0
>Jan 18 19:45:41 xb /kernel: arp: 202.79.180.1 moved from 00:50:0f:4f:c0:00
>to 00:04:5a:49:eb:74 on rl0
>Jan 18 19:45:45 xb /kernel: arp: 202.79.180.1 moved from 00:04:5a:49:eb:74
>to 00:50:0f:4f:c0:00 on rl
You have a Linksys and Cisco device fighting over a IP address either
they both think they own the address or one or maybe both are proxy arping
for the address. The fields 00:04:5a:49:eb:74 & 00:50:0f:4f:c0:00 are
the ethernet address of the Linksys and Cisco devices respectively.

Regards,
Lyle Evans
evansl@rackears.com
rackmount brackets for many networking and ISP equipment chassises
http://www.rackears.com

Mark

2004-Jan-20 20:24 UTC

head link

arp problem in /var/log/messages

But what causes them ? I get them too.

> On Sun, 18 Jan 2004 20:14:29 +0800
> "Spades" <spades@galaxynet.org> wrote:
> > hi all, i got flooded by these msgs like 1000+ lines, any idea?
> > my kernel is dated Nov-30 FreeBSD 4.9-stable
> >
> > # tail -f /var/log/messages
> > Jan 18 19:43:23 xb /kernel: arp: 202.79.180.1 moved from
00:04:5a:49:eb:74> > to 00:50:0f:4f:c0:00 on rl0
> > Jan 18 19:45:06 xb /kernel: arp: 202.79.180.1 moved from
00:50:0f:4f:c0:00> > to 00:04:5a:49:eb:74 on rl0
> > Jan 18 19:45:18 xb /kernel: arp: 202.79.180.1 moved from
00:04:5a:49:eb:74> > to 00:50:0f:4f:c0:00 on rl0
> > Jan 18 19:45:41 xb /kernel: arp: 202.79.180.1 moved from
00:50:0f:4f:c0:00> > to 00:04:5a:49:eb:74 on rl0
> > Jan 18 19:45:45 xb /kernel: arp: 202.79.180.1 moved from
00:04:5a:49:eb:74> > to 00:50:0f:4f:c0:00 on rl0
> >
> > thanks and regards,
> >
> > John
> >
> > _______________________________________________
> > freebsd-questions@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to
"freebsd-questions-unsubscribe@freebsd.org"> >
>
> # sysctl net.link.ether.inet.log_arp_wrong_iface=1
>
> should mask the messages.
>
>
>
> horio shoichi
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
"freebsd-questions-unsubscribe@freebsd.org">

Bjoern A. Zeeb

2004-Jan-20 22:01 UTC

head link

arp problem in /var/log/messages

On Tue, 20 Jan 2004, Mark wrote:
> But what causes them ? I get them too.
one host, two NICs same braodcast domain ?

-- 
Bjoern A. Zeeb				bzeeb at Zabbadoz dot NeT
56 69 73 69 74				http://www.zabbadoz.net/

Seemingly Similar Threads

Search for more possibly parallel threads

freebsd security - Jan 2004 - arp problem in /var/log/messages

arp problem in /var/log/messages

arp problem in /var/log/messages

arp problem in /var/log/messages

arp problem in /var/log/messages

arp problem in /var/log/messages

arp problem in /var/log/messages

arp problem in /var/log/messages

arp problem in /var/log/messages

Seemingly Similar Threads