Re: ARP Problem ???

["Robert Moskowitz" <rgm@xxxxxxxxxxxxxxx>]

Craig Van Ham wrote:
> It's multiple IPs of clients on the network.
>   
Can you look at the ARP table in your router?
In your pervious note you only had one client address, but I believe you 
in your statement about multiple addresses.
If the ARP requests match what is in the ARP table then perhaps:

We are seeing keep-alives.
Do you see any traffic to the addresses from outside after an ARP response?
This COULD be Bell Canada (I did a look up on your address range at 
dnsstuff.com) checking out what your addresses are being used for.

If the addresses being ARPed are NOT in the ARP cache (and not addresses 
of clients systems) then perhaps:

Your router is being hit with attacks across your allocation range, and 
it is doing nothing more than trying to forward those attack packets inward.

So you want some information from your router. Is this just something 
your router is doing on its own, or is this due to an external event.
> -----Original Message-----
> From: centos-bounces@xxxxxxxxxx [mailto:centos-bounces@xxxxxxxxxx] On Behalf
> Of Robert Moskowitz
> Sent: Tuesday, June 12, 2007 8:19 AM
> To: CentOS mailing list
> Subject: Re:  ARP Problem ???
>
> Bob Chiodini wrote:
>   
> > Robert Moskowitz wrote:
> >     
> > > Craig Van Ham wrote:
> > >       
> > > > Does any one know if this is normal operating of ARP. Or where to 
> > > > start looking.
> > > >
> > > > I am seeing a lot of ARP requests for my router IP from the same IP 
> > > > within seconds.
> > > >
> > > >
> > > > 21:04:41.112929 arp who-has IP tell MY ROUTERS IP
> > > >
> > > >         
> > > Get us the MAC address that is asking. This will give us the card 
> > > manufacturer, which will then, perhaps tell you which system on your 
> > > network is the culprit.
> > >
> > > _______________________________________________
> > > CentOS mailing list
> > > CentOS@xxxxxxxxxx
> > > http://lists.centos.org/mailman/listinfo/centos
> > >       
> > It looks like it's his router that is asking and the requested device 
> > is not responding.  Is the "who-has IP" address up and valid?
> >     
> It would be interesting to know what IP address is being asked for. 
>
> For example, this is the router asking, and of course the router's 
> interface is statically configured, and the address it is looking for is 
> either its:
>
> The DNS server
> The NTP server
> The SYSLOG server
> The COPS policy server (yeah, like anyone has implemented COPS and if 
> they did, this would be an anycast)
>
>
> The SYSLOG server has my bet, as a router, configured for remote 
> syslogging will always have something to send to its syslog...
>
>
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> http://lists.centos.org/mailman/listinfo/centos
>
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> http://lists.centos.org/mailman/listinfo/centos
>
>   
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos