I looked through RFC826 and it seems that the operation performed by Lars was a Bad Thing. RFC826 input processing explicitly suggests us to update ARP cache entry without checking arp operation type. therefore, it is unsafe to transmit ARP_REQUEST with spoofed IP source address - it will overwrite ARP entries of neighbors. itojun