At the moment in my network, about 1500 users exist. After getting neighbour table overflow messages, I increase net.ipv4.neigh.default.gc_thresh3 to 30000 suddenly I get an arp table size of 8000 entries. Most of the entries are Incomplete-Failed entries like "? (10.8.223.31) at <incomplete> on eth4" When I tcpdump on the interface with 10.8 IP subnet: # tcpdump -e -i eth4 -nn arp 10:18:48.131616 00:15:17:88:e3:b9 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: arp who-has 10.8.233.194 tell 212.156.156.156 10:18:48.150625 00:15:17:88:e3:b9 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: arp who-has 10.8.86.188 tell 212.156.156.156 ... Lots of arp whois exist. Interesting thing is all of them seems originating from my own machine. 00:15:17:88:e3:b9 is the mac address of eth4 which has 10.8.0.1 IP address. I checked machine for any scanner. No scanner is running. The IP shown as 212.156.156.156 is the IP addresss which is on eth1. This is also interesting. some kernel variables are: net.ipv4.conf.all.arp_accept = 0 net.ipv4.conf.all.arp_ignore = 0 net.ipv4.conf.all.arp_announce = 0 net.ipv4.conf.all.arp_filter = 0 net.ipv4.conf.all.proxy_arp = 0 Can you show me some hint about the problem? Best Regards, Oğuz Yılmaz -- To unsubscribe from this list: send the line "unsubscribe linux-net" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
