On Mon 02/12/2002 at 21:28, andre.correa@pobox.com wrote:
> But there is still a question for me. Looking at my arp table, I
> see that there are =~ 150 entries, seconds passing and more entries
> coming, 20 seconds after I can have =~1100, it goes on until it reaches
> =~2200 entries, then it goes back to the =~100 and starts over again. Weird...
> I have less than 50 NAT users. Is it normal to have so many ARP
> entries with this variation? Looking at the ARP table I see my "Internet"
> interface with lots of entries, with internet host IP addresses and my
> gateway's NIC MAC address.
> Isn't ARP supposed to keep entries just to local network systems?

Yes it is. ARP is supposed to keep track of IP/MAC associations for
networks directly routed to the interface, i.e. directly connected, aka local LANs.

> Is it all normal? And if so, how big can gc_thresh[1,2,3] be?

It is not normal. You should monitor ARP traffic on your network using
arpwatch (see Freshmeat, available as .deb, .rpm too) to see whether someone
is playing with ARP cache poisoning (see http://www.arp-sk.org/).

-- 
Cédric Blancher <blancher@cartel-securite.fr>
IT systems and networks security expert - Cartel Sécurité
Phone : +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
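The symptom described in this thread (ARP entries for Internet hosts, all carrying one MAC on the Internet-facing interface) can be checked mechanically. The following is an added example, not part of the original message: it parses text in the Linux `/proc/net/arp` layout and reports entries outside each interface's directly connected prefixes, plus any MAC that answers for more than one IP. The interface names, prefixes and sample table are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in /proc/net/arp layout (documentation address ranges).
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.0.2.1        0x1         0x2         00:00:5e:00:53:01     *        eth0
198.51.100.7     0x1         0x2         00:00:5e:00:53:01     *        eth0
203.0.113.9      0x1         0x2         00:00:5e:00:53:01     *        eth0
203.0.113.40     0x1         0x0         00:00:00:00:00:00     *        eth0
10.0.0.12        0x1         0x2         00:00:5e:00:53:a2     *        eth1
10.0.0.13        0x1         0x2         00:00:5e:00:53:a3     *        eth1
"""

# Assumed on-link prefixes per interface; adjust to the real addressing plan.
LOCAL_NETS = {"eth0": ["192.0.2.0/24"], "eth1": ["10.0.0.0/24"]}

ATF_COM = 0x2  # kernel flag: entry is resolved (has a real MAC)

def parse_arp(text):
    """Turn /proc/net/arp-style text into a list of entry dicts."""
    entries = []
    for line in text.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) != 6:
            continue                            # ignore malformed lines
        entries.append({"ip": ipaddress.ip_address(f[0]),
                        "flags": int(f[2], 16),
                        "mac": f[3].lower(),
                        "dev": f[5]})
    return entries

def audit(entries, local_nets, max_ips_per_mac=1):
    """Return (off_link entries, MACs that resolved for too many IPs)."""
    nets = {d: [ipaddress.ip_network(n) for n in ns]
            for d, ns in local_nets.items()}
    off_link, by_mac = [], defaultdict(set)
    for e in entries:
        if not any(e["ip"] in n for n in nets.get(e["dev"], [])):
            off_link.append((e["dev"], str(e["ip"]), e["mac"]))
        if e["flags"] & ATF_COM:                # count resolved entries only
            by_mac[(e["dev"], e["mac"])].add(str(e["ip"]))
    shared = {k: sorted(v) for k, v in by_mac.items()
              if len(v) > max_ips_per_mac}
    return off_link, shared

if __name__ == "__main__":
    off, shared = audit(parse_arp(SAMPLE_ARP), LOCAL_NETS)
    for dev, ip, mac in off:
        print(f"off-link entry on {dev}: {ip} -> {mac}")
    for (dev, mac), ips in shared.items():
        print(f"{mac} on {dev} answers for {len(ips)} IPs: {', '.join(ips)}")
```

On a live host, pass the contents of `/proc/net/arp` to `parse_arp` instead of the sample; a steadily growing off-link list on one interface matches the behaviour reported in the question.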