On Tue, Dec 03, 2002 at 02:08:54PM +0100, Cedric Blancher wrote: > Le lun 02/12/2002 à 21:28, andre.correa@pobox.com a écrit : > > But there is still a question for me. Looking at my arp table, I > > see that there are =~ 150 entries, seconds passing and more entries > > coming, 20 seconds after I can have =~1100, it goes on until it reachs > > =~2200 entries, then it goes back to the =~100 and starts over again. > > Wierd... Weird, certainly... haven't seen anything like this before. <snip> > It is not normal. You should monitor ARP traffic on your network using > arpwatch (see Freshmeat, available as .deb, .rpm too) to see if someone > would be playing ARP cache poisoning (see http://www.arp-sk.org/). I haven't looked at arpwatch recetly, but presumably that will just scream blue bloody murder. What does tcpdump -npevvvi <<interface>> arp look like? The original paragraph of: > > I have less then 50 NAT users. Is it normal to have some many ARP > > entries with this variation? Looking the ARP table I see my "Internet" > > interface with lots of entries, with internet host IP addresses and my > > gateway's NIC MAC address. Isn't quite as clear as required. Andre, any chance you could cut and paste a few examples, so we can try to understand the symptoms a bit better? -- FunkyJesus System Administration Team
