From: Christer Solskogen
Date: Thu, 15 May 2008 09:14:02 +0200
To: Jon Radel
Cc: freebsd-questions@freebsd.org
Subject: Re: arplookup 0.0.0.0 failed: host is not on local network

Jon Radel wrote:

> to see what you can catch.
>

First of all, thanks for taking time to help me on this.

[root@shine ~]# tcpdump -vvv -n -l -e arp
tcpdump: listening on nfe0, link-type EN10MB (Ethernet), capture size 96 bytes
08:58:46.337968 00:1d:60:36:34:a6 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 192.168.0.3 tell 192.168.0.12
08:58:46.337974 00:18:f3:29:d8:15 > 00:1d:60:36:34:a6, ethertype ARP (0x0806), length 42: arp reply 192.168.0.3 is-at 00:18:f3:29:d8:15
08:59:46.842884 00:1d:60:36:34:a6 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 192.168.0.3 tell 192.168.0.12
08:59:46.842890 00:18:f3:29:d8:15 > 00:1d:60:36:34:a6, ethertype ARP (0x0806), length 42: arp reply 192.168.0.3 is-at 00:18:f3:29:d8:15
09:00:47.349826 00:1d:60:36:34:a6 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 192.168.0.3 tell 192.168.0.12
09:00:47.349833 00:18:f3:29:d8:15 > 00:1d:60:36:34:a6, ethertype ARP (0x0806), length 42: arp reply 192.168.0.3 is-at 00:18:f3:29:d8:15
09:01:47.854742 00:1d:60:36:34:a6 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 192.168.0.3 tell 192.168.0.12
09:01:47.854748 00:18:f3:29:d8:15 > 00:1d:60:36:34:a6, ethertype ARP (0x0806), length 42: arp reply 192.168.0.3 is-at 00:18:f3:29:d8:15
09:02:48.359670 00:1d:60:36:34:a6 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 192.168.0.3 tell 192.168.0.12
09:02:48.359677 00:18:f3:29:d8:15 > 00:1d:60:36:34:a6, ethertype ARP (0x0806), length 42: arp reply 192.168.0.3 is-at 00:18:f3:29:d8:15
09:03:48.864618 00:1d:60:36:34:a6 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 192.168.0.3 tell 192.168.0.12
09:03:48.864624 00:18:f3:29:d8:15 > 00:1d:60:36:34:a6, ethertype ARP (0x0806), length 42: arp reply 192.168.0.3 is-at 00:18:f3:29:d8:15
09:04:49.370546 00:1d:60:36:34:a6 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 192.168.0.3 tell 192.168.0.12
09:04:49.370551 00:18:f3:29:d8:15 > 00:1d:60:36:34:a6, ethertype ARP (0x0806), length 42: arp reply 192.168.0.3 is-at 00:18:f3:29:d8:15

There is this line saying:
00:1d:60:36:34:a6 > ff:ff:ff:ff:ff:ff
and nothing has ff:ff:ff:ff:ff:ff as a MAC address :)

[root@shine ~]# tcpdump -vvv -n -l -e -s 128 arp or ip | grep 0.0.0.0
tcpdump: listening on nfe0, link-type EN10MB (Ethernet), capture size 128 bytes
09:10:51.405030 00:18:f3:29:d8:15 > 00:01:c0:03:7c:09, ethertype IPv4 (0x0800), length 66: (tos 0x10, ttl 64, id 58427, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 0 (->6565)!) 192.168.0.3.22 > 62.97.242.6.61121: ., cksum 0xf139 (incorrect (-> 0x5ca1), 13136:13136(0) ack 481 win 8320
09:11:42.703020 00:01:c0:03:7c:09 > 00:18:f3:29:d8:15, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 53, id 17642, offset 0, flags [DF], proto TCP (6), length 52) 82.137.33.24.35497 > 192.168.0.3.52332: ., cksum 0x7181 (correct), 938:938(0) ack 843885 win 65160
09:11:51.809030 00:01:c0:03:7c:09 > 00:18:f3:29:d8:15, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 53, id 19037, offset 0, flags [DF], proto TCP (6), length 52) 82.137.33.24.35497 > 192.168.0.3.52332: ., cksum 0x2a5b (correct), 1135:1135(0) ack 982794 win 65160

$ arp -a
hugs.carebears.lan (192.168.0.1) at 00:01:c0:03:7c:09 on nfe0 [ethernet]
shine (192.168.0.3) at 00:18:f3:29:d8:15 on nfe0 permanent [ethernet]
funshine.carebears.lan (192.168.0.12) at 00:1d:60:36:34:a6 on nfe0 [ethernet]
? (192.168.0.255) at ff:ff:ff:ff:ff:ff on nfe0 permanent [ethernet]

I'll take your tip on shutting down one machine at a time to see which machine does this. Somehow I suspect my Windows 2008 Server box :)

-- 
chs
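
Added example, not part of the original message: in `grep 0.0.0.0` the dots are regex wildcards, so the three lines captured above match on their timestamps (for example `05030 0`) and none of them carries the address 0.0.0.0. The script below compares that pattern with `grep -F` and an anchored pattern on constructed tcpdump-style lines; the function names and sample packets are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample in "tcpdump -n -e" format. Lines 1-2 reuse timestamps and
# addresses from the post (verbose fields trimmed); lines 3-5 are constructed.
sample_lines() {
cat <<'EOF'
09:10:51.405030 00:18:f3:29:d8:15 > 00:01:c0:03:7c:09, ethertype IPv4 (0x0800), length 66: 192.168.0.3.22 > 62.97.242.6.61121: . ack 481 win 8320
09:11:42.703020 00:01:c0:03:7c:09 > 00:18:f3:29:d8:15, ethertype IPv4 (0x0800), length 66: 82.137.33.24.35497 > 192.168.0.3.52332: . ack 843885 win 65160
09:12:00.111111 00:1d:60:36:34:a6 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 192.168.0.3 tell 0.0.0.0
09:12:01.222222 00:1d:60:36:34:a6 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request
09:12:02.333333 00:1d:60:36:34:a6 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 10.0.0.0 tell 192.168.0.12
EOF
}

# Pattern as typed in the post: each "." matches any character, so
# timestamp fragments such as "05030 0" count as hits.
count_loose() {
    sample_lines | grep -c '0.0.0.0'
}

# Fixed-string match: dots are literal, but "10.0.0.0" still contains the
# substring "0.0.0.0".
count_fixed() {
    sample_lines | grep -c -F '0.0.0.0'
}

# Anchored match: the address must not be preceded by a digit or dot, and may
# be followed by tcpdump's ".port" suffix but not by further address digits.
count_strict() {
    sample_lines | grep -c -E '(^|[^0-9.])0\.0\.0\.0(\.[0-9]+)?([^0-9.]|$)'
}

echo "loose:  $(count_loose) lines"
echo "fixed:  $(count_fixed) lines"
echo "strict: $(count_strict) lines"
```

On a live capture the same selection can be made in the capture expression itself, for example `tcpdump -n -e host 0.0.0.0`, which avoids text matching altogether.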