From owner-freebsd-security@FreeBSD.ORG  Sun Jan 18 11:19:24 2004
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id E1FCC16A4CE; Sun, 18 Jan 2004 11:19:24 -0800 (PST)
Received: from vulcan.blacksburg.net (vulcan.blacksburg.net [66.208.157.35])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 2277243D1F; Sun, 18 Jan 2004 11:19:21 -0800 (PST)
	(envelope-from mlevans@blacksburg.net)
X-Envelope-From: mlevans@blacksburg.net
Received: from p0ts1.blacksburg.net (pluto.blacksburg.net [66.208.157.5])
	i0IJJJDW018829;	Sun, 18 Jan 2004 14:19:20 -0500 (EST)
	(envelope-from mlevans@blacksburg.net)
Message-Id: <5.1.0.14.0.20040118141604.07e86c80@pop.blacksburg.net>
X-Sender: mlevans@pop.blacksburg.net
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Sun, 18 Jan 2004 14:19:17 -0500
To: freebsd-security@freebsd.org
From: Lyle Evans <mlevans@blacksburg.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
cc: freebsd-questions@freebsd.org
Subject: Re: arp problem in /var/log/messages
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 18 Jan 2004 19:19:25 -0000

At 07:14 AM 01/18/04, you wrote:
>hi all, i got flooded by these msgs like 1000+ lines, any idea?
>my kernel is dated Nov-30 FreeBSD 4.9-stable
>
># tail -f /var/log/messages
>Jan 18 19:43:23 xb /kernel: arp: 202.79.180.1 moved from 00:04:5a:49:eb:74
>to 00:50:0f:4f:c0:00 on rl0
>Jan 18 19:45:06 xb /kernel: arp: 202.79.180.1 moved from 00:50:0f:4f:c0:00
>to 00:04:5a:49:eb:74 on rl0
>Jan 18 19:45:18 xb /kernel: arp: 202.79.180.1 moved from 00:04:5a:49:eb:74
>to 00:50:0f:4f:c0:00 on rl0
>Jan 18 19:45:41 xb /kernel: arp: 202.79.180.1 moved from 00:50:0f:4f:c0:00
>to 00:04:5a:49:eb:74 on rl0
>Jan 18 19:45:45 xb /kernel: arp: 202.79.180.1 moved from 00:04:5a:49:eb:74
>to 00:50:0f:4f:c0:00 on rl

You have a Linksys and Cisco device fighting over a IP address either
they both think they own the address or one or maybe both are proxy arping
for the address. The fields 00:04:5a:49:eb:74 & 00:50:0f:4f:c0:00 are
the ethernet address of the Linksys and Cisco devices respectively.

Regards,
Lyle Evans
evansl@rackears.com
rackmount brackets for many networking and ISP equipment chassises
http://www.rackears.com