From: Kurt Buff
To: freebsd-net@freebsd.org
Date: Tue, 3 Sep 2013 16:11:14 -0700
Subject: Question regarding security run output

Over the three-day US weekend, I was working on some stuff, and found an
interesting set of entries in the daily security run emails all three days.

The output looks as follows:

ntop.example.com kernel log messages:
+++ /tmp/security.IUGsscCR 2013-08-26 03:02:24.000000000 -0700
+arp: unknown hardware address format (0x4500) (from 00:05:b7:de:cd:79 to 72:6e:61:6c:2c:70)
+arp: unknown hardware address format (0x0100) (from 00:05:b7:de:cd:79 to 6c:3d:31:37:2c:6e)
+arp: unknown hardware address format (0x4500) (from 00:05:b7:de:cd:a3 to 77:72:69:74:74:65)
+arp: unknown hardware address format (0x0000) (from 00:05:b7:de:cd:71 to 2d:0d:0a:62:6f:64)

This box is monitoring a mirror port on a procurve switch, using an
unnumbered interface.

My investigation led me to the engineering lab, and I'm querying them
regarding the equipment, but I don't know what the above entries signal.

Does anyone have a clue they can throw me on this?

I also find it interesting that the MAC addresses are either unknown, or
belong to Arbor Networks. We don't have any Arbor Networks equipment,
though I suppose they could vend them to an OEM. I'm going to see if I can
trace them down and get some idea of what's running around in that lab.

Thanks,

Kurt
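Added example, not part of the original post: a small triage helper for the kernel log lines quoted above. It extracts the hardware type, the source OUI and the "to" address, and renders the "to" bytes as ASCII to check whether that field holds text rather than an address. The function names (`triage`, `printable`, `mac_bytes`) are hypothetical.

```python
import re

# Log lines copied from the security run output quoted in the post.
LOG = """\
+arp: unknown hardware address format (0x4500) (from 00:05:b7:de:cd:79 to 72:6e:61:6c:2c:70)
+arp: unknown hardware address format (0x0100) (from 00:05:b7:de:cd:79 to 6c:3d:31:37:2c:6e)
+arp: unknown hardware address format (0x4500) (from 00:05:b7:de:cd:a3 to 77:72:69:74:74:65)
+arp: unknown hardware address format (0x0000) (from 00:05:b7:de:cd:71 to 2d:0d:0a:62:6f:64)
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
LINE = re.compile(
    rf"arp: unknown hardware address format \(0x([0-9a-f]{{4}})\) "
    rf"\(from ({MAC}) to ({MAC})\)", re.I)


def mac_bytes(mac):
    """Convert aa:bb:cc:dd:ee:ff notation to six raw bytes."""
    return bytes.fromhex(mac.replace(":", ""))


def printable(raw):
    """Render bytes as ASCII, escaping anything outside 0x20-0x7e."""
    return "".join(chr(b) if 0x20 <= b <= 0x7e else f"\\x{b:02x}" for b in raw)


def triage(text):
    """Return one dict per 'unknown hardware address format' line."""
    rows = []
    for m in LINE.finditer(text):
        src, dst = m.group(2).lower(), m.group(3).lower()
        d = mac_bytes(dst)
        rows.append({
            # ARP hardware type as logged; 1 is the value for Ethernet
            "htype": int(m.group(1), 16),
            "src": src,
            "src_oui": src[:8],  # first three octets, for a vendor lookup
            "dst_ascii": printable(d),
            # True when every byte is printable ASCII, CR or LF
            "dst_all_text": all(b in (0x0d, 0x0a) or 0x20 <= b <= 0x7e for b in d),
        })
    return rows


if __name__ == "__main__":
    for r in triage(LOG):
        print(f"htype=0x{r['htype']:04x} src={r['src']} oui={r['src_oui']} "
              f"dst_ascii={r['dst_ascii']!r} all_text={r['dst_all_text']}")
```

On the four lines from the post, every "to" field decodes entirely to printable ASCII or CR/LF, and all four source addresses share the OUI 00:05:b7.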