From: Patrick Muldoon
Organization: INOC
To: Maciej Cetler, Spades
Cc: freebsd-security@freebsd.org
Date: Sun, 18 Jan 2004 11:07:32 -0500
Subject: Re: arp problem in /var/log/messages
Message-Id: <200401181107.36732.doon@inoc.net>
In-Reply-To: <20040118153512.GA23872@lazir.toya.net.pl>

On Sunday 18 January 2004 10:35 am, Maciej Cetler wrote:
> On Sun, Jan 18, 2004 at 08:14:29PM +0800, Spades wrote:
> > hi all, i got flooded by these msgs like 1000+ lines, any idea?
> > my kernel is dated Nov-30 FreeBSD 4.9-stable
> >
> > # tail -f /var/log/messages
> > Jan 18 19:43:23 xb /kernel: arp: 202.79.180.1 moved from
> > 00:04:5a:49:eb:74 to 00:50:0f:4f:c0:00 on rl0
> > Jan 18 19:45:06 xb /kernel: arp: 202.79.180.1 moved from
> > 00:50:0f:4f:c0:00 to 00:04:5a:49:eb:74 on rl0
> > Jan 18 19:45:18 xb /kernel: arp: 202.79.180.1 moved from
> > 00:04:5a:49:eb:74 to 00:50:0f:4f:c0:00 on rl0
> > Jan 18 19:45:41 xb /kernel: arp: 202.79.180.1 moved from
> > 00:50:0f:4f:c0:00 to 00:04:5a:49:eb:74 on rl0
> > Jan 18 19:45:45 xb /kernel: arp: 202.79.180.1 moved from
> > 00:04:5a:49:eb:74 to 00:50:0f:4f:c0:00 on rl0
>
> looks like someone is using tools like ettercap.
>
> airot

is .1 your gateway?

00:50:0f is a Cisco Adaptor
00:04:5a is a linksys Adaptor

What type of network are you on? I.e., is this your network, or is it, say, a
cablemodem network?

check out http://www.dslreports.com/forum/remark,8225369~mode=flat, which is
basically about this same issue and perhaps might shed some light on the
problem.

If they were both Cisco NICs it could be HSRP?

Hope that helps,
-Patrick

-- 
Patrick Muldoon
Network/Software Engineer
INOC (http://www.inoc.net)
PGPKEY (http://www.inoc.net/~doon)
Key ID: 0x370D752C

micro$oft: "where do you want to go today?"
linux: "where do you want to go tomorrow?"
BSD: "are you guys coming, or what?"
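
Added example (not part of the original message or written by anyone in the thread): a small triage script for the kernel "arp: ... moved from ... to ..." lines quoted above. It groups the events per IP and interface, labels each MAC with the two OUI prefixes named in the reply, and flags an address that keeps returning to a MAC it already left. The function name, the `min_moves` threshold and the report layout are assumptions; flapping by itself does not tell a duplicate IP, a router failover pair or ARP spoofing apart.

```python
import re
from collections import defaultdict

# Log lines from the quoted post, each rejoined onto a single line.
SAMPLE_LOG = """\
Jan 18 19:43:23 xb /kernel: arp: 202.79.180.1 moved from 00:04:5a:49:eb:74 to 00:50:0f:4f:c0:00 on rl0
Jan 18 19:45:06 xb /kernel: arp: 202.79.180.1 moved from 00:50:0f:4f:c0:00 to 00:04:5a:49:eb:74 on rl0
Jan 18 19:45:18 xb /kernel: arp: 202.79.180.1 moved from 00:04:5a:49:eb:74 to 00:50:0f:4f:c0:00 on rl0
Jan 18 19:45:41 xb /kernel: arp: 202.79.180.1 moved from 00:50:0f:4f:c0:00 to 00:04:5a:49:eb:74 on rl0
Jan 18 19:45:45 xb /kernel: arp: 202.79.180.1 moved from 00:04:5a:49:eb:74 to 00:50:0f:4f:c0:00 on rl0
"""

# Only the two OUI prefixes identified in the reply; anything else is "unknown".
OUI_VENDORS = {"00:50:0f": "Cisco", "00:04:5a": "Linksys"}

MOVED_RE = re.compile(
    r"arp: (?P<ip>\d+(?:\.\d+){3}) moved from (?P<old>[0-9a-f:]{17}) "
    r"to (?P<new>[0-9a-f:]{17}) on (?P<ifname>\S+)", re.IGNORECASE)

def summarize_arp_moves(log_text, min_moves=3):
    """Group 'moved from' events by (IP, interface) and flag flip-flopping."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = MOVED_RE.search(line)
        if m:
            events[(m["ip"], m["ifname"])].append((m["old"].lower(), m["new"].lower()))
    report = {}
    for key, moves in events.items():
        macs = sorted({mac for pair in moves for mac in pair})
        # A "return" is a move back to a MAC the IP had already moved away from.
        returns = sum(1 for i, (_, new) in enumerate(moves)
                      if any(old == new for old, _ in moves[:i]))
        report[key] = {
            "moves": len(moves),
            "macs": {mac: OUI_VENDORS.get(mac[:8], "unknown") for mac in macs},
            "flapping": len(moves) >= min_moves and returns > 0,
        }
    return report

if __name__ == "__main__":
    for (ip, ifname), info in summarize_arp_moves(SAMPLE_LOG).items():
        print(ip, ifname, info)
```

A flagged gateway address is the cue to compare both MACs against the switch's forwarding table or the provider's documented router addresses before drawing a conclusion.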