Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 4 Jun 1999 10:53:35 -0400 (EDT)
From:      "Crist J. Clark" <cjc@cc942873-a.ewndsr1.nj.home.com>
To:        klui@cup.hp.com (Ken Lui)
Cc:        dwhite@resnet.uoregon.edu, questions@FreeBSD.ORG
Subject:   Re: Question about arp entry in /var/log/messages
Message-ID:  <199906041453.KAA03219@cc942873-a.ewndsr1.nj.home.com>
In-Reply-To: <199906040728.AAA29672@cup44ux.cup.hp.com> from Ken Lui at "Jun 4, 99 00:28:33 am"
next in thread | previous in thread | raw e-mail | index | archive | help 
Ken Lui wrote,
> >From dwhite@resnet.uoregon.edu Thu Jun  3 23:52:39 PDT 1999
> 
> Doug,
> 
> I must thank you for having the patience in helping me get to the
> root of my problems.
> 
> > > I've run two tcpdumps per interface and with the exception of some
> > > items at the beginning and the numbers after the timestamp, they're
> > > the same. Looks like both interfaces are seeing packets on net 10
> > > and net 15. Here are the entries that show up under both dumps after
> > > the following entry ends up in /var/log/messages:
> > > Jun  1 21:14:05 black /kernel: arp: 10.0.0.1 is on lo0 but got reply from
> > >    00:80:c8:fd:88:0d on ed1
> > 
> > _lo0_?  Hm!  Can I see ifconfig -a, please?  Try to keep the whole message
> > around since I'm trying to keep track of this.

lo0 should be there. What is strange is that ed1 is hearing things for
10.0.0.1.

> Yeah, I thought about that but did so after I sent the last reply.
> 
> ifconfig -a
> ed1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         inet 15.75.136.174 netmask 0xfffff800 broadcast 15.75.143.255
>         ether 00:80:c8:fd:90:ae 
> ed2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
>         ether 00:80:c8:fd:88:0d 
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
>         inet 127.0.0.1 netmask 0xff000000 
> 
> > Do you have proxy arp turned on in the cisco?
> 
> I checked it and it doesn't have proxy arp capability. I did notice
> that its netmask is incorrect for its IP. IT did this for me so I
> never questioned it. Changing its netmask didn't eliminate those
> entries. The frustrating thing is these messages are have a certain
> delay before they show up in /var/log/messages.
> 
> Odd how after I've ping'ed some of these IPs, I get the following
> with netstat -nr
> 
> Routing tables
> 
> Internet:
> Destination        Gateway            Flags     Refs     Use     Netif Expire
> default            15.75.136.169      UGSc        4       13      ed1
> 10/24              link#2             UC          0        0      ed2
> 10.0.0.1           0:80:c8:fd:88:d    UHLW        0       28      lo0
> 10.0.0.2           link#2             UHLW        0        2      ed2
> 10.0.0.3           link#2             UHLW        0        2      ed2
> 10.0.0.4           8:0:7:6f:1d:fe     UHLW        0       15      ed2    828
> 15.75.136/21       link#1             UC          0        0      ed1
> 15.75.136.169      0:40:f9:13:69:d5   UHLW        5        4      ed1    764
> 15.75.136.174      0:80:c8:fd:90:ae   UHLW        0       24      lo0
> 127.0.0.1          127.0.0.1          UH          1        4      lo0
> 
> So somehow, lo0 is receiving messages which ed1 and ed2 should be
> receiving.

That is correct behavior. The addresses to the loopback are the
addresses of the machine's own interfaces. That netstat looks almost
exactly like it should. As a point of reference, the machine I am on
now has two interfaces, here are the netstat -rn entries,

Internet:
Destination        Gateway            Flags     Refs     Use     Netif Expire
default            aaa.bbb.ccc.1      UGSc        4    18440      fxp0
127.0.0.1          127.0.0.1          UH          1     2509       lo0
192.168            link#2             UC          0        0 
192.168.0.1        0:a0:c9:22:93:d0   UHLW        0        2       lo0
192.168.0.2        0:aa:0:a5:af:91    UHLW        2     8392      fxp1     59
192.168.0.255      ff:ff:ff:ff:ff:ff  UHLWb       1      352      fxp1
aaa.bbb.ccc        link#1             UC          0        0 
aaa.bbb.ccc.1      0:e0:1e:3e:40:0    UHLW        3        0      fxp0    778
aaa.bbb.ccc.2      0:aa:0:6f:d7:28    UHLW        3    37287      fxp0    607
aaa.bbb.ccc.5      0:10:5a:18:44:67   UHLW        0        0      fxp0   1132
aaa.bbb.ccc.6      0:a0:c9:23:b:ad    UHLW        0     2990      fxp0   1077
aaa.bbb.ccc.10     8:0:69:7:40:16     UHLW        4   331675      fxp0    483
aaa.bbb.ccc.102    0:90:27:13:9e:cf   UHLW        0        4      fxp0   1147
aaa.bbb.ccc.111    0:a0:c9:27:53:d6   UHLW        0        2      fxp0   1118
aaa.bbb.ccc.148    0:a0:c9:9d:f1:c    UHLW        0        2      fxp0    925
aaa.bbb.ccc.154    0:a0:c9:27:f:5e    UHLW        0        4      fxp0   1002
aaa.bbb.ccc.194    0:90:27:10:a:8b    UHLW        0        2      fxp0   1150
aaa.bbb.ccc.204    0:90:27:13:ae:7e   UHLW        0   130918       lo0
aaa.bbb.ccc.206    0:60:97:8a:4d:68   UHLW        0        2      fxp0   1069
aaa.bbb.ccc.214    0:aa:0:bb:2b:5e    UHLW        0        2      fxp0    926
aaa.bbb.ccc.255    ff:ff:ff:ff:ff:ff  UHLWb       2     2234      fxp0

Note the loopback addresses for the machine's own interfaces. Also note
the broadcast addresses... *shrug* dunno where yours are.

> Maybe a dumb and naive question but... when I was running Linux I
> didn't have to run gated or routed. Should I be running it?

You shouldn't need it for simple, static routing like this.

> > > 21:14:05.461124 arp who-has green.tmpest1.org tell black.tmpest1.org
> > > 21:14:05.461600 arp reply green.tmpest1.org is-at 8:0:7:6f:1d:fe
> > 
> > Is this the proper ether addr for green?
> 
> Yes, I've confirmed that its ethernet address is correct.
> 
> > > The beginning of ed1 (net 15) has the following when I first
> > > establish a connection to my router (start of dump):
> > > 21:10:28.449996 ce573230.cup.hp.com.iad3 > 15.75.12.3.domain: 1784+ (37)
> > > 21:10:29.390619 ce573230.cup.hp.com.1033 > 15.75.12.3.domain: 23899+ (43)
> > 
> > Lots of DNS lookups but no responses. 
> > 
> > > While ed2 (net 10) has the following (start of dump):
> > > 21:11:48.500727 ce573230.cup.hp.com.1040 > 15.75.12.3.domain: 1785+ (60)
> > > 21:11:48.572032 ce573230.cup.hp.com.1041 > 15.75.12.3.domain: 6263+ (43)
> > 
> > ?? What is that stuff going that way?

When you run tcpdump for this stuff, use the -n option. That way, we
can see which interfaces are being used rather than the name of a
machine that might have multiple interfaces.

> > Let me clarify this.  The interfaces are listed next to the IPs they're
> > assigned, if I'm getting you right.
> 
> Yes. For instance, ce573230 should be on ed1, black should be on ed2.
> However, green is multi-homed with 1 ethernet interface so it really
> rests on both ed1's and ed2's network; but the confusing thing for
> me is they both share one wire.

Whoa. Did you just say ed1 and ed2 are on the same wire? You _will_
have trouble if two interfaces on one machine share a wire. There is
no really good reason I am aware of to ever have that situation. 
-- 
Crist J. Clark                           cjclark@home.com


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199906041453.KAA03219>