From owner-freebsd-questions@freebsd.org Mon Oct 31 09:47:48 2016 Return-Path: Delivered-To: freebsd-questions@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 8D581C2861A for ; Mon, 31 Oct 2016 09:47:48 +0000 (UTC) (envelope-from matthew@FreeBSD.org) Received: from smtp.infracaninophile.co.uk (smtp.infracaninophile.co.uk [IPv6:2001:8b0:151:1:c4ea:bd49:619b:6cb3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "smtp.infracaninophile.co.uk", Issuer "infracaninophile.co.uk" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 1D9DB1D11 for ; Mon, 31 Oct 2016 09:47:48 +0000 (UTC) (envelope-from matthew@FreeBSD.org) Received: from ox-dell39.ox.adestra.com (unknown [85.199.232.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: m.seaman@infracaninophile.co.uk) by smtp.infracaninophile.co.uk (Postfix) with ESMTPSA id 4AADA1A55 for ; Mon, 31 Oct 2016 09:47:44 +0000 (UTC) Authentication-Results: smtp.infracaninophile.co.uk; dmarc=none header.from=FreeBSD.org Authentication-Results: smtp.infracaninophile.co.uk/4AADA1A55; dkim=none; dkim-atps=neutral Subject: Re: "arp: moved" messages with bogus MAC addresses To: freebsd-questions@freebsd.org References: From: Matthew Seaman Message-ID: <47fb8c94-eef3-f05f-3468-f3d194624ebb@freebsd.org> Date: Mon, 31 Oct 2016 09:47:31 +0000 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:45.0) Gecko/20100101 Thunderbird/45.4.0 MIME-Version: 1.0 In-Reply-To: Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="H8IsofIINRKnWHPhF2dBes1neWHBPCAl4" X-Spam-Status: No, score=-0.4 required=5.0 tests=BAYES_00,RDNS_NONE, SPF_SOFTFAIL autolearn=no autolearn_force=no version=3.4.1 X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on smtp.infracaninophile.co.uk X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 31 Oct 2016 09:47:48 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --H8IsofIINRKnWHPhF2dBes1neWHBPCAl4 Content-Type: multipart/mixed; boundary="gohmXDegJS1A5JjNkODqpTlSu2kQlSMkG"; protected-headers="v1" From: Matthew Seaman To: freebsd-questions@freebsd.org Message-ID: <47fb8c94-eef3-f05f-3468-f3d194624ebb@freebsd.org> Subject: Re: "arp: moved" messages with bogus MAC addresses References: In-Reply-To: --gohmXDegJS1A5JjNkODqpTlSu2kQlSMkG Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable On 10/31/16 08:43, Christian Ullrich wrote: > I see a lot of messages like these in the logs of my 11-STABLE VMs > (running on VMware ESXi 6): >=20 > arp: 192.168.92.20 moved from 20:90:f1:53:01:f8 to 00:90:fb:1b:7d:cd on= em0 > arp: 192.168.92.20 moved from 20:90:f1:53:01:f8 to 00:90:fb:1b:7d:cd on= em0 > arp: 192.168.92.20 moved from 20:90:f1:53:01:f8 to 00:90:fb:1b:7d:cd on= em0 > arp: 192.168.92.20 moved from 20:90:f1:53:01:f8 to 00:90:fb:1b:7d:cd on= em0 >=20 > I have no idea what causes these. The "to" MAC is correct for this IP, > but the "from" is completely bogus. I have tcpdump'ed the network until= > two of these logs appeared, and the 20:90:f1 address never showed up; i= n > fact, the byte pattern did not appear once anywhere in the dump. This > should exclude the possibility of some weird VMware-related thing going= > on. I see exactly the same thing with VirtualBox -- this is something to do with the way these virtualization systems provide network access within the host system. Normally this message would indicate that two machines on your network had been setup with the same IP number, so it's generally a good thing to have logged. In this case however, the IP switching around between MAC addresses seems to be normal for the virtualization environment. You should be able to suppress the mesages by: # sysctl net.link.ether.inet.log_arp_movements=3D0 -- add "net.link.ether.inet.log_arp_movements=3D0" to /etc/sysctl.conf to= have that set automatically on boot. Cheers, Matthew --gohmXDegJS1A5JjNkODqpTlSu2kQlSMkG-- --H8IsofIINRKnWHPhF2dBes1neWHBPCAl4 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJYFxM6AAoJEABRPxDgqeTn/DIP/20CHXBd0OOodTTpODvB9/13 l58McBQgKd1MEbbVLzuWF4gpaYMXi/3JjYH/nq1R4Ly4sdm1Q9O15VTvo46NIUwM sXkMUaNo2O9fOnn2F6dj9v4EiV4lg9SDp3DHHDTW4LPpb1/uXfh0jbDykRH4J6pm VPKFQbDI5aa/aM03dOePyzHzBUlafMrpFWEnYaXwhurqTbYw4FJeBsFmoBrtgZ6n fo7fYJAOfPtCAoHzZEVi7FvCtGhRmXtpk1Kjq/7QYwKWHS4Tl9To0zorMORO+RxG DiRR2kWUKJWO3yawcp6WFjeFRAeVLx4ZrxVEgN93VRz7m0ItygcqiwGm4RZV38Hv zvKVUSzMCKlaK9qr33kKhTgeYOLtkez9JAlMMu1Wmc+L/F6hSsZ5tPf3YiKYhjoy Mh5t2fuW4SqQ+WmlQRVD6Axu87XCa4JX+qO827yrN/B34PB4DVUogZt6YzG5GUpc 338YALd3HTevBjNJj2WTz1/VvNFf5a70Jvc19KMdBlm3AGVNsnIEEeTd+kCnwdnd A/X9xGm+bjHs7UW3dGJlDtTVpeV0BW3R/1ckCEJmG7hLG21dkxjHB7rJgl98OvZX ZAIfP402yrlZW0b2q+lO4Ebs1IhTkTKwaMtZRwZHkUXDDa/Y+kOs3+ttLsUtYrTj qDUJmi/HD9xeVlzaLPRL =LqkD -----END PGP SIGNATURE----- --H8IsofIINRKnWHPhF2dBes1neWHBPCAl4--