Date: Wed, 4 Sep 1996 10:33:24 -0500 (CDT)
From: dnelson@emsphone.com (Dan Nelson)
To: deischen@iworks.InterWorks.org (Daniel M. Eischen)
Cc: paul@nation-net.com, questions@freebsd.org
Subject: Re: arp info overwritten
Message-ID: <199609041533.KAA08591@dan.emsphone.com>
In-Reply-To: <9609041351.AA12869@iworks.InterWorks.org> from "Daniel M. Eischen" at Sep 4, 96 08:51:59 am
in the last episode, Daniel M. Eischen said:
> > Is this message anything to worry about?
> > The 2 IPs are machines in our class C.
> >
> > arp info overwritten for 194.159.125.100 by 00:05:02:44:5f:d1
> > arp info overwritten for 194.159.125.110 by 00:05:02:54:3f:54
>
> Well, it depends on if you use those machines or not ;-)
>
> We've got a couple of FreeBSD PCs sitting in a building full of PCs
> and Macs in the same subnet. We see this happen at least once a
> month and logged by our FreeBSD PCs. Usually we can determine which
> machines are at fault by using tcpdump on the affected ethernet MAC
> addresses and by browsing shared DIRs (and similar
> [...]
> I don't know any other way of doing it (unless the administrators have
> a list of all the machines and their MAC addresses). Maybe there's a
> better way?
If you keep a list of the ethernet addresses of all your machines in
/etc/ethers, the following patch will let the arp command display
ethernet addresses symbolically. Then you can ping your broadcast
address to fill your route/arp table, and display the results with arp
-a. A similar patch could probably be made to netstat (for the -r
output).

For example, my machine arps as

    dan.emsphone.com (199.67.51.101) at E_dan permanent

since in /etc/ethers, I have

    00:00:c0:ed:34:c7 E_dan

-Dan Nelson
dnelson@emsphone.com
--- /usr/src/usr.sbin/arp/arp.c Thu Feb 8 15:05:52 1996
+++ /usr/tmp/arp.c Mon Jul 29 18:07:03 1996
@@ -441,10 +441,18 @@
}
}
+/*
+ * Print an ethernet address in symbolic form, or numeric if there is no name
+ */
void
ether_print(u_char *cp)
{
+ char name[100];
+
+ if (ether_ntohost(name, cp))
printf("%x:%x:%x:%x:%x:%x", cp[0], cp[1], cp[2], cp[3], cp[4], cp[5]);
+ else
+ printf("%s", name);
}
int
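Review bot: the fixed char name[100] in ether_print() is passed to ether_ntohost(name, cp) with no length, so nothing in this hunk bounds the name copied out of /etc/ethers; declare it as char name[MAXHOSTNAMELEN] (or whatever bound ether_ntohost() guarantees) rather than a magic 100. cp is declared u_char * here, while ether_ntohost() takes a struct ether_addr *, so the call also wants an explicit cast. Since this output is what gets read when chasing a duplicate address, consider printing the numeric address alongside the name instead of replacing it.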
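An added example, not part of the original message or of FreeBSD: the same /etc/ethers lookup applied to the logged messages, so each "arp info overwritten" line is resolved to an inventory name or flagged as not in the inventory. The E_lab_mac entry, the syslog prefix and all function names are constructed for illustration.

```python
import re

# Constructed inventory in ethers(5) layout; only the E_dan line is from the post.
# The second entry uses unpadded octets to show why normalisation is needed.
ETHERS = """\
00:00:c0:ed:34:c7 E_dan
0:5:2:44:5f:d1    E_lab_mac
"""

# Constructed log lines; the message text matches what the thread quotes.
LOG = """\
Sep  4 08:40:01 host /kernel: arp info overwritten for 194.159.125.100 by 00:05:02:44:5f:d1
Sep  4 08:40:07 host /kernel: arp info overwritten for 194.159.125.110 by 00:05:02:54:3f:54
Sep  4 08:41:13 host /kernel: some unrelated message
"""

OVERWRITE = re.compile(r"arp info overwritten for (\S+) by ([0-9a-fA-F:]+)")
OCTET = re.compile(r"[0-9a-fA-F]{1,2}")

def norm_mac(text):
    """Return the MAC as six zero-padded lowercase octets, or None if malformed."""
    parts = text.split(":")
    if len(parts) != 6 or not all(OCTET.fullmatch(p) for p in parts):
        return None
    return ":".join("%02x" % int(p, 16) for p in parts)

def load_ethers(text):
    """Map normalised MAC -> name, skipping comments and malformed lines."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        mac = norm_mac(fields[0]) if len(fields) >= 2 else None
        if mac:
            table[mac] = fields[1]
    return table

def overwrite_events(log_text, table):
    """Return (ip, mac, name) per overwrite message; name is None if unlisted."""
    events = []
    for line in log_text.splitlines():
        m = OVERWRITE.search(line)
        if m:
            mac = norm_mac(m.group(2))
            events.append((m.group(1), mac, table.get(mac)))
    return events

if __name__ == "__main__":
    for ip, mac, name in overwrite_events(LOG, load_ethers(ETHERS)):
        print(ip, mac, name or "NOT IN INVENTORY")
```
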
