Date: Thu, 15 May 2008 09:14:02 +0200 From: Christer Solskogen <solskogen@carebears.mine.nu> To: Jon Radel <jon@radel.com> Cc: freebsd-questions@freebsd.org Subject: Re: arplookup 0.0.0.0 failed: host is not on local network Message-ID: <482BE2BA.6050105@carebears.mine.nu> In-Reply-To: <482B6F21.2040602@radel.com> References: <g07lip$736$1@ger.gmane.org> <6.0.0.22.2.20080511190114.0264af00@mail.computinginnovations.com> <g09t4u$ads$1@ger.gmane.org> <g0a0aa$lip$1@ger.gmane.org> <6.0.0.22.2.20080512153543.02665c88@mail.computinginnovations.com> <g0aa89$q0p$1@ger.gmane.org> <6.0.0.22.2.20080512163401.026387f8@mail.computinginnovations.com> <g0ei1m$r0a$1@ger.gmane.org> <6.0.0.22.2.20080514131710.025269f0@mail.computinginnovations.com> <g0fms3$8qs$1@ger.gmane.org> <482B6875.6070005@radel.com> <482B6F21.2040602@radel.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Jon Radel wrote: > to see what you can catch. > First of all, thanks for taking time to help me on this. [root@shine ~]# tcpdump -vvv -n -l -e arp tcpdump: listening on nfe0, link-type EN10MB (Ethernet), capture size 96 bytes 08:58:46.337968 00:1d:60:36:34:a6 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 192.168.0.3 tell 192.168.0.12 08:58:46.337974 00:18:f3:29:d8:15 > 00:1d:60:36:34:a6, ethertype ARP (0x0806), length 42: arp reply 192.168.0.3 is-at 00:18:f3:29:d8:15 08:59:46.842884 00:1d:60:36:34:a6 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 192.168.0.3 tell 192.168.0.12 08:59:46.842890 00:18:f3:29:d8:15 > 00:1d:60:36:34:a6, ethertype ARP (0x0806), length 42: arp reply 192.168.0.3 is-at 00:18:f3:29:d8:15 09:00:47.349826 00:1d:60:36:34:a6 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 192.168.0.3 tell 192.168.0.12 09:00:47.349833 00:18:f3:29:d8:15 > 00:1d:60:36:34:a6, ethertype ARP (0x0806), length 42: arp reply 192.168.0.3 is-at 00:18:f3:29:d8:15 09:01:47.854742 00:1d:60:36:34:a6 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 192.168.0.3 tell 192.168.0.12 09:01:47.854748 00:18:f3:29:d8:15 > 00:1d:60:36:34:a6, ethertype ARP (0x0806), length 42: arp reply 192.168.0.3 is-at 00:18:f3:29:d8:15 09:02:48.359670 00:1d:60:36:34:a6 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 192.168.0.3 tell 192.168.0.12 09:02:48.359677 00:18:f3:29:d8:15 > 00:1d:60:36:34:a6, ethertype ARP (0x0806), length 42: arp reply 192.168.0.3 is-at 00:18:f3:29:d8:15 09:03:48.864618 00:1d:60:36:34:a6 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 192.168.0.3 tell 192.168.0.12 09:03:48.864624 00:18:f3:29:d8:15 > 00:1d:60:36:34:a6, ethertype ARP (0x0806), length 42: arp reply 192.168.0.3 is-at 00:18:f3:29:d8:15 09:04:49.370546 00:1d:60:36:34:a6 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 192.168.0.3 tell 192.168.0.12 09:04:49.370551 00:18:f3:29:d8:15 > 00:1d:60:36:34:a6, ethertype ARP (0x0806), length 42: arp reply 192.168.0.3 is-at 00:18:f3:29:d8:15 There is this line saying: 00:1d:60:36:34:a6 > ff:ff:ff:ff:ff:ff and nothing has ff:ff:ff:ff:ff:ff as a mac address :) [root@shine ~]# tcpdump -vvv -n -l -e -s 128 arp or ip | grep 0.0.0.0 tcpdump: listening on nfe0, link-type EN10MB (Ethernet), capture size 128 bytes 09:10:51.405030 00:18:f3:29:d8:15 > 00:01:c0:03:7c:09, ethertype IPv4 (0x0800), length 66: (tos 0x10, ttl 64, id 58427, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 0 (->6565)!) 192.168.0.3.22 > 62.97.242.6.61121: ., cksum 0xf139 (incorrect (-> 0x5ca1), 13136:13136(0) ack 481 win 8320 <nop,nop,timestamp 1359099282 347410448> 09:11:42.703020 00:01:c0:03:7c:09 > 00:18:f3:29:d8:15, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 53, id 17642, offset 0, flags [DF], proto TCP (6), length 52) 82.137.33.24.35497 > 192.168.0.3.52332: ., cksum 0x7181 (correct), 938:938(0) ack 843885 win 65160 <nop,nop,timestamp 4052665 1969055395> 09:11:51.809030 00:01:c0:03:7c:09 > 00:18:f3:29:d8:15, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 53, id 19037, offset 0, flags [DF], proto TCP (6), length 52) 82.137.33.24.35497 > 192.168.0.3.52332: ., cksum 0x2a5b (correct), 1135:1135(0) ack 982794 win 65160 <nop,nop,timestamp 4053576 1969064662> $ arp -a hugs.carebears.lan (192.168.0.1) at 00:01:c0:03:7c:09 on nfe0 [ethernet] shine (192.168.0.3) at 00:18:f3:29:d8:15 on nfe0 permanent [ethernet] funshine.carebears.lan (192.168.0.12) at 00:1d:60:36:34:a6 on nfe0 [ethernet] ? (192.168.0.255) at ff:ff:ff:ff:ff:ff on nfe0 permanent [ethernet] I'll take you tip on shutting down one machine at a time to see which machine who do this. Somehow I suspect my Windows 2008 Server box :) -- chs
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?482BE2BA.6050105>