Bad ARP from dual-NIC Linux

J. Westfall jimbo1@u.washington.edu
Sun Dec 5 13:06:08 1999


i did a tcpdump -i eth0 'arp' like you suggested. here is some interesting
output.

10:48:27.831673 arp who-has bitstreamx tell beefyx
10:48:27.831987 arp reply bitstreamx is-at 0:60:97:df:b7:c7
10:48:27.832287 arp reply bitstreamx is-at 0:a0:c9:49:8a:2c
10:48:35.128120 arp who-has bitstreamx tell 192.168.1.128  
10:48:35.128742 arp reply bitstreamx is-at 0:a0:c9:49:8a:2c

bitstreamx is our 192.168.1.1 address for the ip masq setup and is
actually bound to eth1 which is the eepro nic and its MAC is
00:A0:C9:49:8A:2C. but from this tcpdump it looks like eth0 (3c905) is
also reply to this arp request when beefyx asks who bitstreamx is.  very
odd.

Jim Westfall

> I have two linux routers which each have 3 dual-port 8859 eepro cards.
> Similarly to your setup, each has 1 connection to the outside world and
> the other ports provide one connection per router to each of my subnets.
> I had a look around at the arp tables on some of my host machines, but
> I couldn't see anything wrong, neither do any of my freebsd boxes report
> changes in the hardware address (as reported in a reply). Been running
> for six months without problems now. Perhaps the problem is provoked by
> the NAT - I do use aliasing on my boxes (more than one ip address per
> interface), and I do packet filtering, but I don't do NAT or masquerading
> of any sort. Or maybe the router *is* broken (: - is it possible to connect
> another machine to the internet side and see what it gets in its arp tables?
> Failing that, tcpdump your interfaces to see what arp packets are 
> doing (or use ethereal or whatever you like):
> to catch all arp packets (doing this FROM your multi-NIC server):
> 	 tcpdump -i eth0 'arp'
> and to filter them dow$n to just the ones that involve your interface as
> source or destination:
> 	 tcpdump -i eth0 'arp host 10.0.0.1'
> or
> 	 tcpdump -i eth0 'arp host interfacename'
> ought to show you the packets you are interested in. You could try deleting
> the arp entry and watching to see the info that gets passed.
> 
> hope that helps a little.
> 
> Simon
> 
> Simon A. Boggis 					Systems Programmer
> Department of Computer Science, 
> Queen Mary and Westfield College London, E1 4NS, UK. Telephone 0171 975 5234
>