Hello everyone,

For some time now I have been seeing very strange traffic on my local network. It is mostly recognizable by the fact that some users' connectivity suddenly drops to zero, pings get through once in 1000, and of course the internet stops working... The logs are left with a great many entries about changing ARP entries (a piece of the syslog is at the end of this message). During one such episode I also managed to dump the tcpdump output to a file; I can send that as well if needed.
Has anyone come across an oddity like this? As I wrote above, the tcpdump is also available for anyone interested... I will add that after a few minutes or hours everything sometimes returns to normal... Unfortunately I administer the server remotely and have no idea how to tackle this...

Syslog excerpt (for the record: subnet 10.0.37.0/24, server 10.0.37.1 - niagara.priv):

May 29 21:11:26 niagara arpwatch: changed ethernet address 10.0.37.2 2e:27:71:56:7d:7a (0:30:4f:11:a9:6) eth1
May 29 21:11:30 niagara arpwatch: changed ethernet address 10.0.37.16 2e:50:8:4e:1e:37 (0:30:4f:26:cc:9) eth1
May 29 21:11:30 niagara arpwatch: flip flop 10.0.37.16 0:30:4f:26:cc:9 (2e:50:8:4e:1e:37) eth1
May 29 21:11:31 niagara arpwatch: changed ethernet address 10.0.37.16 2e:7a:4e:2c:46:47 (0:30:4f:26:cc:9) eth1
May 29 21:11:31 niagara arpwatch: flip flop 10.0.37.16 0:30:4f:26:cc:9 (2e:7a:4e:2c:46:47) eth1
May 29 21:11:32 niagara arpwatch: changed ethernet address 10.0.37.16 2e:23:13:a:6f:56 (0:30:4f:26:cc:9) eth1
May 29 21:11:32 niagara arpwatch: flip flop 10.0.37.16 0:30:4f:26:cc:9 (2e:23:13:a:6f:56) eth1
May 29 21:11:33 niagara arpwatch: changed ethernet address 10.0.37.16 2e:4e:59:68:17:66 (0:30:4f:26:cc:9) eth1
May 29 21:11:33 niagara arpwatch: flip flop 10.0.37.16 0:30:4f:26:cc:9 (2e:4e:59:68:17:66) eth1
May 29 21:11:34 niagara arpwatch: changed ethernet address 10.0.37.16 2e:78:1f:46:3f:75 (0:30:4f:26:cc:9) eth1
May 29 21:11:34 niagara arpwatch: flip flop 10.0.37.16 0:30:4f:26:cc:9 (2e:78:1f:46:3f:75) eth1
May 29 21:11:35 niagara arpwatch: changed ethernet address 10.0.37.16 2e:21:65:24:67:4 (0:30:4f:26:cc:9) eth1
May 29 21:11:35 niagara arpwatch: flip flop 10.0.37.16 0:30:4f:26:cc:9 (2e:21:65:24:67:4) eth1
May 29 21:11:36 niagara arpwatch: changed ethernet address 10.0.37.28 2e:4b:2b:2:f:13 (0:2:44:7c:14:f9) eth1
May 29 21:11:36 niagara arpwatch: changed ethernet address 10.0.37.16 2e:4b:2b:2:f:13 (0:30:4f:26:cc:9) eth1
May 29 21:11:36 niagara arpwatch: flip flop 10.0.37.16 0:30:4f:26:cc:9 (2e:4b:2b:2:f:13) eth1
May 29 21:11:37 niagara arpwatch: changed ethernet address 10.0.37.16 2e:76:71:60:38:23 (0:30:4f:26:cc:9) eth1
May 29 21:11:37 niagara arpwatch: flip flop 10.0.37.16 0:30:4f:26:cc:9 (2e:76:71:60:38:23) eth1
May 29 21:11:38 niagara arpwatch: changed ethernet address 10.0.37.28 2e:76:71:60:38:23 (2e:4b:2b:2:f:13) eth1
May 29 21:11:38 niagara arpwatch: changed ethernet address 10.0.37.25 2e:76:71:60:38:23 (0:2:44:8b:d8:dd) eth1
May 29 21:11:38 niagara arpwatch: changed ethernet address 10.0.37.16 2e:1f:36:3e:60:32 (0:30:4f:26:cc:9) eth1
May 29 21:11:38 niagara arpwatch: flip flop 10.0.37.16 0:30:4f:26:cc:9 (2e:1f:36:3e:60:32) eth1
May 29 21:11:39 niagara named[2036]: refused query on non-query socket from [87.16.180.213].4672
May 29 21:11:39 niagara arpwatch: changed ethernet address 10.0.37.16 2e:49:7c:1c:8:42 (0:30:4f:26:cc:9) eth1
May 29 21:11:39 niagara arpwatch: flip flop 10.0.37.16 0:30:4f:26:cc:9 (2e:49:7c:1c:8:42) eth1
May 29 21:11:40 niagara arpwatch: changed ethernet address 10.0.37.28 2e:49:7c:1c:8:42 (2e:76:71:60:38:23) eth1
May 29 21:11:40 niagara arpwatch: changed ethernet address 10.0.37.25 2e:49:7c:1c:8:42 (2e:76:71:60:38:23) eth1
May 29 21:11:40 niagara arpwatch: changed ethernet address 10.0.37.20 2e:49:7c:1c:8:42 (0:11:9:5f:f:a4) eth1
May 29 21:11:40 niagara arpwatch: changed ethernet address 10.0.37.16 2e:74:42:7a:31:51 (0:30:4f:26:cc:9) eth1
May 29 21:11:40 niagara arpwatch: flip flop 10.0.37.16 0:30:4f:26:cc:9 (2e:74:42:7a:31:51) eth1
May 29 21:11:41 niagara arpwatch: changed ethernet address 10.0.37.16 2e:1d:7:58:59:60 (0:30:4f:26:cc:9) eth1
May 29 21:11:41 niagara arpwatch: flip flop 10.0.37.16 0:30:4f:26:cc:9 (2e:1d:7:58:59:60) eth1
May 29 21:11:41 niagara arpwatch: changed ethernet address 10.0.37.16 2e:1d:7:58:59:60 (0:30:4f:26:cc:9) eth1
May 29 21:11:41 niagara arpwatch: flip flop 10.0.37.16 0:30:4f:26:cc:9 (2e:1d:7:58:59:60) eth1
May 29 21:11:42 niagara arpwatch: changed ethernet address 10.0.37.16 2e:47:4d:36:1:70 (0:30:4f:26:cc:9) eth1
May 29 21:11:42 niagara arpwatch: flip flop 10.0.37.16 0:30:4f:26:cc:9 (2e:47:4d:36:1:70) eth1
May 29 21:11:42 niagara named[2036]: refused query on non-query socket from [121.230.158.173].6657
May 29 21:11:43 niagara arpwatch: changed ethernet address 10.0.37.16 2e:72:13:14:2a:7f (0:30:4f:26:cc:9) eth1
May 29 21:11:43 niagara arpwatch: flip flop 10.0.37.16 0:30:4f:26:cc:9 (2e:72:13:14:2a:7f) eth1
May 29 21:11:44 niagara arpwatch: changed ethernet address 10.0.37.16 2e:1b:59:72:52:e (0:30:4f:26:cc:9) eth1
May 29 21:11:44 niagara arpwatch: flip flop 10.0.37.16 0:30:4f:26:cc:9 (2e:1b:59:72:52:e) eth1
May 29 21:11:45 niagara arpwatch: changed ethernet address 10.0.37.16 2e:45:1f:50:7a:1d (0:30:4f:26:cc:9) eth1
May 29 21:11:45 niagara arpwatch: flip flop 10.0.37.16 0:30:4f:26:cc:9 (2e:45:1f:50:7a:1d) eth1
May 29 21:11:46 niagara arpwatch: changed ethernet address 10.0.37.16 2e:6f:65:2e:22:2d (0:30:4f:26:cc:9) eth1
May 29 21:11:46 niagara arpwatch: flip flop 10.0.37.16 0:30:4f:26:cc:9 (2e:6f:65:2e:22:2d) eth1
May 29 21:11:47 niagara arpwatch: changed ethernet address 10.0.37.16 2e:19:2a:c:4b:3c (0:30:4f:26:cc:9) eth1
May 29 21:11:47 niagara arpwatch: flip flop 10.0.37.16 0:30:4f:26:cc:9 (2e:19:2a:c:4b:3c) eth1
May 29 21:11:48 niagara arpwatch: changed ethernet address 10.0.37.16 2e:43:70:6a:73:4c (0:30:4f:26:cc:9) eth1
May 29 21:11:48 niagara arpwatch: flip flop 10.0.37.16 0:30:4f:26:cc:9 (2e:43:70:6a:73:4c) eth1
May 29 21:12:00 niagara arpwatch: changed ethernet address 10.0.37.2 2e:3b:35:52:57:3 (2e:27:71:56:7d:7a) eth1
May 29 21:12:00 niagara arpwatch: reused old ethernet address 10.0.37.28 0:2:44:7c:14:f9 (2e:49:7c:1c:8:42) eth1
May 29 21:12:02 niagara dhcpd: DHCPREQUEST for 10.0.37.10 from 00:c0:9f:19:24:03 via eth1
May 29 21:12:02 niagara dhcpd: DHCPACK on 10.0.37.10 to 00:c0:9f:19:24:03 via eth1
May 29 21:12:03 niagara arpwatch: changed ethernet address 10.0.37.16 2e:f:41:e:27:22 (0:30:4f:26:cc:9) eth1
May 29 21:12:04 niagara arpwatch: changed ethernet address 10.0.37.7 2f:63:4d:4a:78:41 (0:30:4f:11:a0:40) eth1
May 29 21:12:04 niagara arpwatch: flip flop 10.0.37.7 0:30:4f:11:a0:40 (2f:63:4d:4a:78:41) eth1
May 29 21:12:05 niagara arpwatch: changed ethernet address 10.0.37.7 2f:d:12:28:20:50 (0:30:4f:11:a0:40) eth1
May 29 21:12:05 niagara arpwatch: flip flop 10.0.37.7 0:30:4f:11:a0:40 (2f:d:12:28:20:50) eth1
May 29 21:12:05 niagara arpwatch: changed ethernet address 10.0.37.6 2f:d:12:28:20:50 (0:30:4f:11:a5:1e) eth1
May 29 21:12:05 niagara arpwatch: report: pausing (cdepth 3)
May 29 21:12:05 niagara arpwatch: flip flop 10.0.37.6 0:30:4f:11:a5:1e (2f:d:12:28:20:50) eth1
May 29 21:12:06 niagara arpwatch: changed ethernet address 10.0.37.7 2f:37:58:6:48:60 (0:30:4f:11:a0:40) eth1
May 29 21:12:06 niagara arpwatch: flip flop 10.0.37.7 0:30:4f:11:a0:40 (2f:37:58:6:48:60) eth1
May 29 21:12:06 niagara arpwatch: changed ethernet address 10.0.37.6 2f:37:58:6:48:60 (0:30:4f:11:a5:1e) eth1
May 29 21:12:07 niagara arpwatch: report: pausing (cdepth 3)
May 29 21:12:07 niagara arpwatch: flip flop 10.0.37.6 0:30:4f:11:a5:1e (2f:37:58:6:48:60) eth1
May 29 21:12:07 niagara arpwatch: report: pausing (cdepth 3)
May 29 21:12:07 niagara arpwatch: changed ethernet address 10.0.37.15 2f:37:58:6:48:60 (0:50:ba:b1:f0:5f) eth1
May 29 21:12:09 niagara named[2036]: refused query on non-query socket from [190.51.139.68].4672
May 29 21:12:09 niagara arpwatch: changed ethernet address 10.0.37.7 2f:35:29:20:41:d (0:30:4f:11:a0:40) eth1
May 29 21:12:09 niagara arpwatch: flip flop 10.0.37.7 0:30:4f:11:a0:40 (2f:35:29:20:41:d) eth1
May 29 21:12:09 niagara arpwatch: changed ethernet address 10.0.37.6 2f:35:29:20:41:d (0:30:4f:11:a5:1e) eth1
May 29 21:12:09 niagara arpwatch: report: pausing (cdepth 3)
May 29 21:12:09 niagara arpwatch: changed ethernet address 10.0.37.13 2f:35:29:20:41:d (0:30:4f:19:86:cf) eth1
May 29 21:12:09 niagara arpwatch: report: pausing (cdepth 3)
May 29 21:12:09 niagara arpwatch: flip flop 10.0.37.13 0:30:4f:19:86:cf (2f:35:29:20:41:d) eth1
May 29 21:12:09 niagara arpwatch: report: pausing (cdepth 3)
May 29 21:12:09 niagara arpwatch: changed ethernet address 10.0.37.15 2f:35:29:20:41:d (2f:37:58:6:48:60) eth1
May 29 21:12:09 niagara arpwatch: reused old ethernet address 10.0.37.15 0:50:ba:b1:f0:5f (2f:35:29:20:41:d) eth1
May 29 21:12:09 niagara arpwatch: report: pausing (cdepth 3)
May 29 21:12:09 niagara arpwatch: flip flop 10.0.37.6 0:30:4f:11:a5:1e (2f:35:29:20:41:d) eth1
May 29 21:12:10 niagara arpwatch: reused old ethernet address 10.0.37.25 0:2:44:8b:d8:dd (2e:49:7c:1c:8:42) eth1
May 29 21:12:10 niagara arpwatch: changed ethernet address 10.0.37.25 2f:5f:6f:7e:6a:1d (0:2:44:8b:d8:dd) eth1
May 29 21:12:10 niagara arpwatch: changed ethernet address 10.0.37.7 2f:5f:6f:7e:6a:1d (0:30:4f:11:a0:40) eth1
May 29 21:12:10 niagara arpwatch: flip flop 10.0.37.7 0:30:4f:11:a0:40 (2f:5f:6f:7e:6a:1d) eth1
May 29 21:12:10 niagara arpwatch: report: pausing (cdepth 3)
May 29 21:12:10 niagara arpwatch: changed ethernet address 10.0.37.6 2f:5f:6f:7e:6a:1d (0:30:4f:11:a5:1e) eth1
May 29 21:12:10 niagara arpwatch: report: pausing (cdepth 3)
May 29 21:12:10 niagara arpwatch: changed ethernet address 10.0.37.13 2f:5f:6f:7e:6a:1d (0:30:4f:19:86:cf) eth1
May 29 21:12:10 niagara arpwatch: report: pausing (cdepth 3)
May 29 21:12:10 niagara arpwatch: flip flop 10.0.37.13 0:30:4f:19:86:cf (2f:5f:6f:7e:6a:1d) eth1
May 29 21:12:10 niagara arpwatch: report: pausing (cdepth 3)
May 29 21:12:10 niagara arpwatch: changed ethernet address 10.0.37.15 2f:5f:6f:7e:6a:1d (0:50:ba:b1:f0:5f) eth1
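
Added example, not part of the original post: a triage script for arpwatch syslog lines in the format shown above. It flags newly announced MAC addresses whose first octet has the locally-administered bit (0x02) or the group bit (0x01) set, and lists which IPs each such MAC claimed. The function names are hypothetical; the sample lines are copied from the excerpt in the post.

```python
import re
from collections import defaultdict

# arpwatch syslog messages as in the post: "<event> <ip> <new mac> (<old mac>) <iface>"
EVENT = re.compile(
    r"arpwatch: (changed ethernet address|flip flop|reused old ethernet address) "
    r"(\d+\.\d+\.\d+\.\d+) ([0-9a-f:]+) \(([0-9a-f:]+)\)"
)

def mac_flags(mac):
    """Classify a MAC by the two low bits of its first octet."""
    first = int(mac.split(":")[0], 16)
    flags = set()
    if first & 0x02:
        flags.add("locally-administered")  # not a vendor-assigned (OUI) address
    if first & 0x01:
        flags.add("group-bit")             # multicast bit, invalid as a sender address
    return flags

def analyse(lines):
    """Return (suspect new MAC -> set of IPs it claimed, IP -> number of changes)."""
    claimed = defaultdict(set)
    changes = defaultdict(int)
    for line in lines:
        m = EVENT.search(line)
        if not m:
            continue                       # named, dhcpd, "report: pausing", ...
        event, ip, new_mac, _old_mac = m.groups()
        if event != "changed ethernet address":
            continue                       # only count switches to a new address
        changes[ip] += 1
        if mac_flags(new_mac):
            claimed[new_mac].add(ip)
    return dict(claimed), dict(changes)

# Six lines copied from the syslog excerpt in the post.
SAMPLE = """\
May 29 21:11:36 niagara arpwatch: changed ethernet address 10.0.37.28 2e:4b:2b:2:f:13 (0:2:44:7c:14:f9) eth1
May 29 21:11:36 niagara arpwatch: changed ethernet address 10.0.37.16 2e:4b:2b:2:f:13 (0:30:4f:26:cc:9) eth1
May 29 21:11:36 niagara arpwatch: flip flop 10.0.37.16 0:30:4f:26:cc:9 (2e:4b:2b:2:f:13) eth1
May 29 21:12:02 niagara dhcpd: DHCPACK on 10.0.37.10 to 00:c0:9f:19:24:03 via eth1
May 29 21:12:05 niagara arpwatch: changed ethernet address 10.0.37.7 2f:d:12:28:20:50 (0:30:4f:11:a0:40) eth1
May 29 21:12:05 niagara arpwatch: changed ethernet address 10.0.37.6 2f:d:12:28:20:50 (0:30:4f:11:a5:1e) eth1
""".splitlines()

if __name__ == "__main__":
    claimed, changes = analyse(SAMPLE)
    for mac, ips in sorted(claimed.items()):
        print(mac, sorted(mac_flags(mac)), "claimed", sorted(ips))
    print("changes per IP:", changes)
```

Run against the full syslog, a MAC that appears under several IPs within the same second, or one with the group bit set, cannot be an ordinary host NIC and points at either forged ARP traffic or a faulty device.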

