Hi. Since last we have four MAC addresses in the ARP table of a server that should not be there:
$ ip route default via XXX.XXX.98.254 dev eth0 onlink XXX.XXX.96.0/22 dev eth0 proto kernel scope link src XXX.XXX.98.94 But: $ ip neigh | grep -v 'XXX.XXX.9[6789]' XXX.XXX.103.161 dev eth0 lladdr YY:YY:YY:YY:YY:YY<STALE XXX.XXX.103.189 dev eth0 lladdr YY:YY:YY:YY:YY:YY STALE XXX.XXX.100.76 dev eth0 lladdr ZZ:ZZ:ZZ:ZZ:ZZ:ZZ STALE XXX.XXX.100.86 dev eth0 lladdr ZZ:ZZ:ZZ:ZZ:ZZ:ZZ STALE $ arp -a | grep -v 'XXX.XXX.9[6789]' ? (XXX.XXX.103.161) at YY:YY:YY:YY:YY:YY [ether] on eth0 ? (XXX.XXX.103.189) at YY:YY:YY:YY:YY:YY [ether] on eth0 XXXX.XX.XXX.XX (XXX.XXX.100.76) at ZZ:ZZ:ZZ:ZZ:ZZ:ZZ [ether] on eth0 XXXX.XX.XXX.XX (XXX.XXX.100.86) at ZZ:ZZ:ZZ:ZZ:ZZ:ZZ [ether] on eth0 As you can see, the server is on the …96.0/22 subnet, i.e. …96-…99, but it sees MAC addresses on the 100 and 103 networks. I ran tcpdump for some time and saw no ARP packet with these addresses. And they will not go away by themselves like the rest of the ARP tables. Does anybody have an inkling about why a Linux kernel would register neighbors like that? Regards, -- Nicolas George
