Re: arplookup 0.0.0.0 failed: host is not on local network
Jon Radel wrote:
> to see what you can catch.

First of all, thanks for taking time to help me on this.

[EMAIL PROTECTED] ~]# tcpdump -vvv -n -l -e arp
tcpdump: listening on nfe0, link-type EN10MB (Ethernet), capture size 96 bytes
08:58:46.337968 00:1d:60:36:34:a6 ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 192.168.0.3 tell 192.168.0.12
08:58:46.337974 00:18:f3:29:d8:15 00:1d:60:36:34:a6, ethertype ARP (0x0806), length 42: arp reply 192.168.0.3 is-at 00:18:f3:29:d8:15
08:59:46.842884 00:1d:60:36:34:a6 ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 192.168.0.3 tell 192.168.0.12
08:59:46.842890 00:18:f3:29:d8:15 00:1d:60:36:34:a6, ethertype ARP (0x0806), length 42: arp reply 192.168.0.3 is-at 00:18:f3:29:d8:15
09:00:47.349826 00:1d:60:36:34:a6 ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 192.168.0.3 tell 192.168.0.12
09:00:47.349833 00:18:f3:29:d8:15 00:1d:60:36:34:a6, ethertype ARP (0x0806), length 42: arp reply 192.168.0.3 is-at 00:18:f3:29:d8:15
09:01:47.854742 00:1d:60:36:34:a6 ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 192.168.0.3 tell 192.168.0.12
09:01:47.854748 00:18:f3:29:d8:15 00:1d:60:36:34:a6, ethertype ARP (0x0806), length 42: arp reply 192.168.0.3 is-at 00:18:f3:29:d8:15
09:02:48.359670 00:1d:60:36:34:a6 ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 192.168.0.3 tell 192.168.0.12
09:02:48.359677 00:18:f3:29:d8:15 00:1d:60:36:34:a6, ethertype ARP (0x0806), length 42: arp reply 192.168.0.3 is-at 00:18:f3:29:d8:15
09:03:48.864618 00:1d:60:36:34:a6 ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 192.168.0.3 tell 192.168.0.12
09:03:48.864624 00:18:f3:29:d8:15 00:1d:60:36:34:a6, ethertype ARP (0x0806), length 42: arp reply 192.168.0.3 is-at 00:18:f3:29:d8:15
09:04:49.370546 00:1d:60:36:34:a6 ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 192.168.0.3 tell 192.168.0.12
09:04:49.370551 00:18:f3:29:d8:15 00:1d:60:36:34:a6, ethertype ARP (0x0806), length 42: arp reply 192.168.0.3 is-at 00:18:f3:29:d8:15

There is this line saying: 00:1d:60:36:34:a6 ff:ff:ff:ff:ff:ff and nothing has ff:ff:ff:ff:ff:ff as a mac address :)

[EMAIL PROTECTED] ~]# tcpdump -vvv -n -l -e -s 128 arp or ip | grep 0.0.0.0
tcpdump: listening on nfe0, link-type EN10MB (Ethernet), capture size 128 bytes
09:10:51.405030 00:18:f3:29:d8:15 00:01:c0:03:7c:09, ethertype IPv4 (0x0800), length 66: (tos 0x10, ttl 64, id 58427, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 0 (-6565)!) 192.168.0.3.22 62.97.242.6.61121: ., cksum 0xf139 (incorrect (- 0x5ca1), 13136:13136(0) ack 481 win 8320 nop,nop,timestamp 1359099282 347410448
09:11:42.703020 00:01:c0:03:7c:09 00:18:f3:29:d8:15, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 53, id 17642, offset 0, flags [DF], proto TCP (6), length 52) 82.137.33.24.35497 192.168.0.3.52332: ., cksum 0x7181 (correct), 938:938(0) ack 843885 win 65160 nop,nop,timestamp 4052665 1969055395
09:11:51.809030 00:01:c0:03:7c:09 00:18:f3:29:d8:15, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 53, id 19037, offset 0, flags [DF], proto TCP (6), length 52) 82.137.33.24.35497 192.168.0.3.52332: ., cksum 0x2a5b (correct), 1135:1135(0) ack 982794 win 65160 nop,nop,timestamp 4053576 1969064662

$ arp -a
hugs.carebears.lan (192.168.0.1) at 00:01:c0:03:7c:09 on nfe0 [ethernet]
shine (192.168.0.3) at 00:18:f3:29:d8:15 on nfe0 permanent [ethernet]
funshine.carebears.lan (192.168.0.12) at 00:1d:60:36:34:a6 on nfe0 [ethernet]
? (192.168.0.255) at ff:ff:ff:ff:ff:ff on nfe0 permanent [ethernet]

I'll take your tip on shutting down one machine at a time to see which machine does this. Somehow I suspect my Windows 2008 Server box :)

--
chs
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: arplookup 0.0.0.0 failed: host is not on local network
Christian Walther wrote:
> I don't want to point you into the wrong direction, but is it possible that this arp entry is actually a sign of an ARP spoofing attempt?
> http://en.wikipedia.org/wiki/ARP_spoofing

I suspect that, but I just want to know if it might be something else.

> Do you run a wireless network?

Yes I do. And that means that I will also try to be even more pedantic in the security on that box.

--
chs

Re: arplookup 0.0.0.0 failed: host is not on local network
Christer Solskogen wrote:
> [EMAIL PROTECTED] ~]# tcpdump -vvv -n -l -e arp
> tcpdump: listening on nfe0, link-type EN10MB (Ethernet), capture size 96 bytes
> 08:58:46.337968 00:1d:60:36:34:a6 ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 192.168.0.3 tell 192.168.0.12
> 08:58:46.337974 00:18:f3:29:d8:15 00:1d:60:36:34:a6, ethertype ARP (0x0806), length 42: arp reply 192.168.0.3 is-at 00:18:f3:29:d8:15
> ...snip...
> There is this line saying: 00:1d:60:36:34:a6 ff:ff:ff:ff:ff:ff and nothing has ff:ff:ff:ff:ff:ff as a mac address :)

ff:ff:ff:ff:ff:ff is the broadcast address. That looks like a rather mundane arp request broadcast followed by a reply from the machine with the address in question. The trick will be to see if you see anything with tcpdump at the time one of the syslog messages about 0.0.0.0 gets logged.

BTW, just for the record, personally I doubt this is anything serious to worry about, but as I have no real evidence for that feeling You may, however, find http://en.wikipedia.org/wiki/0.0.0.0 at least mildly interesting.

--Jon Radel

Re: arplookup 0.0.0.0 failed: host is not on local network
Derek Ragona wrote:
> Yes aliases should have a netmask of 255.255.255.255

Still no go. 192.168.0.255 is showing up in arp -a and netstat -rn. (and the arplookup 0.0.0.0 failed: host is not on local network in /var/log/messages)

nfe0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST metric 0 mtu 1500
        options=18bRXCSUM,TXCSUM,VLAN_MTU,VLAN_HWCSUM,TSO4
        ether 00:18:f3:29:d8:15
        inet 192.168.0.3 netmask 0xff00 broadcast 192.168.0.255
        inet 192.168.0.4 netmask 0x broadcast 192.168.0.4
        inet 192.168.0.5 netmask 0x broadcast 192.168.0.5
        media: Ethernet autoselect (1000baseTX full-duplex,flag0,flag1)
        status: active

Anything else that might explain this kind of behavior?

--
chs

Re: arplookup 0.0.0.0 failed: host is not on local network
At 06:22 AM 5/14/2008, Christer Solskogen wrote:
> Derek Ragona wrote:
> > Yes aliases should have a netmask of 255.255.255.255
>
> Still no go. 192.168.0.255 is showing up in arp -a and netstat -rn. (and the arplookup 0.0.0.0 failed: host is not on local network in /var/log/messages)
>
> nfe0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST metric 0 mtu 1500
>         options=18bRXCSUM,TXCSUM,VLAN_MTU,VLAN_HWCSUM,TSO4
>         ether 00:18:f3:29:d8:15
>         inet 192.168.0.3 netmask 0xff00 broadcast 192.168.0.255
>         inet 192.168.0.4 netmask 0x broadcast 192.168.0.4
>         inet 192.168.0.5 netmask 0x broadcast 192.168.0.5
>         media: Ethernet autoselect (1000baseTX full-duplex,flag0,flag1)
>         status: active
>
> Anything else that might explain this kind of behavior?
>
> --
> chs

I would do a traceroute from all your hosts there. When you do, keep an eye out for the arp error message. This should help find the host causing these errors and then look at that system's configuration.

Also do you have more than one ethernet interface in the system showing the arp errors? If you do, make sure the interfaces are on different subnets.

-Derek

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

Re: arplookup 0.0.0.0 failed: host is not on local network
Derek Ragona wrote:
> I would do a traceroute from all your hosts there. When you do, keep an eye out for the arp error message. This should help find the host causing these errors and then look at that system's configuration.
>
> Also do you have more than one ethernet interface in the system showing the arp errors? If you do, make sure the interfaces are on different subnets.

traceroute doesn't show anything (no response). Only ping responds, and ping responds with 192.168.0.1 - which is my router. My router on the other hand does not have this arp problem. Only the other machines.

Every machine, except my router, has only one interface. (my router has two, but they are on two different subnets)

--
chs

Re: arplookup 0.0.0.0 failed: host is not on local network
Christer Solskogen wrote:
> Derek Ragona wrote:
> > I would do a traceroute from all your hosts there. When you do, keep an eye out for the arp error message. This should help find the host causing these errors and then look at that system's configuration.
> >
> > Also do you have more than one ethernet interface in the system showing the arp errors? If you do, make sure the interfaces are on different subnets.
>
> traceroute doesn't show anything (no response). Only ping responds, and ping responds with 192.168.0.1 - which is my router. My router on the other hand does not have this arp problem. Only the other machines.
>
> Every machine, except my router, has only one interface. (my router has two, but they are on two different subnets)

OK, this problem amused me enough to play around. Unfortunately, while I was able to, somehow, replicate the log entries on a FreeBSD 6.2 box, I don't know how, as it was a box that I wasn't using for my experiments (though on the same LAN segment as those I was using) and it was only the next day that I realized that it had taken offense at something I'd done. By then I'd forgotten what I'd tried in which order

In any case, what I can tell you:

On FreeBSD (various versions from 4.9 to 7.0) and MacOS X 10.4, ping 0.0.0.0 appears to be the equivalent of pinging the ipv4 default gateway (if you use tcpdump you can actually see the packets with a destination address of 0.0.0.0 go out and the replies come in). OpenBSD 4.2 and Windows XP basically tell you can't do such a foolish thing. I think this is a red herring.

I doubt you have an interface with a 0.0.0.0 address. What I suspect you have is some software, somewhere on the same segment as the machine logging the complaints, that is triggering an ARP query for 0.0.0.0.

If you really want to track this down, what I'd strongly urge you to start with is to, on a machine where the log entries happen, run the command

tcpdump -vvv -n -l -e arp

and see if you can catch ARP traffic mentioning 0.0.0.0. If you catch one, this will give you the MAC address of the source of the traffic. I would hope that this would help narrow it down.

Meanwhile, I'll see if I can replicate this when I'm paying a bit more attention. :-)

--Jon Radel

Re: arplookup 0.0.0.0 failed: host is not on local network
Jon Radel wrote:
> Christer Solskogen wrote:
> > Derek Ragona wrote:
> > > I would do a traceroute from all your hosts there. When you do, keep an eye out for the arp error message. This should help find the host causing these errors and then look at that system's configuration.
> > >
> > > Also do you have more than one ethernet interface in the system showing the arp errors? If you do, make sure the interfaces are on different subnets.
> >
> > traceroute doesn't show anything (no response). Only ping responds, and ping responds with 192.168.0.1 - which is my router. My router on the other hand does not have this arp problem. Only the other machines.
> >
> > Every machine, except my router, has only one interface. (my router has two, but they are on two different subnets)
>
> OK, this problem amused me enough to play around. Unfortunately, while I was able to, somehow, replicate the log entries on a FreeBSD 6.2 box, I don't know how, as it was a box that I wasn't using for my experiments (though on the same LAN segment as those I was using) and it was only the next day that I realized that it had taken offense at something I'd done. By then I'd forgotten what I'd tried in which order

On FreeBSD 7.0 box on other side of OpenBSD 4.2 router did an

arpdig 216.143.151.1/28

On FreeBSD 6.2 box tcpdump said:

22:45:06.707002 00:08:02:cc:b1:60 ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 216.143.151.11 tell 0.0.0.0
22:45:06.707020 00:16:76:cf:e4:b3 00:08:02:cc:b1:60, ethertype ARP (0x0806), length 42: arp reply 216.143.151.11 is-at 00:16:76:cf:e4:b3

with resulting message in debug.log:

May 14 22:45:06 left kernel: arplookup 0.0.0.0 failed: host is not on local network
May 14 22:45:07 left last message repeated 2 times

So I'm actually going to update my hypothesis a bit; I suspect that any incoming packet that triggers an ARP lookup for 0.0.0.0 will result in this message. Try

tcpdump -vvv -n -l -e -s 128 arp or ip | grep 0.0.0.0

to see what you can catch.

--Jon Radel

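The check Jon describes above, as an added example that is not part of the original thread: it parses `tcpdump -n -e arp` text output, reports requests whose sender is 0.0.0.0 together with the source MAC of the frame, and also lists any IP claimed by more than one MAC in replies (the spoofing question raised earlier in the thread). The function names are made up for this example; the sample lines are copied from the captures quoted in the thread, with the `>` separator restored on one line to show both forms are accepted.

```python
import re
from collections import Counter, defaultdict

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# One line of `tcpdump -n -e arp` text output, in the format quoted in this
# thread. The archive copy lost the ">" between the MACs, so it is optional.
ARP_LINE = re.compile(
    rf"^(?P<ts>\d{{2}}:\d{{2}}:\d{{2}}\.\d+)\s+(?P<src>{MAC})\s+(?:>\s+)?"
    rf"(?P<dst>{MAC}),\s+ethertype ARP \(0x0806\), length \d+:\s+(?P<body>.*)$",
    re.IGNORECASE,
)
WHO_HAS = re.compile(rf"who-has (?P<target>{IPV4}) tell (?P<sender>{IPV4})", re.I)
IS_AT = re.compile(rf"reply (?P<sender>{IPV4}) is-at (?P<mac>{MAC})", re.I)

# Lines taken from the thread; the third has ">" restored for illustration.
SAMPLE = """\
08:58:46.337968 00:1d:60:36:34:a6 ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 192.168.0.3 tell 192.168.0.12
08:58:46.337974 00:18:f3:29:d8:15 00:1d:60:36:34:a6, ethertype ARP (0x0806), length 42: arp reply 192.168.0.3 is-at 00:18:f3:29:d8:15
22:45:06.707002 00:08:02:cc:b1:60 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 216.143.151.11 tell 0.0.0.0
22:45:06.707020 00:16:76:cf:e4:b3 00:08:02:cc:b1:60, ethertype ARP (0x0806), length 42: arp reply 216.143.151.11 is-at 00:16:76:cf:e4:b3
tcpdump: listening on nfe0, link-type EN10MB (Ethernet), capture size 96 bytes
"""


def parse_arp_line(line):
    """Return a dict for an ARP request/reply line, or None for anything else."""
    m = ARP_LINE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "src_mac": m["src"].lower(), "dst_mac": m["dst"].lower()}
    req = WHO_HAS.search(m["body"])
    if req:
        rec.update(op="request", target_ip=req["target"], sender_ip=req["sender"])
        return rec
    rep = IS_AT.search(m["body"])
    if rep:
        rec.update(op="reply", sender_ip=rep["sender"], sender_mac=rep["mac"].lower())
        return rec
    return None


def unspecified_senders(lines):
    """ARP requests that say 'tell 0.0.0.0', the pattern captured next to the log message."""
    return [
        r for r in map(parse_arp_line, lines)
        if r and r["op"] == "request" and r["sender_ip"] == "0.0.0.0"
    ]


def offenders_by_mac(lines):
    """Count 'tell 0.0.0.0' requests per Ethernet source MAC."""
    return Counter(r["src_mac"] for r in unspecified_senders(lines))


def conflicting_replies(lines):
    """IPs that more than one MAC claims in ARP replies (worth a closer look)."""
    owners = defaultdict(set)
    for r in map(parse_arp_line, lines):
        if r and r["op"] == "reply":
            owners[r["sender_ip"]].add(r["sender_mac"])
    return {ip: sorted(macs) for ip, macs in owners.items() if len(macs) > 1}


if __name__ == "__main__":
    for hit in unspecified_senders(SAMPLE.splitlines()):
        print(f'{hit["ts"]} {hit["src_mac"]} asked for {hit["target_ip"]} as 0.0.0.0')
    print("conflicts:", conflicting_replies(SAMPLE.splitlines()))
```

To use it on a live capture, feed it the saved output of the `tcpdump -vvv -n -l -e arp` command from the thread, one line per list element.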
Re: arplookup 0.0.0.0 failed: host is not on local network
At 04:50 PM 5/14/2008, Christer Solskogen wrote:
> Derek Ragona wrote:
> > I would do a traceroute from all your hosts there. When you do, keep an eye out for the arp error message. This should help find the host causing these errors and then look at that system's configuration.
> >
> > Also do you have more than one ethernet interface in the system showing the arp errors? If you do, make sure the interfaces are on different subnets.
>
> traceroute doesn't show anything (no response). Only ping responds, and ping responds with 192.168.0.1 - which is my router. My router on the other hand does not have this arp problem. Only the other machines.
>
> Every machine, except my router, has only one interface. (my router has two, but they are on two different subnets)
>
> --
> chs

In your router are the interfaces bridged? These errors can come from a bridged interface where the packets are passed through those interfaces.

Another test you might consider is unplugging each system from your lan to identify which one is causing the errors. Once you find the system causing the error the trick will be to find what on that system is generating the traffic.

-Derek

Re: arplookup 0.0.0.0 failed: host is not on local network
Derek Ragona wrote:
> Sounds like you have 0.0.0.0 configured on an ethernet interface. I would check all your systems, and be sure it isn't used.

I checked, and there is no interface with that ip address. But thanks for the advice.

OpenBSD box - where 0.0.0.0 is resolving to.

rl0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500
        lladdr 00:01:c0:03:7c:09
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::201:c0ff:fe03:7c09%rl0 prefixlen 64 scopeid 0x1
        inet 192.168.0.1 netmask 0xff00 broadcast 192.168.0.255

nfe0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST metric 0 mtu 1500
        options=18bRXCSUM,TXCSUM,VLAN_MTU,VLAN_HWCSUM,TSO4
        ether 00:18:f3:29:d8:15
        inet 192.168.0.3 netmask 0xff00 broadcast 192.168.0.255
        inet 192.168.0.4 netmask 0xff00 broadcast 192.168.0.255
        inet 192.168.0.5 netmask 0xff00 broadcast 192.168.0.255
        media: Ethernet autoselect (1000baseTX full-duplex,flag0,flag1)
        status: active

(I also have a Mac OS X 10.5 which also resolves 0.0.0.0 to 192.168.0.1. But a Windows machine does not resolve 0.0.0.0)

--
chs

Re: arplookup 0.0.0.0 failed: host is not on local network
Christer Solskogen wrote:
> Derek Ragona wrote:
> > Sounds like you have 0.0.0.0 configured on an ethernet interface. I would check all your systems, and be sure it isn't used.
>
> I checked, and there is no interface with that ip address. But thanks for the advice.
>
> OpenBSD box - where 0.0.0.0 is resolving to.
>
> rl0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500
>         lladdr 00:01:c0:03:7c:09
>         media: Ethernet autoselect (100baseTX full-duplex)
>         status: active
>         inet6 fe80::201:c0ff:fe03:7c09%rl0 prefixlen 64 scopeid 0x1
>         inet 192.168.0.1 netmask 0xff00 broadcast 192.168.0.255
>
> nfe0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST metric 0 mtu 1500
>         options=18bRXCSUM,TXCSUM,VLAN_MTU,VLAN_HWCSUM,TSO4
>         ether 00:18:f3:29:d8:15
>         inet 192.168.0.3 netmask 0xff00 broadcast 192.168.0.255
>         inet 192.168.0.4 netmask 0xff00 broadcast 192.168.0.255
>         inet 192.168.0.5 netmask 0xff00 broadcast 192.168.0.255
>         media: Ethernet autoselect (1000baseTX full-duplex,flag0,flag1)
>         status: active
>
> (I also have a Mac OS X 10.5 which also resolves 0.0.0.0 to 192.168.0.1. But a Windows machine does not resolve 0.0.0.0)

Gah, my bad. The nfe0 interface is not on OpenBSD, but on my FreeBSD box (where these arp messages show up)

--
chs

Re: arplookup 0.0.0.0 failed: host is not on local network
At 12:55 PM 5/12/2008, Christer Solskogen wrote:
> Christer Solskogen wrote:
> > Derek Ragona wrote:
> > > Sounds like you have 0.0.0.0 configured on an ethernet interface. I would check all your systems, and be sure it isn't used.
> >
> > I checked, and there is no interface with that ip address. But thanks for the advice.
> >
> > OpenBSD box - where 0.0.0.0 is resolving to.
> >
> > rl0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500
> >         lladdr 00:01:c0:03:7c:09
> >         media: Ethernet autoselect (100baseTX full-duplex)
> >         status: active
> >         inet6 fe80::201:c0ff:fe03:7c09%rl0 prefixlen 64 scopeid 0x1
> >         inet 192.168.0.1 netmask 0xff00 broadcast 192.168.0.255
> >
> > nfe0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST metric 0 mtu 1500
> >         options=18bRXCSUM,TXCSUM,VLAN_MTU,VLAN_HWCSUM,TSO4
> >         ether 00:18:f3:29:d8:15
> >         inet 192.168.0.3 netmask 0xff00 broadcast 192.168.0.255
> >         inet 192.168.0.4 netmask 0xff00 broadcast 192.168.0.255
> >         inet 192.168.0.5 netmask 0xff00 broadcast 192.168.0.255
> >         media: Ethernet autoselect (1000baseTX full-duplex,flag0,flag1)
> >         status: active
> >
> > (I also have a Mac OS X 10.5 which also resolves 0.0.0.0 to 192.168.0.1. But a Windows machine does not resolve 0.0.0.0)
>
> Gah, my bad. The nfe0 interface is not on OpenBSD, but on my FreeBSD box (where these arp messages show up)

You may want to do traceroutes from the systems that do find the 0.0.0.0 interface. I would bet you have a default route and/or netmask sending the traffic.

You will get those arp messages if you run two different interfaces on the same system, on the same subnet (not to be confused with running multiple IPs on an interface.) Arp tries to tie an IP address to a machine address, but if the reverse routing isn't correct you will see these error messages.

-Derek

Re: arplookup 0.0.0.0 failed: host is not on local network
Derek Ragona wrote:
> You may want to do traceroutes from the systems that do find the 0.0.0.0 interface. I would bet you have a default route and/or netmask sending the traffic.
>
> You will get those arp messages if you run two different interfaces on the same system, on the same subnet (not to be confused with running multiple IPs on an interface.) Arp tries to tie an IP address to a machine address, but if the reverse routing isn't correct you will see these error messages.

A tip from George Davidovich setting the aliases to use netmask to 0x seems to fix the problem.

--
chs

Re: arplookup 0.0.0.0 failed: host is not on local network
At 03:44 PM 5/12/2008, Christer Solskogen wrote:
> Derek Ragona wrote:
> > You may want to do traceroutes from the systems that do find the 0.0.0.0 interface. I would bet you have a default route and/or netmask sending the traffic.
> >
> > You will get those arp messages if you run two different interfaces on the same system, on the same subnet (not to be confused with running multiple IPs on an interface.) Arp tries to tie an IP address to a machine address, but if the reverse routing isn't correct you will see these error messages.
>
> A tip from George Davidovich setting the aliases to use netmask to 0x seems to fix the problem.
>
> --
> chs

Yes aliases should have a netmask of 255.255.255.255

-Derek

Re: arplookup 0.0.0.0 failed: host is not on local network
At 03:39 PM 5/11/2008, Christer Solskogen wrote:
> Hi!
> I have been seeing a lot of warnings in syslog the last week. Does anyone have a tip for where to begin searching for the sinner?
>
> arplookup 0.0.0.0 failed: host is not on local network
> arplookup 0.0.0.0 failed: host is not on local network
> arplookup 0.0.0.0 failed: host is not on local network
> arplookup 0.0.0.0 failed: host is not on local network
>
> pinging 0.0.0.0 gives me reply from 192.168.0.1 which is my OpenBSD router. The warnings show up on my FreeBSD server. Nothing on the OpenBSD box.
>
> $ uname -a
> FreeBSD shine.carebears.lan 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Thu Feb 28 07:58:17 CET 2008 [EMAIL PROTECTED]:/files2/build/usr/src/sys/SHINE amd64
>
> --
> chs

Sounds like you have 0.0.0.0 configured on an ethernet interface. I would check all your systems, and be sure it isn't used.

-Derek

Re: arplookup 0.0.0.0
On Tue, Feb 04, 2003 at 08:15:04AM +0100, Roman Neuhauser wrote:
> # [EMAIL PROTECTED] / 2003-02-01 18:55:23 -0800:
> > On Sat, Feb 01, 2003 at 05:20:53PM -0500, Stephen D. Kingrea wrote:
> > > tcpdump tells me that incoming smtp requests are generating these messages at the same time as receiving mail. i am pretty sure that either sendmail or ipfw rules is the cause...
> > >
> > > any good tutorials out there on interpreting tcpdump output?
> > >
> > > stephen
> >
> > If you have X installed, you could use ethereal (/usr/ports/net/ethereal) it is a very nice graphical interface for analyzing network traffic. I think it uses tcpdump itself??
>
> you can use ethereal without X.

You are probably referring to `tethereal`. I am talking about `ethereal` - the GUI. They are two different binaries. The first sentence of the ethereal man page says: Ethereal is a GUI network protocol analyzer. At any rate, my point in suggesting ethereal was to offer up an alternative to the text based tcpdump, in the hope that it might be easier to analyze the data, not simply to offer up another text based utility. In a broad sense you are correct in that tethereal is installed along with ethereal, in a technical sense you are wrong.

Nathan

--
GPG Public Key ID: 0x4250A04C
gpg --keyserver pgp.mit.edu --recv-keys 4250A04C
http://63.105.21.156/gpg_nkinkade_4250A04C.asc

solved: Re: arplookup 0.0.0.0
turns out that the file /etc/mail/local-host-names was not properly configured. damn! it is so galling when one misses the simplest things!

stephen

On Sat, 1 Feb 2003, Nathan Kinkade wrote:

> On Sat, Feb 01, 2003 at 05:20:53PM -0500, Stephen D. Kingrea wrote:
> > tcpdump tells me that incoming smtp requests are generating these messages at the same time as receiving mail. i am pretty sure that either sendmail or ipfw rules is the cause...
> >
> > any good tutorials out there on interpreting tcpdump output?
> >
> > stephen
>
> If you have X installed, you could use ethereal (/usr/ports/net/ethereal) it is a very nice graphical interface for analyzing network traffic. I think it uses tcpdump itself??
>
> Nathan
>
> --
> GPG Public Key ID: 0x4250A04C
> gpg --keyserver pgp.mit.edu --recv-keys 4250A04C
> http://63.105.21.156/gpg_nkinkade_4250A04C.asc

To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-questions in the body of the message

Re: arplookup 0.0.0.0
# [EMAIL PROTECTED] / 2003-02-01 18:55:23 -0800:
> On Sat, Feb 01, 2003 at 05:20:53PM -0500, Stephen D. Kingrea wrote:
> > tcpdump tells me that incoming smtp requests are generating these messages at the same time as receiving mail. i am pretty sure that either sendmail or ipfw rules is the cause...
> >
> > any good tutorials out there on interpreting tcpdump output?
> >
> > stephen
>
> If you have X installed, you could use ethereal (/usr/ports/net/ethereal) it is a very nice graphical interface for analyzing network traffic. I think it uses tcpdump itself??

you can use ethereal without X.

--
If you cc me or remove the list(s) completely I'll most likely ignore your message. see http://www.eyrie.org./~eagle/faqs/questions.html

Re: arplookup 0.0.0.0
tcpdump tells me that incoming smtp requests are generating these messages at the same time as receiving mail. i am pretty sure that either sendmail or ipfw rules is the cause...

any good tutorials out there on interpreting tcpdump output?

stephen

On Fri, 31 Jan 2003, Juris Krumins wrote:

> Could be sendmail. But I would try first of all to figure out who are source of the arp request. Suppose we are talking about LAN or something like that. So try to find out the source of the request. Could be the same box, but I think it's not. So use sniffers like tcpdump or something like that. Just take a look at your logs to figure out the frequency of requests. So then you will figure out the source. unfortunately I'm not sendmail expert not even close.
>
> - Original Message -
> From: Stephen D. Kingrea [EMAIL PROTECTED]
> To: Juris Krumins [EMAIL PROTECTED]
> Sent: Friday, January 31, 2003 4:26 PM
> Subject: Re: arplookup 0.0.0.0
>
> > is there a way to suppress the message itself? i seem to be getting it quite often, and really just started after configuring and activating sendmail. i suspect that there is a possible misconfiguration involving sendmail itself, but mail seems to be flowing nicely
> >
> > stephen d. kingrea
> >
> > On Fri, 31 Jan 2003, Juris Krumins wrote:
> >
> > > There's no such a term like default in arp table, like it is in routing tables. There's nothing you have to add. I think it was just a query which was sent to your machine. So your box didn't find anything about that in local his local arp table. That's why you got the answer like :
> > > www /kernel: arplookup 0.0.0.0 failed: host is not on local network
> > > mean that your box knows nothing about how to convert 0.0.0.0 IP address into MAC address.
> > >
> > > - Original Message -
> > > From: Stephen D. Kingrea [EMAIL PROTECTED]
> > > To: [EMAIL PROTECTED]
> > > Sent: Friday, January 31, 2003 4:07 PM
> > > Subject: arplookup 0.0.0.0
> > >
> > > > hope one of youse can help with this...
> > > >
> > > > i am suddenly and inexplicably getting the message:
> > > >
> > > > www /kernel: arpresolve: can't allocate llinfo for 0.0.0.0rt
> > > > www /kernel: arplookup 0.0.0.0 failed: host is not on local network
> > > >
> > > > nothing seems affected, that is to say that everything works as advertised. do i need to add default to my arp tables?
> > > >
> > > > running 4.7, apache2, ipfw/natd, as gateway to 3 internal networked nodes. what other info do i need to share?
> > > >
> > > > thank you!
> > > >
> > > > stephen d. kingrea

Re: arplookup 0.0.0.0
On Sat, Feb 01, 2003 at 05:20:53PM -0500, Stephen D. Kingrea wrote:
> tcpdump tells me that incoming smtp requests are generating these messages at the same time as receiving mail. i am pretty sure that either sendmail or ipfw rules is the cause...
>
> any good tutorials out there on interpreting tcpdump output?
>
> stephen

If you have X installed, you could use ethereal (/usr/ports/net/ethereal) it is a very nice graphical interface for analyzing network traffic. I think it uses tcpdump itself??

Nathan

--
GPG Public Key ID: 0x4250A04C
gpg --keyserver pgp.mit.edu --recv-keys 4250A04C
http://63.105.21.156/gpg_nkinkade_4250A04C.asc