| 1 |
lee <lee <at> yagibdah.de> writes: |
| 2 |
|
| 3 |
|
| 4 |
> >> They are wrong because there is no way for network traffic from the |
| 5 |
> >> devices on the LAN to make it to the interface enp2s0. Or, if they do |
| 6 |
> >> make it there, then there is something else seriously wrong. |
| 7 |
|
| 8 |
|
| 9 |
Absolutely. ARP has been around a very long time (rfc 826). There are |
| 10 |
thousands of code snippets out there that contain 'arp chatter'; many are |
| 11 |
benign, some are still useful, other are parts of sploits. *usually* after |
| 12 |
an extensive search, the source of the chatter is very sporadic and found in |
| 13 |
a product from a vendor. In the early days, many vendors used codes from a |
| 14 |
variety of sources to get their products to work with a variety of other |
| 15 |
devices that supported 'ethernet'. |
| 16 |
|
| 17 |
Unfortunately many companies put these codes into mal-form 'ip stacks' |
| 18 |
in products with embedded controllers. The turn over of corporate coding |
| 19 |
staff has resulted in many of the these code snippets remaining because 'the |
| 20 |
new guy' with full stack responsibility did not want to mess with parts of |
| 21 |
other folks codes. This situation varies widely and is a mild problem from |
| 22 |
big name gear (starts with a C) to the little vendors. |
| 23 |
|
| 24 |
As a consultant, it's a source of billable hours for those that can find the |
| 25 |
source (very common with industrial ethernet based control systems). |
| 26 |
It is an unmanaged irritant that mostly goes ignored from overworked coders |
| 27 |
at various vendor corps running their 'own ip stack'. |
| 28 |
|
| 29 |
And again your source(s) of nefarious arp issues many have no relationship |
| 30 |
at all to these 'arp quirks' I have characterised. |
| 31 |
|
| 32 |
> > tcpdump -i enp2s0 arp |
| 33 |
|
| 34 |
> > will tell you if the arps are being generated from something on the wire |
| 35 |
> > side. If there's not much traffic then clear the arp entry and ping |
| 36 |
> > the IP address to generate traffic. |
| 37 |
> Yes, I already tried that and didn't get any traffic listed. |
| 38 |
|
| 39 |
|
| 40 |
For me, it usually takes a while to find these 'buggers' as most are |
| 41 |
vendor vestibules in my experience. |
| 42 |
|
| 43 |
|
| 44 |
good hunting, |
| 45 |
James |
Archives