
BLU Discuss list archive


ARP configuration parameters?

Does anyone know where I can find a good description of the configuration
parameters for ARP? I'll explain why in a moment, but the parameters I'm 
talking about are those described in /proc/sys/net/ipv4:

$ head /proc/sys/net/ipv4/*
==> /proc/sys/net/ipv4/arp_check_interval <==

==> /proc/sys/net/ipv4/arp_confirm_interval <==

==> /proc/sys/net/ipv4/arp_confirm_timeout <==

==> /proc/sys/net/ipv4/arp_dead_res_time <==

==> /proc/sys/net/ipv4/arp_max_tries <==

==> /proc/sys/net/ipv4/arp_res_time <==

==> /proc/sys/net/ipv4/arp_timeout <==

==> /proc/sys/net/ipv4/ip_dynaddr <==

==> /proc/sys/net/ipv4/ip_forward <==

The reason I'm wondering about these is that there seems to be an
awful lot of ARP traffic on my network. The network looks, at the
moment, like this:

MediaOne     <---> SonicWall  <---->  cheap  <--->  Linux box A
Cable modem        (firewall)          hub            ("salt")
                    ("sonic")           ^
                                NetGear FS508 10/100
                                   enet switch
                                 ^      ^      ^
                                 |      |      |
                  Linux box B <--+      |      +--> W98 (ugh) laptop
                  ("ginger")            v             ("cayenne")

I'm running tcpdump on "salt" (which is on the hub with the firewall
machine "sonic"). I see several bits of odd behavior:

1) Some machines appear to be sending non-broadcast ARP requests. For 
   instance, here's a case where "salt" sent an ARP request specifically to
   "sonic" TO GET SONIC's ADDRESS!

   13:52:28.835598 0:40:5:50:99:13 0:e0:4f:23:78:0 arp 42: 
                   arp who-has tell
   13:52:28.835598 0:e0:4f:23:78:0 0:40:5:50:99:13 arp 60: 
                   arp reply is-at 0:e0:4f:23:78:0

2) Generally the SonicWall replied twice to each ARP request. I will
   send mail to Sonic to ask them about this; RFC826 (which describes 
   ARP) doesn't seem to suggest this behavior. Has anyone seen other
   systems do this?

3) I see a lot of ARP traffic (in particular these non-broadcast ARPs)
   about every 6 minutes. Unless the units are very strange (hundredths
   of a minute?) this doesn't seem to correspond to any of the tunable
   parameters in /proc.

Anyway, before I start grovelling source code, I figured I'd ask around
to see if there's a write-up on this stuff somewhere.

[I'm also curious as to whether any of this traffic might be generated
by the ethernet switch, which must maintain its own cache of which
MAC addresses are on which ports. But this is a pretty low-end switch,
so I doubt it's got much in the way of brains...]

-- Jerry Callen                      Mobile: 617-388-3990
   Narsil                            FAX:    617-876-5331
   63 Orchard Street                 email:  jcallen at
   Cambridge, MA 02140-1328

   PGP public keys available from
       DH/DSS key ID 0x1806252C: 7669 A4CD 759A 6EB7 AF04
                                 C10D B659 2A4B 1806 252C
       RSA    key ID 0x99F7AAE5: D265 DC9C 13FD 6110 
                                 30F5 1874 A206 24B1
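
An added example, not part of the original post: a small Python script that scans `tcpdump -e` ARP lines for the two patterns described in items 1 and 2 above (ARP requests sent to a unicast MAC, and more than one reply to a single request). The one-line layout, the 192.0.2.x addresses, the timestamps after the first, and the 1-second pairing window are assumptions; the two MAC addresses are the ones quoted in the post.

```python
import re

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample in a one-line form of the tcpdump -e output quoted above.
# MACs are the two from the post; the IPs and the last frame are made up.
SAMPLE = """\
13:52:28.835598 0:40:5:50:99:13 0:e0:4f:23:78:0 arp 42: arp who-has 192.0.2.1 tell 192.0.2.10
13:52:28.835700 0:e0:4f:23:78:0 0:40:5:50:99:13 arp 60: arp reply 192.0.2.1 is-at 0:e0:4f:23:78:0
13:52:28.835900 0:e0:4f:23:78:0 0:40:5:50:99:13 arp 60: arp reply 192.0.2.1 is-at 0:e0:4f:23:78:0
13:58:30.100000 0:40:5:50:99:13 ff:ff:ff:ff:ff:ff arp 42: arp who-has 192.0.2.20 tell 192.0.2.10
"""

LINE = re.compile(
    r"^(?P<ts>\d+:\d+:\d+\.\d+) (?P<src>[0-9a-f:]+) (?P<dst>[0-9a-f:]+) arp \d+: "
    r"arp (?:who-has (?P<target>\S+) tell (?P<asker>\S+)"
    r"|reply (?P<ip>\S+) is-at (?P<mac>[0-9a-f:]+))$", re.I)

def norm_mac(mac):
    """Zero-pad each octet so 0:40:5:... compares equal to 00:40:05:..."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def analyze(text, window=1.0):
    """Return (unicast_requests, duplicate_replies) seen in the capture text."""
    unicast, duplicates = [], []
    last_request, reply_count = {}, {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m is None:
            continue  # not an ARP frame in the expected layout
        now = seconds(m["ts"])
        if m["target"]:  # ARP request: remember it, flag a non-broadcast destination
            last_request[m["target"]] = now
            reply_count[m["target"]] = 0
            if norm_mac(m["dst"]) != BROADCAST:
                unicast.append((m["ts"], m["asker"], m["target"]))
        else:  # ARP reply: count replies that follow the latest request for this IP
            ip = m["ip"]
            if ip in last_request and now - last_request[ip] <= window:
                reply_count[ip] += 1
                if reply_count[ip] == 2:  # report once per request
                    duplicates.append((m["ts"], ip, norm_mac(m["mac"])))
    return unicast, duplicates

if __name__ == "__main__":
    print(analyze(SAMPLE))
```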