 |
Home
| Calendar
| Mail Lists
| List Archives
| Desktop SIG
| Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings Linux Cafe | Meeting Notes | Linux Links | Bling | About BLU |
|
Home
| Calendar
| Mail Lists
| List Archives
| Desktop SIG
| Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings Linux Cafe | Meeting Notes | Linux Links | Bling | About BLU |
Does anyone know where I can find a good description of the configuration
parameters for ARP? I'll explain why in a moment, but the parameters I'm
talking about are those described in /proc/sys/net/ipv4:
$ head /proc/sys/net/ipv4/*
==> /proc/sys/net/ipv4/arp_check_interval <==
6000
==> /proc/sys/net/ipv4/arp_confirm_interval <==
30000
==> /proc/sys/net/ipv4/arp_confirm_timeout <==
500
==> /proc/sys/net/ipv4/arp_dead_res_time <==
6000
==> /proc/sys/net/ipv4/arp_max_tries <==
3
==> /proc/sys/net/ipv4/arp_res_time <==
500
==> /proc/sys/net/ipv4/arp_timeout <==
6000
==> /proc/sys/net/ipv4/ip_dynaddr <==
0
==> /proc/sys/net/ipv4/ip_forward <==
0
The reason I'm wondering about these is that there seems to be an
awful lot of ARP traffic on my network. The network looks, at the
moment, like this:
MediaOne <---> SonicWall <----> cheap <---> Linux box A
Cable modem (firewall) hub ("salt")
("sonic") ^
|
|
v
NetGear FS508 10/100
enet switch
^ ^ ^
| | |
Linux box B <--+ | +--> W98 (ugh) laptop
("ginger") v ("cayenne")
Macintosh
("cinnamon")
I'm running tcpdump on "salt" (which is on the hub with the firewall
machine "sonic"). I see several bits of odd behavior:
1) Some machines appear to be sending non-broadcast ARP requests. For
instance, Here's a case where "salt" sent an ARP request specifically to
"sonic" TO GET SONIC's ADDRESS!
13:52:28.835598 0:40:5:50:99:13 0:e0:4f:23:78:0 arp 42:
arp who-has sonic.narsil.com tell salt.narsil.com
13:52:28.835598 0:e0:4f:23:78:0 0:40:5:50:99:13 arp 60:
arp reply sonic.narsil.com is-at 0:e0:4f:23:78:0
2) Generally the SonicWall replied twice to each ARP request. I will
send mail to Sonic to ask them about this; RFC826 (which describes
ARP) doesn't seem to suggest this behavior. Has anyone seen other
systems do this?
3) I see a lot of ARP traffic (in particular these non-broadcast ARPs)
about every 6 minutes. Unless the units are very strange (hundreths
of a minute?) this doesn't seem to correspond to any of the tunable
parameters in /proc.
Anyway, before I start grovelling source code, I figured I'd ask around
to see if there's a write-up on this stuff somewhere.
[I'm also curious as to whether any of this traffic might be generated
by the ethernet switch, which must maintain its own cache of which
MAC addresses are on which ports. But this is a pretty low-end switch,
so I doubt it's got much in the way of brains...]
-- Jerry Callen Mobile: 617-388-3990
Narsil FAX: 617-876-5331
63 Orchard Street email: jcallen at narsil.com
Cambridge, MA 02140-1328
PGP public keys available from http://pgp.ai.mit.edu
fingerprints:
DH/DSS key ID 0x1806252C: 7669 A4CD 759A 6EB7 AF04
C10D B659 2A4B 1806 252C
RSA key ID 0x99F7AAE5: D265 DC9C 13FD 6110
30F5 1874 A206 24B1
-
Subcription/unsubscription/info requests: send e-mail with
"subscribe", "unsubscribe", or "info" on the first line of the
message body to discuss-request at blu.org (Subject line is ignored).
 |
|
| BLU is a member of BostonUserGroups | |
| We also thank MIT for the use of their facilities. | |
