Re: Strange arpwatch message



> > On Mon, 21 Feb 2005 23:32:24 +0100, Omar Al-Siaghi <alsiaghi@mac.com>
> > wrote:
> >> Hello all,
> >>    We are running arpwatch on our server to monitor IPs and MAC
> >> addresses.  For the past day I have been having a strange problem.  I
> >> get the following message from syslog and daemon.log:
> >> arpwatch: ethernet mismatch 82.150.37.41 0:3:93:d3:c5:6a
> >> (0:a:cd:9:73:c) eth2
> >>
> >> While the first MAC address is my PBook's MAC address that I never
> >> connected with this IP address, the second MAC address is a router's
> >> MAC address.  And the problem is that the internet is not working through
> >> the router.  Could arpwatch be causing this?  While I don't see why, I
> >> just can't figure out how arpwatch got my laptop's MAC address and
> >> associated it with this IP if I never connected with it?
> >>
> >> On the same problem, what could cause that I can't connect to the net
> >> through the router?   Everything was working fine, one day it decided
> >> not to work?
> >>
> >> Thanks for the help in advance...

> On Feb 22, 2005, at 1:20 PM, Scott Edwards wrote:
> 
> > I've only seen this message when more than one NIC is attempting to
> > use the same IP address.  This can also happen when one machine is
> > using an ARP takeover tool.  The most common need for this is for
> > sniffing (e.g., dsniff).  One last thing, is that IP the gateway?
> >
> > Thanks,
> >
> >
> > Scott Edwards
> > Daxal Communications - http://www.daxal.com
> > Surf the USA - http://www.surfthe.us

On Tue, 22 Feb 2005 02:22:35 +0100, Omar Al-Siaghi <alsiaghi@mac.com> wrote:
> Hi,
>    The laptop is not on the same network, so it is not using the same IP.
> I am watching the syslog from a different network, and it's not the
> gateway?  Did that help?
> 
> Thanks,

OK, so there are two problems.

1. arpwatch is generating strange syslog messages.
2. You're unable to route outside your network.

On issue #1:
arpwatch: ethernet mismatch 82.150.37.41 0:3:93:d3:c5:6a (0:a:cd:9:73:c) eth2

AFAIK, that only happens when a machine claims or uses an IP that was
in use before.  Did the NIC change?  Is it DHCP?  Does this occur
frequently?

00:03:93:d3:c5:6a is the NIC's MAC address for your PowerBook.
00:0a:cd:09:73:0c is the MAC address of the router.

As for the "I've never used my PowerBook on that network" - I can't answer that.

#2
I'm lost, you'll have to elaborate on the network topology.  What's
the router IP supposed to be? Is the config sane?  Did you lose power
since it was working?  What's changed?  Can you ping the router IP
(inside+outside)?  Can you ping from the router (inside+outside)?

How are you getting the syslog messages?  I assume arpwatch is running
on some machine on that other network (not local to you, or just not
local to your segment? clearly not the same subnet!)

Now look at us, we both assumed too much.  I guess you know what that
makes us. ;)

Thanks,



Scott Edwards
Daxal Communications - http://www.daxal.com
Surf the USA - http://www.surfthe.us
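
Added example, not part of the original message and not arpwatch's own code: a Python script that pulls "ethernet mismatch" reports out of syslog, pads the MAC addresses the way the reply above does (0:a:cd:9:73:c becomes 00:0a:cd:09:73:0c) and counts reports per IP, which is one way to answer "Does this occur frequently?". Apart from the report quoted in the thread, the log lines, hostname and timestamps are constructed, and treating the trailing interface name as optional is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: the mismatch report is the one quoted in the thread;
# timestamps, hostname "gw" and the other lines are made up for the example.
SAMPLE_LOG = """\
Feb 21 22:10:01 gw arpwatch: ethernet mismatch 82.150.37.41 0:3:93:d3:c5:6a (0:a:cd:9:73:c) eth2
Feb 21 22:10:07 gw arpwatch: ethernet mismatch 82.150.37.41 0:3:93:d3:c5:6a (0:a:cd:9:73:c) eth2
Feb 21 22:11:30 gw arpwatch: new station 192.0.2.10 0:11:22:33:44:55 eth2
Feb 21 22:12:00 gw sshd[411]: Accepted publickey for admin
"""

# arpwatch(8): "ethernet mismatch" = the frame's source MAC did not match
# the address inside the ARP packet. Interface field assumed optional.
MISMATCH_RE = re.compile(
    r"arpwatch(?:\[\d+\])?: ethernet mismatch "
    r"(?P<ip>\d+(?:\.\d+){3}) (?P<first>[0-9A-Fa-f:]+) "
    r"\((?P<second>[0-9A-Fa-f:]+)\)(?: (?P<iface>\S+))?"
)

def normalize_mac(mac):
    """arpwatch drops leading zeros (0:a:cd:9:73:c); pad to 00:0a:cd:09:73:0c."""
    octets = mac.split(":")
    if len(octets) != 6 or not all(1 <= len(o) <= 2 for o in octets):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(f"{int(o, 16):02x}" for o in octets)

def parse_mismatch(line):
    """Return the fields of one 'ethernet mismatch' report, or None."""
    m = MISMATCH_RE.search(line)
    if m is None:
        return None
    return {"ip": m["ip"], "iface": m["iface"],
            "first_mac": normalize_mac(m["first"]),
            "second_mac": normalize_mac(m["second"])}

def summarize(log_text):
    """Per IP: how often the mismatch was reported and which MACs were involved."""
    summary = defaultdict(lambda: {"count": 0, "macs": set()})
    for line in log_text.splitlines():
        rec = parse_mismatch(line)
        if rec:
            entry = summary[rec["ip"]]
            entry["count"] += 1
            entry["macs"].update((rec["first_mac"], rec["second_mac"]))
    return dict(summary)

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info["count"], sorted(info["macs"]))
```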


