
Re: Strange arpwatch message



I suspect you have an IP address conflict, not a MAC conflict.

One ipaddr, two macs.

Why people think using the ISP list is appropriate for all networking
issues... that's another problem.



On Tue, Feb 22, 2005 at 06:46:02AM -0700, Scott Edwards wrote:
> > > On Mon, 21 Feb 2005 23:32:24 +0100, Omar Al-Siaghi <alsiaghi@mac.com>
> > > wrote:
> > >> Hello all,
> > >>    We are running arpwatch on our server to monitor IP's and MAC
> > >> addresses.  For the past day I have been having a strange problem.  I
> > >> get this following message from syslog and daemon.log :
> > >> arpwatch: ethernet mismatch 82.150.37.41 0:3:93:d3:c5:6a
> > >> (0:a:cd:9:73:c) eth2
> > >>
> > >> While the first MAC address is my PBook's MAC address that I never
> > >> connected with this IP address, the second MAC address is a router's
> > >> MAC
> > >> address.  And the problem is that the internet is not working through
> > >> the router.  Could arpwatch be causing this?  While I don't see why, I
> > >> just can't figure out how did arpwatch get my laptop's MAC address and
> > >> associate it with this IP if I never connected with it?
> > >>
> > >> On the same problem, what could cause that I can't connect to the net
> > >> through the router?   Everything was working fine, one day it decided
> > >> not to work?
> > >>
> > >> Thanks for the help in advance...
> 
> > On Feb 22, 2005, at 1:20 PM, Scott Edwards wrote:
> > 
> > > I've only seen this message when more than one nic is attempting to
> > > use the same ip address.  This can also happen when one machine is
> > > using an arp takeover tool.  The most common need for this is for
> > > sniffing (eg, dsniff).  One last thing, is that ip the gateway?
> > >
> > > Thanks,
> > >
> > >
> > > Scott Edwards
> > > Daxal Communications - http://www.daxal.com
> > > Surf the USA - http://www.surfthe.us
> 
> On Tue, 22 Feb 2005 02:22:35 +0100, Omar Al-Siaghi <alsiaghi@mac.com> wrote:
> > Hi,
> >    The laptop is not on the same network, so it is not using the same IP.
> > I am watching the syslog from a different network, and it's not the
> > gateway?  did that help?
> > 
> > Thanks,
> 
> ok, so there are two problems.
> 
> 1. arpwatch is generating strange syslog messages.
> 2. You're unable to route outside your network.
> 
> On issue #1:
> arpwatch: ethernet mismatch 82.150.37.41 0:3:93:d3:c5:6a (0:a:cd:9:73:c) eth2
> 
> AFAIK, that only happens when a machine claims or uses an IP that was
> in use before.  Did the NIC change?  Is it DHCP?  Does this occur
> frequently?
> 
> 00:03:93:d3:c5:6a is the NIC's MAC address for your Powerbook.
> 00:0a:cd:09:73:0c is the MAC address of the router.
> 
> As for the "I've never used my powerbook on that network" - I can't answer that.
> 
> #2
> I'm lost, you'll have to elaborate on the network topology.  What's
> the router IP supposed to be? Is the config sane?  Did you lose power
> since it was working?  What's changed?  Can you ping the router IP
> (inside+outside)?  Can you ping from the router (inside+outside)?
> 
> How are you getting the syslog messages?  I assume arpwatch is running
> on some machine on that other network (not local to you, or just not
> local to your segment? clearly not the same subnet!)
> 
> Now look at us, we both assumed too much.  I guess you know what that
> makes us. ;)
> 
> Thanks,
> 
> 
> 
> Scott Edwards
> Daxal Communications - http://www.daxal.com
> Surf the USA - http://www.surfthe.us

-- 
# Jesse Molina
# Mail = jesse@opendreams.net
# Page = page-jesse@opendreams.net
# Cell = 1.407.970.0280
# Web  = http://www.opendreams.net/jesse/
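
An added example, not part of any message in this thread: a small Python parser for the `ethernet mismatch` line quoted above that zero-pads the MAC octets the way Scott does by hand and lists every IP reported with more than one MAC. The syslog prefixes, the `192.0.2.x` lines and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Line shape copied from the message quoted in this thread:
#   arpwatch: ethernet mismatch <ip> <mac> (<mac>) <iface>
MISMATCH_RE = re.compile(
    r"arpwatch: ethernet mismatch (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<mac1>[0-9A-Fa-f:]+) \((?P<mac2>[0-9A-Fa-f:]+)\)(?: (?P<iface>\S+))?"
)

def normalize_mac(mac):
    """Zero-pad each octet: '0:a:cd:9:73:c' -> '00:0a:cd:09:73:0c'."""
    octets = mac.split(":")
    if len(octets) != 6 or not all(1 <= len(o) <= 2 for o in octets):
        raise ValueError(f"not a 6-octet MAC: {mac!r}")
    return ":".join(f"{int(o, 16):02x}" for o in octets)

def parse_mismatch(line):
    """Return (ip, mac1, mac2, iface), or None if the line does not parse."""
    m = MISMATCH_RE.search(line)
    if not m:
        return None
    try:
        return (m["ip"], normalize_mac(m["mac1"]),
                normalize_mac(m["mac2"]), m["iface"])
    except ValueError:
        return None  # truncated or corrupted MAC field

def macs_per_ip(lines):
    """Map each IP seen in mismatch lines to the sorted MACs reported with it."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_mismatch(line)
        if rec:
            seen[rec[0]].update(rec[1:3])
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}

# Constructed sample: timestamps and hostname are invented; the first
# arpwatch message is the one quoted in the thread.
SAMPLE = [
    "Feb 21 23:10:01 gw arpwatch: ethernet mismatch 82.150.37.41 "
    "0:3:93:d3:c5:6a (0:a:cd:9:73:c) eth2",
    "Feb 21 23:10:05 gw arpwatch: new station 192.0.2.10 0:0:5e:0:53:1 eth0",
    "Feb 21 23:10:09 gw arpwatch: ethernet mismatch 192.0.2.20 "
    "0:0:5e:0:53 (0:0:5e:0:53:2) eth0",  # truncated MAC, skipped
]

if __name__ == "__main__":
    for ip, macs in macs_per_ip(SAMPLE).items():
        print(ip, "reported with", ", ".join(macs))
```
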
 
 


