help! arpwatch flip flop

help! arpwatch flip flop

Post by nsi.. » Thu, 28 Oct 1999 04:00:00



i'm trying to set up a linux box on a primarily winnt network.
everything was running fine but then i suddenly lost my network
connectivity. i could ping every machine on our internal network except
for our internet gateway (which happens to be running rh-6.0) and,
obviously, any machine on the other side of the gateway.

so i turned on arpwatch on my machine and observed the following
curious spew (let me prefix the spew - the gateway has exactly two 3Com
cards in it - I don't know the details because I don't have access):



Subject: flip flop
Status: RO

            hostname: <unknown>
          ip address: 10.0.0.1
    ethernet address: 0:60:8c:c9:c:73
     ethernet vendor: 3Com (1990 onwards)
old ethernet address: 0:40:c7:29:ee:d2
 old ethernet vendor: Danpex Corporation
...
               delta: 52 seconds

...


Subject: flip flop
Status: RO

            hostname: <unknown>
          ip address: 10.0.0.1
    ethernet address: 0:40:c7:29:ee:d2
     ethernet vendor: Danpex Corporation
old ethernet address: 0:60:8c:c9:c:73
 old ethernet vendor: 3Com (1990 onwards)
...
               delta: 0 seconds

this flip flop has filled my mbox with 100's of messages just like the
above (the only thing that changes is the delta which seems to be
fairly random). the most curious bit about the above messages is that
there is no Danpex Corporation nic card in the box, afaik.

someone please help. thanks in advance.

Sent via Deja.com http://www.deja.com/
Before you buy.

 
 
 

1. is promuscuous mode a sort of flip-flop?

I have a linux box running snort, and yesterday I run tcpdump (on the
same machine) for tracking some connections in my network.
But there were no output for the tcpdump. Then I stopped it, but this
make the eth0 left the promiscuous mode, and then the snort did not
worked anymore.
After looking at the syslog I founded that the tcpdump make the eth0
left the promiscuous mode.
I restarted the snort, but when the snort stopped instead of making
the eth0 left the promiscuous mode, it made the device enter into it
when stopping, and left it ath the start!
(since my english is very monkey like, I'll try to draw the picture :)

# ./snort.sh start
syslog: kernel: device eth0 entered promiscuous mode# tcpdump <....>
^C
syslog: kernel: device eth0 left promiscuous mode
<snort captures nothing>
# ./snort.sh stop
syslog: kernel: device eth0 entered promiscuous mode
# ./snort.sh start
syslog: kernel: device eth0 left promiscuous mode

(snort.sh is a little bash script I made for stopping and starting
snort)
an so on, everytime I stopped or started the program
What is going on here?
Is this a flip-flop behaviour or what?

I use:

snort-1.8.1p
tcpdump version 3.4
libpcap version 0.4kernel 2.4.3
glibc-2.2.2-10

2. Test Message please ignore..

3. Character Set flip-flop woes

4. mounting partition

5. arpwatch help needed

6. v1.4.5 of the slang programmer's library released

7. help with arpwatch

8. Strange Name-Based Virtual Host problem with Apache 1.3.23 on Linux

9. sawfish dead but gnome keeps flopping around - need help!

10. Help Lilo -flop

11. temporarily blocking an IP: dhcp users & arpwatch

12. Arpwatch: how to interpret data?

13. arpwatch -> reboot