[Gllug] Weird networking problem with 2.6 kernel

Bruce Richardson itsbruce at uklinux.net
Sun Jun 20 15:00:56 UTC 2004


On Sun, Jun 20, 2004 at 12:57:37PM +0100, John wrote:
> I initially thought that it was just a case of another machine with the
> same IP address, but I had the IP address for my box changed at the DHCP
> server and I get the same result.  As soon as my box sends its ARP
> request, something else on the network seems to pick it up and
> re-broadcast it at 1 second intervals, faking my box's MAC address in it
> as well.  I just can't imagine what kind of piece of kit would do that.
> 
> Actually - perhaps you've hit on something there.  If some sort of
> router or bridge is configured wrongly (so that it thinks these two
> boxes *are* on separate subnets) then it might be trying to do proxy ARP
> requests.

That was my thought.  There are some stupid systems that cannot cope
with the idea that you might apply anything other than a /24 mask to 
a 192.168.x subnet.  Worse, there are some systems where some of the
logic can cope but other parts cannot.  

IIRC when a Linux box does proxy arp it puts its own MAC address into
the response to an arp who-has, so it either isn't a Linux box or it
isn't a proxy arp issue.  It is possible to have a proxy arp mechanism
that gives the MAC address of the real destination box in the who-has
response but there are several good reasons for not doing this (I think
VMWare on Linux does this if you use the bridged-network mode but those
good reasons don't apply to that special case).

Another possibility would be that some malign but not-so-clueful person
is attempting arp poisoning on your network (with seringe, for example).

> I'm not sure I can explain all the symptoms though.

If another box is responding to arp queries for your new box (whether
innocently or with malign intent), it will then be accepting packets for
the new box and forwarding them on.

A few things you can try:
	Bring the box up with the 2.2 kernel and run tcpdump for a
	while.  Check the output for otherwise duplicate packets with
	different ttl values (most proxy arp implementations decrement
	the ttl value).

	Check /etc/systune.conf and /etc/sysctl.ctf to see what has been
	set.  Anything that differs between 2.2 and 2.4 is worth
	checking out.

	Check for processes that are present when you boot to 2.2 but
	not to 2.4

	Search the network for hosts with their NICs in promiscuous
	mode.

-- 
Bruce

What would Edward Woodward do?
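
The first check suggested in the message above (otherwise duplicate packets with different ttl values), as an added example that is not part of the original post. It assumes the two-line IPv4 output of a current `tcpdump -n -v`; the function name and the sample capture are constructed for illustration.

```python
import re
from collections import defaultdict

# Header line of `tcpdump -n -v` IPv4 output: carries the TTL and IP id.
HDR = re.compile(r"^\S+ IP \(tos \S+, ttl (\d+), id (\d+), .*proto (\w+)")
# Continuation line: "    src > dst: summary"
ADDR = re.compile(r"^\s+(\S+) > (\S+?): ")

def find_forwarded_duplicates(lines):
    """Return {(src, dst, ip_id, proto): sorted TTLs} for packets that were
    captured more than once with differing TTL values."""
    seen = defaultdict(set)
    pending = None  # (ttl, ip_id, proto) from the last header line
    for line in lines:
        m = HDR.match(line)
        if m:
            pending = (int(m.group(1)), int(m.group(2)), m.group(3))
            continue
        a = ADDR.match(line)
        if a and pending:
            ttl, ip_id, proto = pending
            seen[(a.group(1), a.group(2), ip_id, proto)].add(ttl)
        pending = None
    # Same endpoints and IP id but more than one TTL: a copy was re-sent
    # by something that decremented the TTL on the way.
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

# Constructed sample capture (not from the original thread).
SAMPLE = """\
15:00:01.000100 IP (tos 0x0, ttl 64, id 4242, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.2.5 > 192.168.1.7: ICMP echo request, id 77, seq 1, length 64
15:00:01.000900 IP (tos 0x0, ttl 63, id 4242, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.2.5 > 192.168.1.7: ICMP echo request, id 77, seq 1, length 64
15:00:02.000100 IP (tos 0x0, ttl 64, id 4243, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.2.5 > 192.168.1.7: ICMP echo request, id 77, seq 2, length 64
""".splitlines()

if __name__ == "__main__":
    hits = find_forwarded_duplicates(SAMPLE)
    for (src, dst, ip_id, proto), ttls in hits.items():
        print(f"{proto} {src} -> {dst} id={ip_id} seen with TTLs {ttls}")
```

Adding `-e` to the tcpdump command line also prints the link-level header, which shows which MAC address sent each copy.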