Re: ARP Scans

From: Neil Horman (nhorman_at_rNeOdShPaMt.com)
Date: 12/24/03

• Next message: Eric: "Wireless Througput"
• Previous message: Neil Horman: "Re: can only ping ppp peer"
• In reply to: ch ganser: "ARP Scans"
• Next in thread: Chris Richmond - MD6-FDC ~: "Re: ARP Scans"
• Reply: Chris Richmond - MD6-FDC ~: "Re: ARP Scans"
• Reply: ch ganser: "Re: ARP Scans"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

---

Date: Wed, 24 Dec 2003 08:12:17 -0500

ch ganser wrote:
> Hi
>
> In our network, some hosts behave quite strange:
> They produce between 1000-30000 arp "who-has" packages per day. our
> gateway and dns-server have only around 500.
>
> is there an other explaination than an arp scan (any normal application)?
>
> thanks
>
> chganser
>
Sure, linux by default makes sure that entries in the arp cache are
good. If you have a large network, with lots of machines on a
particular network segment (read: reachable via arp), then you will tend
to have a large arp cache on each linux box. If those machines don't
produce alot of traffic, or if your network is segmented with switch in
such a way that the linux boxes don't see that traffic, then they will
periodically send out arp requests to veryify the entires are still
good. Its quite easy on a network with a high degree of segmentation
(via switches) to have a linux box produce the number of arps you
mention. Theres nothing wrong it. If you feel that its unneeded
traffic on your network however, its also fairly easy to tune down. In
/proc/sys/net/ipv4/neigh you will find several directories, 1 for each
network interface on a system, plus a default (aka "all interfaces")
directory. In these directories are several files allowing for the
tuning of arp behavior (if you are unfamiliar with the proc filesystem,
these are also settable via the sysctl interface). The values in these
files are documented in section 7 of the arp man page (man 7 arp). Here
  you can do all sorts of things like changing the number of entries
allowed in the arp table, thresholds before the garbage collector runs,
   times to wait before verifying addresses, etc.

HTH
Neil

-- 
  Neil Horman
  Red Hat, Inc., http://people.redhat.com/nhorman
  gpg keyid: 1024D / 0x92A74FA1, http://www.keyserver.net

---

• Next message: Eric: "Wireless Througput"
• Previous message: Neil Horman: "Re: can only ping ppp peer"
• In reply to: ch ganser: "ARP Scans"
• Next in thread: Chris Richmond - MD6-FDC ~: "Re: ARP Scans"
• Reply: Chris Richmond - MD6-FDC ~: "Re: ARP Scans"
• Reply: ch ganser: "Re: ARP Scans"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

---

Relevant Pages Network interrupts ... I am a newbie trying to bring up a board on MontaVista Linux. ... board has an Intel IOP321 processor with an ARM core. ... the interface was configured correctly. ... IntelPRO/1000 Network Driver - version 5.0.43 ... (comp.os.linux.embedded) Re: Ethernet cable check ... >>nonfunctional network. ... >>the way if I later fire up the wireless interface. ... with linux around the same time i started opening PCs up and looking ... cards and not have ifconfig tell me which one had a "good physical link" ... (Fedora) Re: Questions about 192.168 ... any need for ARP. ... In order for your computer to talk to another computer on the LAN, ... internet, your computer sees that the requested address is not on your ... Folks on your network could be proxying ARP, ... (Security-Basics) Re: [2.4 PATCH] bugfix: ARP respond on all devices ... >ARP is designed to find the next hop on a LAN. ... If the host has an IP ... >to have a default gateway configured. ... >would anyone know where the packet came from since the network is not ... (Linux-Kernel) Re: Still no network... ... Linux box to see the network (2 Windows boxes ... Do NOT mix a local network with the ISP connection. ... need a 2nd interface for the LAN. ... (alt.os.linux)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(16)