Arp warnings at console, IP moving from/to same MAC address? - SCO

This is a discussion on Arp warnings at console, IP moving from/to same MAC address? - SCO ; Have a vendor-supported Unixware 7.1.3 server that is being flooded by ARP messages at the console. I understand that when you see an ARP message with the same IP address yet different MAC addresses, it is generally a sign that ...

+ Reply to Thread
Results 1 to 10 of 10

Thread: Arp warnings at console, IP moving from/to same MAC address?

  1. Arp warnings at console, IP moving from/to same MAC address?

    Have a vendor-supported Unixware 7.1.3 server that is being flooded by
    ARP messages at the console.
    I understand that when you see an ARP message with the same IP address
    yet different MAC addresses, it is generally a sign that you have
    duplicate IP's on your network.
    The messages that are displaying on our server have both the same IP
    address and the same MAC address, though. Vendor has no idea what is
    causing the issue and asked us to call them if we fix it so they know.

    I have looked up each of the "offending" IP's, and they are all
    printers. I'm not a Unix guy, so I'm hoping this makes sense to
    someone here.

    Example messages at console:
    WARNING: arp: 10.0.44.155 moved from O:4:O:dd:48:cc to O:4:O:dd:48:cc
    WARNING: arp: 10.0.44.155 moved from O:4:O:dd:48:cc to O:4:O:dd:48:cc

    Appreciate any help.


  2. Re: Arp warnings at console, IP moving from/to same MAC address?

    On 7 Mar, 19:50, corey.robin...@knoxcommhosp.org wrote:
    > Have a vendor-supported Unixware 7.1.3 server that is being flooded by
    > ARP messages at the console.
    > I understand that when you see an ARP message with the same IP address
    > yet different MAC addresses, it is generally a sign that you have
    > duplicate IP's on your network.
    > The messages that are displaying on our server have both the same IP
    > address and the same MAC address, though. Vendor has no idea what is
    > causing the issue and asked us to call them if we fix it so they know.
    >
    > I have looked up each of the "offending" IP's, and they are all
    > printers. I'm not a Unix guy, so I'm hoping this makes sense to
    > someone here.
    >
    > Example messages at console:
    > WARNING: arp: 10.0.44.155 moved from O:4:O:dd:48:cc to O:4:O:dd:48:cc
    > WARNING: arp: 10.0.44.155 moved from O:4:O:dd:48:cc to O:4:O:dd:48:cc
    >
    > Appreciate any help.


    Looks to me like some sort of teaming of NICs. Setting a static arp
    MAC address entry will stop the warnings.

    John


  3. Re: Arp warnings at console, IP moving from/to same MAC address?

    jboland@sco.com wrote (on Fri, Mar 09, 2007 at 06:26:50AM -0800):
    > On 7 Mar, 19:50, corey.robin...@knoxcommhosp.org wrote:
    > > I have looked up each of the "offending" IP's, and they are all
    > > printers. I'm not a Unix guy, so I'm hoping this makes sense to
    > > someone here.
    > >
    > > Example messages at console:
    > > WARNING: arp: 10.0.44.155 moved from O:4:O:dd:48:cc to O:4:O:dd:48:cc
    > > WARNING: arp: 10.0.44.155 moved from O:4:O:dd:48:cc to O:4:O:dd:48:cc
    > >
    > > Appreciate any help.

    >
    > Looks to me like some sort of teaming of NICs. Setting a static arp
    > MAC address entry will stop the warnings.
    >
    > John


    But how are the messages being generated, John? Is something else
    (besides IP & MAC address) being passed which gets checked, found to
    have changed, and causes the message? IOW, how does the kernel 'know'
    that there are two NICs?

    --
    _________________________________________
    Nachman Yaakov Ziskind, FSPA, LLM awacs@ziskind.us
    Attorney and Counselor-at-Law http://ziskind.us
    Economic Group Pension Services http://egps.com
    Actuaries and Employee Benefit Consultants

  4. Re: Arp warnings at console, IP moving from/to same MAC address?

    On Mar 9, 12:27 pm, Bill Campbell wrote:

    > >> Looks to me like some sort of teaming of NICs. Setting a static arp
    > >> MAC address entry will stop the warnings.

    >
    > >> John

    >


    I did an "arp -a" as root on the server to see how the other entries
    entered by the vendor looked,
    and entered new arp messages for these printers copying their format.
    Doesn't appear to have worked,
    so instead of using their generic hostname and then the MAC address, I
    think I might try the IP address
    followed by the MAC address.

    > The ``moved from xxx to yyy'' is saying that the IP address moved from a
    > NIC with MAC address xxx to one with MAC yyy.
    >
    > This may be two machines getting assigned the same IP address by a DHCP
    > server, which is probably legitimate, or possibly somebody a couple of
    > machines assigned the same static IP address, which isn't.
    >
    >
    > Bill

    Not only is the IP address the same, the MAC addresses are the same as
    well. There is no "MAC yyy", just "MAC xxx"
    as the "from" and the "to" for each arp message.

    I'll keep trying these suggestions, the addition to the arp table just
    seems like it should work.

    Thanks,
    FuzzyLogic



  5. Re: Arp warnings at console, IP moving from/to same MAC address?

    On Mar 7, 10:50 am, corey.robin...@knoxcommhosp.org wrote:
    > Have a vendor-supported Unixware 7.1.3 server that is being flooded by
    > ARP messages at the console.
    > I understand that when you see an ARP message with the same IP address
    > yet different MAC addresses, it is generally a sign that you have
    > duplicate IP's on your network.
    > The messages that are displaying on our server have both the same IP
    > address and the same MAC address, though. Vendor has no idea what is
    > causing the issue and asked us to call them if we fix it so they know.
    >
    > I have looked up each of the "offending" IP's, and they are all
    > printers. I'm not a Unix guy, so I'm hoping this makes sense to
    > someone here.
    >
    > Example messages at console:
    > WARNING: arp: 10.0.44.155 moved from O:4:O:dd:48:cc to O:4:O:dd:48:cc
    > WARNING: arp: 10.0.44.155 moved from O:4:O:dd:48:cc to O:4:O:dd:48:cc
    >
    > Appreciate any help.


    I just got one of these today on an OpenServer 6. Turns out there
    were duplicate IP addresses on the network. Not helpful that the
    warning just repeats the MAC address of one of the offenders.

    --Ray Robert
    Three Star Software


  6. Re: Arp warnings at console, IP moving from/to same MAC address?

    ThreeStar wrote:
    > On Mar 7, 10:50 am, corey.robin...@knoxcommhosp.org wrote:
    >> Have a vendor-supported Unixware 7.1.3 server that is being flooded by
    >> ARP messages at the console.
    >> I understand that when you see an ARP message with the same IP address
    >> yet different MAC addresses, it is generally a sign that you have
    >> duplicate IP's on your network.
    >> The messages that are displaying on our server have both the same IP
    >> address and the same MAC address, though. Vendor has no idea what is
    >> causing the issue and asked us to call them if we fix it so they know.
    >>
    >> I have looked up each of the "offending" IP's, and they are all
    >> printers. I'm not a Unix guy, so I'm hoping this makes sense to
    >> someone here.
    >>
    >> Example messages at console:
    >> WARNING: arp: 10.0.44.155 moved from O:4:O:dd:48:cc to O:4:O:dd:48:cc
    >> WARNING: arp: 10.0.44.155 moved from O:4:O:dd:48:cc to O:4:O:dd:48:cc
    >>
    >> Appreciate any help.

    >
    > I just got one of these today on an OpenServer 6. Turns out there
    > were duplicate IP addresses on the network. Not helpful that the
    > warning just repeats the MAC address of one of the offenders.


    Amen to that. But if DNS is working properly, pinging the offending
    IP address should display the host name of at least one of the machines
    with the duplicate IP address. Visit that machine and change its
    IP address to a known available address and the problem should be solved.


    >
    > --Ray Robert
    > Three Star Software
    >


  7. Re: Arp warnings at console, IP moving from/to same MAC address?

    On Sat, Mar 10, 2007, Steve M. Fabac, Jr. wrote:
    >ThreeStar wrote:
    >> On Mar 7, 10:50 am, corey.robin...@knoxcommhosp.org wrote:
    >>> Have a vendor-supported Unixware 7.1.3 server that is being flooded by
    >>> ARP messages at the console.
    >>> I understand that when you see an ARP message with the same IP address
    >>> yet different MAC addresses, it is generally a sign that you have
    >>> duplicate IP's on your network.
    >>> The messages that are displaying on our server have both the same IP
    >>> address and the same MAC address, though. Vendor has no idea what is
    >>> causing the issue and asked us to call them if we fix it so they know.
    >>>
    >>> I have looked up each of the "offending" IP's, and they are all
    >>> printers. I'm not a Unix guy, so I'm hoping this makes sense to
    >>> someone here.
    >>>
    >>> Example messages at console:
    >>> WARNING: arp: 10.0.44.155 moved from O:4:O:dd:48:cc to O:4:O:dd:48:cc
    >>> WARNING: arp: 10.0.44.155 moved from O:4:O:dd:48:cc to O:4:O:dd:48:cc
    >>>
    >>> Appreciate any help.

    >>
    >> I just got one of these today on an OpenServer 6. Turns out there
    >> were duplicate IP addresses on the network. Not helpful that the
    >> warning just repeats the MAC address of one of the offenders.

    >
    >Amen to that. But if DNS is working properly, pinging the offending
    >IP address should display the host name of at least one of the machines
    >with the duplicate IP address. Visit that machine and change its
    >IP address to a known available address and the problem should be solved.


    No. That's only going to give the hostname of the IP address,
    which you already know.

    This should return the name the machine know -- assuming it's not
    running the Microsoft virus, Windows:

    ssh 10.0.44.155 hostname

    Bill
    --
    INTERNET: bill@Celestial.COM Bill Campbell; Celestial Software LLC
    URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way
    FAX: (206) 232-9186 Mercer Island, WA 98040-0820; (206) 236-1676

    ``Our Foreign dealings are an Open Book, generally a Check Book.''
    Will Rogers

  8. Re: Arp warnings at console, IP moving from/to same MAC address?

    Bill Campbell wrote:

    > On Sat, Mar 10, 2007, Steve M. Fabac, Jr. wrote:
    > >ThreeStar wrote:
    > >> On Mar 7, 10:50 am, corey.robin...@knoxcommhosp.org wrote:
    > >>> Have a vendor-supported Unixware 7.1.3 server that is being flooded by
    > >>> ARP messages at the console.
    > >>> I understand that when you see an ARP message with the same IP address
    > >>> yet different MAC addresses, it is generally a sign that you have
    > >>> duplicate IP's on your network.
    > >>> The messages that are displaying on our server have both the same IP
    > >>> address and the same MAC address, though. Vendor has no idea what is
    > >>> causing the issue and asked us to call them if we fix it so they know.
    > >>>
    > >>> I have looked up each of the "offending" IP's, and they are all
    > >>> printers. I'm not a Unix guy, so I'm hoping this makes sense to
    > >>> someone here.
    > >>>
    > >>> Example messages at console:
    > >>> WARNING: arp: 10.0.44.155 moved from O:4:O:dd:48:cc to O:4:O:dd:48:cc
    > >>> WARNING: arp: 10.0.44.155 moved from O:4:O:dd:48:cc to O:4:O:dd:48:cc
    > >>>
    > >>> Appreciate any help.
    > >>
    > >> I just got one of these today on an OpenServer 6. Turns out there
    > >> were duplicate IP addresses on the network. Not helpful that the
    > >> warning just repeats the MAC address of one of the offenders.

    > >
    > >Amen to that. But if DNS is working properly, pinging the offending
    > >IP address should display the host name of at least one of the machines
    > >with the duplicate IP address. Visit that machine and change its
    > >IP address to a known available address and the problem should be solved.

    >
    > No. That's only going to give the hostname of the IP address,
    > which you already know.
    >
    > This should return the name the machine know -- assuming it's not
    > running the Microsoft virus, Windows:
    >
    > ssh 10.0.44.155 hostname


    That's assuming you have some sort of key infrastructure to the machine,
    or know an account & password.

    But even more troublesome, if you have two machines responding to that
    IP address, your connect attempt is going to get messed up.

    It looks like an OSR6 kernel bug causing it to report identical ARP
    addresses. A mistake in the parameters of the warning printf.

    Assuming those messages aren't coming too closely together, you (Corey)
    should be able to periodically run `arp 10.0.44.155` and eventually see
    reports of both ARP addresses. You'll already know the host name of
    10.0.44.155 and can check its ARP address by logging in on its console
    (I'm assuming its network is flaky at best, with another machine trying
    to claim its IP address). By eliminating the proper ARP for that IP,
    you'll get the ARP of the culprit. Then "all" you have to do is track
    down the owner of that ARP address.

    Tools exist to translate an ARP into a vendor & model, but that will
    just tell you a brand/model of card (Zytel 83659...) -- it won't tell
    you what the outside of the box looks like (IBQ PowerBlade t9700). Good
    luck...

    >Bela<


  9. Re: Arp warnings at console, IP moving from/to same MAC address?

    Bela Lubkin wrote:
    > Bill Campbell wrote:
    >
    >> On Sat, Mar 10, 2007, Steve M. Fabac, Jr. wrote:
    >>> ThreeStar wrote:
    >>>> On Mar 7, 10:50 am, corey.robin...@knoxcommhosp.org wrote:
    >>>>> Have a vendor-supported Unixware 7.1.3 server that is being flooded by
    >>>>> ARP messages at the console.
    >>>>> I understand that when you see an ARP message with the same IP address
    >>>>> yet different MAC addresses, it is generally a sign that you have
    >>>>> duplicate IP's on your network.
    >>>>> The messages that are displaying on our server have both the same IP
    >>>>> address and the same MAC address, though. Vendor has no idea what is
    >>>>> causing the issue and asked us to call them if we fix it so they know.
    >>>>>
    >>>>> I have looked up each of the "offending" IP's, and they are all
    >>>>> printers. I'm not a Unix guy, so I'm hoping this makes sense to
    >>>>> someone here.
    >>>>>
    >>>>> Example messages at console:
    >>>>> WARNING: arp: 10.0.44.155 moved from O:4:O:dd:48:cc to O:4:O:dd:48:cc
    >>>>> WARNING: arp: 10.0.44.155 moved from O:4:O:dd:48:cc to O:4:O:dd:48:cc
    >>>>>
    >>>>> Appreciate any help.
    >>>> I just got one of these today on an OpenServer 6. Turns out there
    >>>> were duplicate IP addresses on the network. Not helpful that the
    >>>> warning just repeats the MAC address of one of the offenders.
    >>> Amen to that. But if DNS is working properly, pinging the offending
    >>> IP address should display the host name of at least one of the machines
    >>> with the duplicate IP address. Visit that machine and change its
    >>> IP address to a known available address and the problem should be solved.

    >> No. That's only going to give the hostname of the IP address,
    >> which you already know.
    >>
    >> This should return the name the machine know -- assuming it's not
    >> running the Microsoft virus, Windows:
    >>
    >> ssh 10.0.44.155 hostname

    >
    > That's assuming you have some sort of key infrastructure to the machine,
    > or know an account & password.
    >
    > But even more troublesome, if you have two machines responding to that
    > IP address, your connect attempt is going to get messed up.
    >
    > It looks like an OSR6 kernel bug causing it to report identical ARP
    > addresses. A mistake in the parameters of the warning printf.
    >
    > Assuming those messages aren't coming too closely together, you (Corey)
    > should be able to periodically run `arp 10.0.44.155` and eventually see
    > reports of both ARP addresses. You'll already know the host name of
    > 10.0.44.155 and can check its ARP address by logging in on its console
    > (I'm assuming its network is flaky at best, with another machine trying
    > to claim its IP address). By eliminating the proper ARP for that IP,
    > you'll get the ARP of the culprit. Then "all" you have to do is track
    > down the owner of that ARP address.
    >


    Running arpwatch on a nearby Linux PC (e.g. boot a laptop using a live
    Linux CD) might provide better identification of the two MAC* addresses
    involved.

    I'm not sure if arpwatch is available for OSR6. I imagine some of the
    problems with libpcap based apps may have gone away.

    * Terminology: by "MAC address" I mean the same as I think Bela means by
    "ARP address" and others by "Ethernet address".

  10. Re: Arp warnings at console, IP moving from/to same MAC address?

    > >It looks like an OSR6 kernel bug causing it to report identical ARP
    > >addresses. A mistake in the parameters of the warning printf.
    > >

    > Running arpwatch on a nearby Linux PC (e.g. boot a laptop using a live
    > Linux CD) might provide better identification of the two MAC* addresses
    > involved.


    Easy enough to check.

    Can someone with a OSR6 (i.e., not me) how it up to two devices with the
    same IP to check?

    --
    _________________________________________
    Nachman Yaakov Ziskind, FSPA, LLM awacs@ziskind.us
    Attorney and Counselor-at-Law http://ziskind.us
    Economic Group Pension Services http://egps.com
    Actuaries and Employee Benefit Consultants

+ Reply to Thread