[lug] Linux boxes drop off the net? Router problem?

D. Stimits stimits at idcomm.com
Tue Feb 6 14:12:18 MST 2001


Sebastian Sobolewski wrote:
> 
> An Explanation of ARP:
> 
> When a host needs to send a datagram to another host on the same network,
> the sending application must know both the IP and MAC addresses of the
> intended receiver; this is because the destination IP address is placed in
> the IP packet and the destination MAC address is placed in the LAN MAC
> protocol frame. (If the destination host is on another network, the sender
> will look instead for the MAC address of the default gateway, or router.)
> Unfortunately, the sender's IP process may not know the MAC address of the
> intended receiver on the same network. The Address Resolution Protocol
> (ARP), described in RFC 826, provides a mechanism so that a host can learn
> a receiver's MAC address when knowing only the IP address. The process is
> actually relatively simple: the host sends an ARP Request packet in a frame
> containing the MAC broadcast address; the ARP request advertises the
> destination IP address and asks for the associated MAC address. The station
> on the LAN that recognizes its own IP address will send an ARP Response
> with its own MAC address. As Figure 1 shows, ARP messages are carried
> directly in the LAN frame and ARP is an independent protocol from IP. The
> IANA maintains a list of all ARP parameters.
> 
> (Stolen from: http://www.hill.com/library/publications/tcpip.shtml )
> 

Based on this, is it possible the broadcast address is incorrect and
causing this (not necessarily at the Linux machine, but possibly)?

> --------------------
>          ARP is handled by the Linux TCP/IP stack.. but it could still be
> possible that one of your security packages is blocking ARP packets. To
> make ARP queries you can use the built-in Linux/Unix "arp -a"
> executable.  This will list all ip<->mac addresses discovered on the
> network by the kernel. If it's not your security software then it must be
> either the switch or the Cisco router not causing the drops.
>    My guess would be that one or both of the boxes are relying on ARP for
> intelligent packet routing.  Is there any way that you can isolate a ping so
> that it does NOT hit the router?  This could let you figure out if it's the
> router or the switch.
>          I also believe that both the switch and the Cisco router have the
> ability to log into and display current ARP tables. (either through the
> network or the serial manage port on the back of the devices)  You could
> have your network admin check that to see what the switch and router think
> they see on the network.
> 
> Unfortunately this is where my knowledge of routing ends.
> 
> Either way I hope this helps a bit more.
> -Sebastian
> 
> > >> You mentioned that you had several security packages installed on all of
> >the Linux machines. Perhaps one of them is filtering ARP messages? <<
> >
> >Hmmm...
> >
> >ARP is handled by the kernel, isn't it?
> >
> >I'm asking to make sure I didn't turn off a daemon or something that handles
> >it. I have ArpWatch turned off, for example, but I'm pretty sure that's
> >okay.
> >
> >Is there some sort of ARP client that I could use from a Linux or Solaris
> >box to query another and see if/how it responds?
> >
> >Okay, here's some more [potentially very relevant] info: when I verified
> >with our SysAdmin that our hubs were unmanaged hubs (and explained why I was
> >asking) he "happened to mention" that he turned off a bunch of features on
> >the router some time ago (probably at least a year ago) -- he described the
> >features to me as "RIP this and ARP that" -- he said he had to turn them off
> >to resolve some other sort of misrouting issue with our ISP.
> >
> >Is it possible that he turned off one feature too many, and now the router
> >*isn't* using ARP to check for connected machines? Windows machines are
> >obviously noisy enough on the network to keep the router informed of where
> >they are without ARP. Linux boxes are quiet enough when they're not doing
> >something that they could be missed, I suppose.
> >
> >Our SysAdmin is pretty good in many respects, but I think he'd be the first
> >to say that he falls short of the "guru level" in some areas -- Linux is
> >definitely one of them, and I don't think he knows everything there is to
> >know about router configuration either.
> >
> >-- Gary
> >_______________________________________________
> >Web Page:  http://lug.boulder.co.us
> >Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> 
> Sebastian Sobolewski
> 
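
The request/response exchange described in the quoted ARP explanation, as an added example that is not part of the original messages: it builds the broadcast "who-has" frame laid out in RFC 826, parses a reply, and checks that the reply actually answers the request. All MAC and IP addresses are constructed sample values, and the function names are this example's own.

```python
import struct

BROADCAST = b"\xff" * 6
ETHERTYPE_ARP = 0x0806
ARP_FIXED = (1, 0x0800, 6, 4)   # htype=Ethernet, ptype=IPv4, hlen, plen

def mac_bytes(mac):
    return bytes(int(p, 16) for p in mac.split(":"))

def ip_bytes(ip):
    return bytes(int(p) for p in ip.split("."))

def build_arp(oper, eth_dst, sha, spa, tha, tpa):
    """Ethernet frame carrying one ARP message (oper 1=request, 2=reply)."""
    eth = eth_dst + mac_bytes(sha) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", *ARP_FIXED, oper)
    return eth + arp + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)

def build_arp_request(src_mac, src_ip, target_ip):
    # Sent to the MAC broadcast address; the target MAC is the unknown, so zeros.
    return build_arp(1, BROADCAST, src_mac, src_ip, "00:00:00:00:00:00", target_ip)

def parse_arp(frame):
    """Return the ARP fields as a dict, or None if not Ethernet/IPv4 ARP."""
    if len(frame) < 42:
        return None
    dst, _src, etype = struct.unpack("!6s6sH", frame[:14])
    *fixed, oper = struct.unpack("!HHBBH", frame[14:22])
    if etype != ETHERTYPE_ARP or tuple(fixed) != ARP_FIXED:
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return {"op": {1: "request", 2: "reply"}.get(oper, oper), "eth_dst": mac(dst),
            "sender_mac": mac(sha), "sender_ip": ip(spa),
            "target_mac": mac(tha), "target_ip": ip(tpa)}

def answers(request, reply):
    """True if `reply` is the ARP response matching `request`."""
    q, r = parse_arp(request), parse_arp(reply)
    return bool(q and r and q["op"] == "request" and r["op"] == "reply"
                and r["sender_ip"] == q["target_ip"]
                and r["target_ip"] == q["sender_ip"]
                and r["target_mac"] == q["sender_mac"])

# Constructed sample exchange: host .10 asks for .1, and .1 replies unicast.
REQ = build_arp_request("00:11:22:33:44:55", "192.168.1.10", "192.168.1.1")
REPLY = build_arp(2, mac_bytes("00:11:22:33:44:55"), "00:aa:bb:cc:dd:ee",
                  "192.168.1.1", "00:11:22:33:44:55", "192.168.1.10")
```

Putting the request on the wire needs a raw `AF_PACKET` socket and root on Linux; the parsing half also works on frames saved from a capture.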


