[lug] Linux boxes drop off the net? The saga continues...

Gary Frerking garyf at turbopower.com
Wed Feb 7 23:56:19 MST 2001 

Okay, this is really getting weird.

I did a dump with TCPDump earlier today, and had a good look at all the 
ARP traffic with Ethereal.

I saw a bazillion ARP requests from just about every device on the 
network (including the router, so it *is* doing ARP requests about every 
10 min).

A typical request looks like this:

-----

Who has XXX.XXX.XXX.115? Tell XXX.XXX.XXX.1

Ethernet Packet header:

   Dest: ff:ff:ff:ff:ff:ff  (broadcast)
   Src:  00:00:0c:8d:4d:03  (router's mac address)

ARP Packet (request):

   Sender hardware address: 00:00:0c:8d:4d:03
   Sender protocol address: XXX.XXX.XXX.1
   Target hardware address: 00:00:00:00:00:00
   Target protocol address: XXX.XXX.XXX.115

Looks like a textbook ARP request to me.

=====

As far as I can tell, this is *supposed* to be an
ARP request from one of my Linux machines:

-----

Who has XXX.XXX.XXX.1? Tell XXX.XXX.XXX.61

Ethernet Packet header:

   Dest: 00:90:27:91:ae:77 (this is Linux box's mac!!)
   Src: 00:00:00:00:00:00 (huh??)

ARP Packet (request):

   Sender hardware address: 00:90:27:91:ae:77  // Okay
   Sender protocol address: XXX.XXX.XXX.61     // Okay
   Target hardware address: 00:00:00:00:00:00  // Okay
   Target protocol address: XXX.XXX.XXX.1      // Okay

Isn't this wacko?????

=====

Replies from the Linux box look similarly hosed.
Here's a sample:

XXX.XXX.XXX.61 is at 00:90:27:91:ae:77

Ethernet Packet header:

   Dest: 00:90:27:91:ae:77 (again, this is Linux box's mac!!)
   Src: 00:00:00:00:00:00 (huh??)

ARP Packet (reply):

   Sender hardware address: 00:90:27:91:ae:77   // Okay
   Sender protocol address: XXX.XXX.XXX.61      // Okay
   Target hardware address: 00:01:02:35:79:a4   // Okay
   Target protocol address: XXX.XXX.XXX.105     // Okay

=====

Comments welcome, I certainly don't have a clue what's going on here. 
Looks like a kernel bug to me (2.2.16-22).

After a bit of thought, I've convinced myself that it *could* explain 
the symptoms I'm seeing. The ARP replies never make it to their 
destination (ie. the router when it makes its round of requests -- so 
the router is not able to discover/cache the Linux box's mac until the 
Linux box sends something out through the router.

How is the Linux box getting anything out at all? I suppose it's somehow 
able to survive on TCP/IP alone?? Or maybe it properly forms ARP packets 
in some cases but not others??


-- Gary

More information about the LUG mailing list