arplookup 0.0.0.0 failed: host is not on local network

Christer Solskogen solskogen at carebears.mine.nu
Thu May 15 07:31:30 UTC 2008


Jon Radel wrote:

> to see what you can catch.
> 

First of all, thanks for taking time to help me on this.

[root at shine ~]# tcpdump -vvv -n -l -e arp
tcpdump: listening on nfe0, link-type EN10MB (Ethernet), capture size 96 
bytes
08:58:46.337968 00:1d:60:36:34:a6 > ff:ff:ff:ff:ff:ff, ethertype ARP 
(0x0806), length 60: arp who-has 192.168.0.3 tell 192.168.0.12
08:58:46.337974 00:18:f3:29:d8:15 > 00:1d:60:36:34:a6, ethertype ARP 
(0x0806), length 42: arp reply 192.168.0.3 is-at 00:18:f3:29:d8:15
08:59:46.842884 00:1d:60:36:34:a6 > ff:ff:ff:ff:ff:ff, ethertype ARP 
(0x0806), length 60: arp who-has 192.168.0.3 tell 192.168.0.12
08:59:46.842890 00:18:f3:29:d8:15 > 00:1d:60:36:34:a6, ethertype ARP 
(0x0806), length 42: arp reply 192.168.0.3 is-at 00:18:f3:29:d8:15
09:00:47.349826 00:1d:60:36:34:a6 > ff:ff:ff:ff:ff:ff, ethertype ARP 
(0x0806), length 60: arp who-has 192.168.0.3 tell 192.168.0.12
09:00:47.349833 00:18:f3:29:d8:15 > 00:1d:60:36:34:a6, ethertype ARP 
(0x0806), length 42: arp reply 192.168.0.3 is-at 00:18:f3:29:d8:15
09:01:47.854742 00:1d:60:36:34:a6 > ff:ff:ff:ff:ff:ff, ethertype ARP 
(0x0806), length 60: arp who-has 192.168.0.3 tell 192.168.0.12
09:01:47.854748 00:18:f3:29:d8:15 > 00:1d:60:36:34:a6, ethertype ARP 
(0x0806), length 42: arp reply 192.168.0.3 is-at 00:18:f3:29:d8:15
09:02:48.359670 00:1d:60:36:34:a6 > ff:ff:ff:ff:ff:ff, ethertype ARP 
(0x0806), length 60: arp who-has 192.168.0.3 tell 192.168.0.12
09:02:48.359677 00:18:f3:29:d8:15 > 00:1d:60:36:34:a6, ethertype ARP 
(0x0806), length 42: arp reply 192.168.0.3 is-at 00:18:f3:29:d8:15
09:03:48.864618 00:1d:60:36:34:a6 > ff:ff:ff:ff:ff:ff, ethertype ARP 
(0x0806), length 60: arp who-has 192.168.0.3 tell 192.168.0.12
09:03:48.864624 00:18:f3:29:d8:15 > 00:1d:60:36:34:a6, ethertype ARP 
(0x0806), length 42: arp reply 192.168.0.3 is-at 00:18:f3:29:d8:15
09:04:49.370546 00:1d:60:36:34:a6 > ff:ff:ff:ff:ff:ff, ethertype ARP 
(0x0806), length 60: arp who-has 192.168.0.3 tell 192.168.0.12
09:04:49.370551 00:18:f3:29:d8:15 > 00:1d:60:36:34:a6, ethertype ARP 
(0x0806), length 42: arp reply 192.168.0.3 is-at 00:18:f3:29:d8:15


There is this line saying:
00:1d:60:36:34:a6 > ff:ff:ff:ff:ff:ff
and nothing has ff:ff:ff:ff:ff:ff as a MAC address :)


[root at shine ~]# tcpdump -vvv -n -l -e -s 128 arp or ip | grep 0.0.0.0
tcpdump: listening on nfe0, link-type EN10MB (Ethernet), capture size 
128 bytes
09:10:51.405030 00:18:f3:29:d8:15 > 00:01:c0:03:7c:09, ethertype IPv4 
(0x0800), length 66: (tos 0x10, ttl 64, id 58427, offset 0, flags [DF], 
proto TCP (6), length 52, bad cksum 0 (->6565)!) 192.168.0.3.22 > 
62.97.242.6.61121: ., cksum 0xf139 (incorrect (-> 0x5ca1), 
13136:13136(0) ack 481 win 8320 <nop,nop,timestamp 1359099282 347410448>
09:11:42.703020 00:01:c0:03:7c:09 > 00:18:f3:29:d8:15, ethertype IPv4 
(0x0800), length 66: (tos 0x0, ttl 53, id 17642, offset 0, flags [DF], 
proto TCP (6), length 52) 82.137.33.24.35497 > 192.168.0.3.52332: ., 
cksum 0x7181 (correct), 938:938(0) ack 843885 win 65160 
<nop,nop,timestamp 4052665 1969055395>
09:11:51.809030 00:01:c0:03:7c:09 > 00:18:f3:29:d8:15, ethertype IPv4 
(0x0800), length 66: (tos 0x0, ttl 53, id 19037, offset 0, flags [DF], 
proto TCP (6), length 52) 82.137.33.24.35497 > 192.168.0.3.52332: ., 
cksum 0x2a5b (correct), 1135:1135(0) ack 982794 win 65160 
<nop,nop,timestamp 4053576 1969064662>

$ arp -a
hugs.carebears.lan (192.168.0.1) at 00:01:c0:03:7c:09 on nfe0 [ethernet]
shine (192.168.0.3) at 00:18:f3:29:d8:15 on nfe0 permanent [ethernet]
funshine.carebears.lan (192.168.0.12) at 00:1d:60:36:34:a6 on nfe0 
[ethernet]
? (192.168.0.255) at ff:ff:ff:ff:ff:ff on nfe0 permanent [ethernet]


I'll take your tip on shutting down one machine at a time to see which 
machine does this. Somehow I suspect my Windows 2008 Server box :)

-- 
chs
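
An added example, not part of the original post: a small parser for `tcpdump -n -e` output in the format shown above that rejoins wrapped records and counts, per source MAC, the ARP packets whose sender or target IP is exactly 0.0.0.0. An unescaped `grep 0.0.0.0` treats each dot as "any character", so it also matches strings such as `05030 0` in a timestamp followed by a MAC. The function names, the MAC 02:00:00:00:00:01 and the two 0.0.0.0 sample records are constructed for illustration.

```python
import re
from collections import Counter

TS = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ ")  # a new record starts with a timestamp
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
ARP = re.compile(
    rf"^\S+ (?P<src>{MAC}) > {MAC}, ethertype ARP .*?"
    r"arp (?:who-has (?P<target>\S+) tell (?P<sender>\S+)"
    r"|reply (?P<rsender>\S+) is-at \S+)")

def records(lines):
    """Rejoin tcpdump records that were wrapped across several lines."""
    buf = ""
    for line in lines:
        line = line.strip()
        if TS.match(line):
            if buf:
                yield buf
            buf = line
        elif buf and line:
            buf += " " + line
    if buf:
        yield buf

def zero_arp_sources(lines):
    """Count, per source MAC, ARP packets with 0.0.0.0 as sender or target IP."""
    hits = Counter()
    for rec in records(lines):
        m = ARP.match(rec)
        if not m:
            continue  # not ARP, e.g. TCP records an unescaped grep would match
        if "0.0.0.0" in (m["target"], m["sender"], m["rsender"]):
            hits[m["src"]] += 1
    return hits

# Constructed sample: one shortened TCP record and one ARP request in the
# format of the capture above, plus two made-up requests that name 0.0.0.0.
SAMPLE = """\
09:10:51.405030 00:18:f3:29:d8:15 > 00:01:c0:03:7c:09, ethertype IPv4
(0x0800), length 66: 192.168.0.3.22 > 62.97.242.6.61121: ., ack 481
09:12:01.000001 02:00:00:00:00:01 > ff:ff:ff:ff:ff:ff, ethertype ARP
(0x0806), length 60: arp who-has 192.168.0.9 tell 0.0.0.0
08:58:46.337968 00:1d:60:36:34:a6 > ff:ff:ff:ff:ff:ff, ethertype ARP
(0x0806), length 60: arp who-has 192.168.0.3 tell 192.168.0.12
09:12:02.000001 02:00:00:00:00:01 > ff:ff:ff:ff:ff:ff, ethertype ARP
(0x0806), length 60: arp who-has 192.168.0.9 tell 0.0.0.0
""".splitlines()

print(dict(zero_arp_sources(SAMPLE)))
```

The source MAC it reports can then be looked up in `arp -a` or on the switch to identify the machine.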

