public inbox for linux-kernel@vger.kernel.org
From: Frank van Maarseveen <fvm@tasking.nl>
To: linux-kernel@vger.kernel.org
Subject: 2.4.5-pre1: Bogus ARP packets containing NFS file data?
Date: Tue, 15 May 2001 17:52:12 +0200
Message-ID: <20010515175212.A31058@espoo.tasking.nl>

System is a PIII UP 2.4.5-pre1, NFS client, options from /proc/mounts:

	arezzo:/usr/src/dolphin /usr/src/dolphin nfs rw,nodev,v3,rsize=32768,wsize=32768,hard,udp,nolock,addr=arezzo 0 0

Lately my "arpwatch" running on this 2.4.5-pre1 machine started to log

	May 15 15:55:18 espoo arpwatch: 0:60:97:ba:b4:f5 sent bad hardware format 0x4500 

Hostname and Ethernet address correspond with the 2.4.5-pre1 machine itself.
To see what's really on the wire I ran "tcpdump -e -s 1500 -p -i eth0 arp"
on a separate machine with 2.4.0 and caught this:

15:55:18.404032 P 0:60:97:ba:b4:f5 0:0:0:0:0:1 arp 1514: arp-#11892 for proto #1500 (43) hardware #17664 (35)
15:55:18.405288 P 0:60:97:ba:b4:f5 0:0:0:0:0:1 arp 1514: arp-#12077 for proto #1500 (43) hardware #17664 (35)
15:55:18.410843 P 0:60:97:ba:b4:f5 0:0:0:0:0:1 arp 1514: arp-#8747 for proto #1500 (44) hardware #17664 (35)
15:55:18.412137 P 0:60:97:ba:b4:f5 0:0:0:0:0:1 arp 1514: arp-#8932 for proto #1500 (44) hardware #17664 (35)
15:55:18.415833 P 0:60:97:ba:b4:f5 0:0:0:0:0:1 arp 1514: arp-#9487 for proto #1500 (44) hardware #17664 (35)
15:55:18.419554 P 0:60:97:ba:b4:f5 0:0:0:0:0:1 arp 1514: arp-#10042 for proto #1500 (44) hardware #17664 (35)
15:55:18.424481 P 0:60:97:ba:b4:f5 0:0:0:0:0:1 arp 1514: arp-#10782 for proto #1500 (44) hardware #17664 (35)
15:55:18.430703 P 0:60:97:ba:b4:f5 0:0:0:0:0:1 arp 1514: arp-#11707 for proto #1500 (44) hardware #17664 (35)
15:55:19.091599 P 0:60:97:ba:b4:f5 0:0:0:0:0:1 arp 1514: arp-#11337 for proto #1500 (45) hardware #17664 (35)
15:55:19.095912 P 0:60:97:ba:b4:f5 0:0:0:0:0:1 arp 1514: arp-#11892 for proto #1500 (45) hardware #17664 (35)
15:55:19.103662 P 0:60:97:ba:b4:f5 0:0:0:0:0:1 arp 1514: arp-#8932 for proto #1500 (46) hardware #17664 (35)
15:55:19.104894 P 0:60:97:ba:b4:f5 0:0:0:0:0:1 arp 1514: arp-#9117 for proto #1500 (46) hardware #17664 (35)
15:55:19.108663 P 0:60:97:ba:b4:f5 0:0:0:0:0:1 arp 1514: arp-#9672 for proto #1500 (46) hardware #17664 (35)
15:55:19.109921 P 0:60:97:ba:b4:f5 0:0:0:0:0:1 arp 1514: arp-#9857 for proto #1500 (46) hardware #17664 (35)
15:55:19.111215 P 0:60:97:ba:b4:f5 0:0:0:0:0:1 arp 1514: arp-#10042 for proto #1500 (46) hardware #17664 (35)
15:55:19.112471 P 0:60:97:ba:b4:f5 0:0:0:0:0:1 arp 1514: arp-#10227 for proto #1500 (46) hardware #17664 (35)
15:55:19.113725 P 0:60:97:ba:b4:f5 0:0:0:0:0:1 arp 1514: arp-#10412 for proto #1500 (46) hardware #17664 (35)
15:55:19.125308 P 0:60:97:ba:b4:f5 0:0:0:0:0:1 arp 418: arp-#4070 for proto #404 (46) hardware #17664 (35)
15:55:20.493244 P 0:60:97:ba:b4:f5 0:0:0:0:0:1 arp 1514: arp-#11337 for proto #1500 (47) hardware #17664 (35)
15:55:20.494538 P 0:60:97:ba:b4:f5 0:0:0:0:0:1 arp 1514: arp-#11522 for proto #1500 (47) hardware #17664 (35)
15:55:20.495795 P 0:60:97:ba:b4:f5 0:0:0:0:0:1 arp 1514: arp-#11707 for proto #1500 (47) hardware #17664 (35)
15:55:20.497088 P 0:60:97:ba:b4:f5 0:0:0:0:0:1 arp 1514: arp-#11892 for proto #1500 (47) hardware #17664 (35)
15:55:20.498383 P 0:60:97:ba:b4:f5 0:0:0:0:0:1 arp 1514: arp-#12077 for proto #1500 (47) hardware #17664 (35)
15:55:20.507651 P 0:60:97:ba:b4:f5 0:0:0:0:0:1 arp 1514: arp-#9302 for proto #1500 (48) hardware #17664 (35)
15:55:20.508951 P 0:60:97:ba:b4:f5 0:0:0:0:0:1 arp 1514: arp-#9487 for proto #1500 (48) hardware #17664 (35)
15:55:20.511465 P 0:60:97:ba:b4:f5 0:0:0:0:0:1 arp 1514: arp-#9857 for proto #1500 (48) hardware #17664 (35)
15:55:20.513990 P 0:60:97:ba:b4:f5 0:0:0:0:0:1 arp 1514: arp-#10227 for proto #1500 (48) hardware #17664 (35)

A second run with an additional "-w file" option caught another bunch of
these. "strings -a file" showed (both good and bad packets):

...
	!xBk
	LLLLLLLLLLLLLLLLLLL
	s
	CCCCCCCCCCCCCCCCCCC
=>	espoo
=>	b0VIM 5.7
=>	espoo
=>	~fvm/ctri/c_flow.c
=>	3210#"!
=>	espoo
=>	b0VIM 5.7
=>	espoo
=>	~fvm/ctri/c_flow.c
=>	3210#"!
	WWWWWWWWWWWWWWWWWWW
	yyyyyyyyyyyyyyyyyyy
	wwwwwwwwwwwwwwwwwww
	RRRRRRRRRRRRRRRRRRR
	@@@@@@@@@@@@@@@@@@@
	DDDDDDDDDDDDDDDDDDD
	ooooooooooooooooooo
...

Now this is strange. Everything marked with "=>" can be found in a temporary
file made by VIM on NFS on this 2.4.5-pre1 machine. To be more precise, I was
working on a file named "c_flow.c" and noticed a delay of a few seconds while
VIM was writing the ".c_flow.c.swp" file (guess). At the same time "arpwatch"
complained and I terminated the tcpdump to see what had been logged so far.

The ".c_flow.c.swp" file starts with a magic header "b0VIM 5.7".

-- 
Frank
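
Added example, not part of the original message: the numbers tcpdump printed for these "ARP" frames can be re-read as the first eight bytes of an IPv4 header, which is why arpwatch saw hardware format 0x4500 (version 4, header length 5, TOS 0). The field order in tcpdump's fallback ARP format (op, pro, pln, hrd, hln) is an assumption, and the function names are made up for this sketch.

```python
import re
import struct

# Three lines copied from the tcpdump output quoted in the message above.
SAMPLE = """\
15:55:18.404032 P 0:60:97:ba:b4:f5 0:0:0:0:0:1 arp 1514: arp-#11892 for proto #1500 (43) hardware #17664 (35)
15:55:18.405288 P 0:60:97:ba:b4:f5 0:0:0:0:0:1 arp 1514: arp-#12077 for proto #1500 (43) hardware #17664 (35)
15:55:19.125308 P 0:60:97:ba:b4:f5 0:0:0:0:0:1 arp 418: arp-#4070 for proto #404 (46) hardware #17664 (35)
"""

# Assumed field order in tcpdump's fallback ARP format: op, pro, pln, hrd, hln.
LINE_RE = re.compile(
    r"arp-#(\d+) for proto #(\d+) \((\d+)\) hardware #(\d+) \((\d+)\)")

def as_ipv4(line):
    """Re-read the ARP fixed-header fields tcpdump printed as IPv4 header bytes 0-7."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    op, pro, pln, hrd, hln = (int(g) for g in m.groups())
    # ARP fixed header on the wire: hrd(2) pro(2) hln(1) pln(1) op(2).
    raw = struct.pack("!HHBBH", hrd, pro, hln, pln, op)
    # Same 8 bytes as IPv4: version/IHL, TOS, total length, ID, flags + fragment offset.
    vihl, tos, total_len, ip_id, frag = struct.unpack("!BBHHH", raw)
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or ihl < 20 or total_len < ihl:
        return None  # these bytes are not plausible as an IPv4 header
    return {
        "tos": tos, "total_len": total_len, "id": ip_id,
        "more_fragments": bool(frag & 0x2000),
        "offset": (frag & 0x1FFF) * 8,      # fragment offset is in 8-byte units
        "payload_len": total_len - ihl,
    }

def summarize(text):
    """Decode every matching line; report datagram size for each final fragment seen."""
    frags = [f for f in map(as_ipv4, text.splitlines()) if f]
    sizes = {f["id"]: f["offset"] + f["payload_len"]
             for f in frags if not f["more_fragments"]}
    return frags, sizes

if __name__ == "__main__":
    frags, sizes = summarize(SAMPLE)
    for f in frags:
        print(f)
    print("datagram sizes by IP ID:", sizes)
```

Read this way, the first two lines are consecutive 1480-byte fragments of one datagram, and the 418-byte frame is a final fragment ending at byte 32944, a size that would fit a write of wsize=32768 plus RPC and UDP headers. That reading is an inference from the printed numbers and is not stated in the message.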
