  1. #1
    Just Joined!
    Join Date
    May 2005
    Posts
    2

    arp who-has? tell?


    Hello,

    My desktop computer, running Fedora 8, software firewall on, SELinux on, dynamic DNS, my IP address is 98.203.6.135, ron@c-98-203-6-135.hsd1.fl.comcast.net, is connected directly to Comcast via a cable modem. I recently changed modems due to an electrical storm. I noticed the new modem's PC activity light blinks continuously. This did not happen with the old modem. I read an article about tcpdump and tried <code># /usr/sbin/tcpdump -nS > tcpdump.log</code>. Here is part of tcpdump.log:

    08:15:47.984724 arp who-has 71.206.79.141 tell 71.206.76.1
    08:15:47.985081 arp who-has 98.203.1.140 tell 98.203.0.1
    08:15:48.160197 arp who-has 76.110.184.13 tell 76.110.184.1
    08:15:48.208245 arp who-has 66.229.170.141 tell 66.229.170.1
    08:15:48.280100 arp who-has 98.203.0.91 tell 98.203.0.1
    08:15:48.280552 arp who-has 98.203.0.92 tell 98.203.0.1
    08:15:48.280868 arp who-has 98.203.0.93 tell 98.203.0.1
    08:15:48.281164 arp who-has 98.203.0.94 tell 98.203.0.1
    08:15:48.281591 arp who-has 98.203.0.95 tell 98.203.0.1
    08:15:48.281998 arp who-has 98.203.0.96 tell 98.203.0.1
    08:15:48.282696 arp who-has 98.203.0.97 tell 98.203.0.1
    08:15:48.283852 arp who-has 98.203.0.99 tell 98.203.0.1
    08:15:48.284338 arp who-has 98.203.0.100 tell 98.203.0.1
    08:15:48.285053 arp who-has 98.203.0.101 tell 98.203.0.1
    08:15:48.285399 arp who-has 98.203.2.181 tell 98.203.0.1
    08:15:48.285699 arp who-has 98.203.0.102 tell 98.203.0.1
    08:15:48.286154 arp who-has 98.203.0.103 tell 98.203.0.1
    08:15:48.287382 arp who-has 98.203.0.105 tell 98.203.0.1
    08:15:48.287780 arp who-has 98.203.0.106 tell 98.203.0.1
    08:15:48.289626 arp who-has 98.203.0.109 tell 98.203.0.1
    08:15:48.292039 arp who-has 65.34.210.47 tell 65.34.210.1
    08:15:48.492036 arp who-has 76.110.191.29 tell 76.110.184.1
    08:15:48.513075 arp who-has 66.229.170.86 tell 66.229.170.1
    08:15:48.513366 IP 98.203.6.135.33433 > 68.87.74.162.domain: 63866+ PTR? 86.170.229.66.in-addr.arpa. (44)
    08:15:48.552057 arp who-has 98.203.1.178 tell 98.203.0.1
    08:15:48.567617 IP 68.87.74.162.domain > 98.203.6.135.33433: 63866 1/0/0 (93)
    08:15:48.676102 arp who-has 66.229.170.31 tell 66.229.170.1
    08:15:48.733381 arp who-has 98.203.3.181 tell 98.203.0.1
    08:15:48.774378 arp who-has 76.110.185.155 tell 76.110.184.1
    08:15:49.080792 arp who-has 71.206.77.81 tell 71.206.76.1
    08:15:49.118336 arp who-has 98.46.109.240 tell 98.46.109.1
    08:15:49.118731 IP 98.203.6.135.33433 > 68.87.74.162.domain: 184+ PTR? 240.109.46.98.in-addr.arpa. (44)
    08:15:49.134683 IP 68.87.74.162.domain > 98.203.6.135.33433: 184 NXDomain 0/1/0 (132)
    08:15:49.160092 arp who-has 76.110.187.17 tell 76.110.184.1
    08:15:49.208825 arp who-has 76.110.189.58 tell 76.110.184.1
    08:15:49.317184 arp who-has 65.34.210.47 tell 65.34.210.1
    08:15:49.413014 arp who-has 98.203.2.162 tell 98.203.0.1
    08:15:49.589418 arp who-has 76.110.184.13 tell 76.110.184.1
    08:15:49.592161 arp who-has 98.203.5.98 tell 98.203.0.1
    08:15:49.635103 arp who-has 76.110.185.232 tell 76.110.184.1
    08:15:49.752062 arp who-has 65.34.211.67 tell 65.34.210.1
    08:15:49.872395 arp who-has 98.203.3.153 tell 98.203.0.1
    08:15:50.091724 arp who-has 98.203.0.111 tell 98.203.0.1
    08:15:50.093236 arp who-has 98.203.0.114 tell 98.203.0.1
    08:15:50.094008 arp who-has 98.203.0.115 tell 98.203.0.1
    08:15:50.095170 arp who-has 98.203.0.117 tell 98.203.0.1
    08:15:50.098236 arp who-has 98.203.0.118 tell 98.203.0.1
    08:15:50.098577 arp who-has 98.203.0.120 tell 98.203.0.1
    08:15:50.098876 arp who-has 98.203.0.121 tell 98.203.0.1
    08:15:50.099178 arp who-has 98.203.0.122 tell 98.203.0.1
    08:15:50.099480 arp who-has 98.203.0.123 tell 98.203.0.1
    08:15:50.101209 arp who-has 98.203.0.125 tell 98.203.0.1
    08:15:50.101561 arp who-has 98.203.0.126 tell 98.203.0.1
    08:15:50.174306 arp who-has 76.110.186.255 tell 76.110.184.1
    08:15:50.174588 IP 98.203.6.135.33433 > 68.87.74.162.domain: 32460+ PTR? 255.186.110.76.in-addr.arpa. (45)
    08:15:50.190267 arp who-has 76.110.184.13 tell 76.110.184.1
    08:15:50.206890 arp who-has 98.203.0.39 tell 98.203.0.1
    08:15:50.220917 arp who-has 71.206.78.27 tell 71.206.76.1
    08:15:50.224216 arp who-has 66.229.170.254 tell 66.229.170.1
    08:15:50.228505 IP 68.87.74.162.domain > 98.203.6.135.33433: 32460 1/0/0 (95)
    08:15:50.228984 IP 98.203.6.135.33433 > 68.87.74.162.domain: 22637+ PTR? 254.170.229.66.in-addr.arpa. (45)
    08:15:50.281247 IP 68.87.74.162.domain > 98.203.6.135.33433: 22637 1/0/0 (95)
    08:15:50.282044 arp who-has 76.110.189.110 tell 76.110.184.1
    08:15:50.364382 arp who-has 98.46.109.90 tell 98.46.109.1
    08:15:50.392168 arp who-has 76.110.189.56 tell 76.110.184.1
    08:15:50.531449 arp who-has 98.203.7.246 tell 98.203.0.1
    08:15:50.538798 arp who-has 98.35.105.247 tell 98.35.105.1
    08:15:50.539099 IP 98.203.6.135.33433 > 68.87.74.162.domain: 62320+ PTR? 247.105.35.98.in-addr.arpa. (44)
    08:15:50.539324 IP 98.203.6.135.traceroute > 68.87.74.162.domain: 3108+ PTR? 247.105.35.98.in-addr.arpa. (44)
    08:15:50.568403 arp who-has 71.206.79.143 tell 71.206.76.1
    08:15:50.591548 arp who-has 66.229.170.84 tell 66.229.170.1
    08:15:50.593753 IP 68.87.74.162.domain > 98.203.6.135.33433: 62320 NXDomain 0/1/0 (132)

    Is this normal? What does all this mean?

    -macroron-

  2. #2
    Just Joined!
    Join Date
    Dec 2007
    Posts
    5
    I believe the PC activity light is supposed to blink continuously as long as the PC that is connected to the modem is switched on. The lack of blinking would indicate no data transfer between your PC and the modem. I would be concerned if it was not blinking or was off.

    Most of the messages from the log show one or more systems on the Comcast network (could be a DHCP server/router) sending ARP packets to other systems on the network to obtain their MAC addresses, and those systems typically respond back to the requesting system with their MAC address. This is typical behavior.

    For example, the line below means that 98.203.0.1 (most likely a Comcast router) has asked a workstation on the network bearing the IP address 90.203.0.95 for its MAC address, and this workstation (90.203.0.95) "tells" 98.203.0.1 (the Comcast router) its MAC address.

    <code>08:15:48.281591 arp who-has 98.203.0.95 tell 98.203.0.1</code>

    Try googling for 'arp who-has' and you might come across several links that can help you detect if there is anything usual going on.
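
Added example, not part of either post: a short Python script that groups the `arp who-has` lines of a tcpdump text log by requesting address and checks whether each PTR lookup sent from the capturing host is for an address that had just appeared as an ARP target. The sample lines are copied from the log in post #1; the function and variable names are illustrative.

```python
import re
from collections import defaultdict

# Lines copied from the tcpdump.log excerpt in post #1.
SAMPLE = """\
08:15:48.280100 arp who-has 98.203.0.91 tell 98.203.0.1
08:15:48.280552 arp who-has 98.203.0.92 tell 98.203.0.1
08:15:48.292039 arp who-has 65.34.210.47 tell 65.34.210.1
08:15:48.513075 arp who-has 66.229.170.86 tell 66.229.170.1
08:15:48.513366 IP 98.203.6.135.33433 > 68.87.74.162.domain: 63866+ PTR? 86.170.229.66.in-addr.arpa. (44)
08:15:48.567617 IP 68.87.74.162.domain > 98.203.6.135.33433: 63866 1/0/0 (93)
08:15:49.118336 arp who-has 98.46.109.240 tell 98.46.109.1
08:15:49.118731 IP 98.203.6.135.33433 > 68.87.74.162.domain: 184+ PTR? 240.109.46.98.in-addr.arpa. (44)
08:15:49.317184 arp who-has 65.34.210.47 tell 65.34.210.1
"""

# "arp who-has <target> tell <sender>": <sender> is asking for <target>'s MAC.
ARP_RE = re.compile(r"^\S+ arp who-has (\S+) tell (\S+)$")
# Outgoing reverse-DNS query: "<client>.<port> > <server>.domain: <id>+ PTR? d.c.b.a.in-addr.arpa."
PTR_RE = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.\S+ > \S+ \d+\+ PTR\? "
                    r"(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa\.")

def summarize(log_text):
    """Return (ARP targets per sender, PTR lookups matching an earlier ARP target)."""
    targets_by_sender = defaultdict(list)
    seen_targets = set()
    ptr_matches = []
    for line in log_text.splitlines():
        line = line.strip()
        m = ARP_RE.match(line)
        if m:
            target, sender = m.groups()
            targets_by_sender[sender].append(target)
            seen_targets.add(target)
            continue
        m = PTR_RE.match(line)
        if m:
            # in-addr.arpa names carry the octets in reverse order
            addr = ".".join(reversed(m.groups()[1:]))
            if addr in seen_targets:
                ptr_matches.append((m.group(1), addr))
    return dict(targets_by_sender), ptr_matches

if __name__ == "__main__":
    senders, ptrs = summarize(SAMPLE)
    for sender, targets in sorted(senders.items()):
        print(f"{sender}: {len(targets)} requests, {len(set(targets))} distinct targets")
    for client, addr in ptrs:
        print(f"{client} looked up the name of ARP target {addr}")
```

On these lines every ARP request comes from a `.1` address in one of several subnets, and both PTR queries are sent by 98.203.6.135 for addresses that appear as ARP targets immediately beforehand.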
