Find the answer to your Linux question:
Results 1 to 3 of 3
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #1

    which process generating specified packet?


    I'm using RedHat 9.0. I am sniffing my eth0 interface to check the packets. I saw the following things in output:

    Sender Ether address: 00:10:dc:f1:f7:64
    Sender IP address:
    Target Ether address: ff:ff:ff:ff:ff:ff
    Target IP address:

    1185 1115814721.463680 | ETH 00:10:dc:f1:f7:64->ff:ff:ff:ff:ff:ff | ARP request
    1449 1115814723.552794 | ETH 00:10:dc:f1:f7:64->ff:ff:ff:ff:ff:ff | ARP request
    1666 1115814725.644405 | ETH 00:10:dc:f1:f7:64->ff:ff:ff:ff:ff:ff | ARP request
    1944 1115814727.746263 | ETH 00:10:dc:f1:f7:64->ff:ff:ff:ff:ff:ff | ARP request
    2253 1115814729.828879 | ETH 00:10:dc:f1:f7:64->ff:ff:ff:ff:ff:ff | ARP request
    2509 1115814731.928113 | ETH 00:10:dc:f1:f7:64->ff:ff:ff:ff:ff:ff | ARP request

    How to get what local process generating such packets?


  2. #2
    from it being the same source and recieving address i found this:

    What is gratuitous ARP?
    When a host sends an ARP request to resolve its own IP address, it is called gratuitous ARP. In the ARP request packet, the source IP address and destination IP address are filled with the same source IP address itself. The destination MAC address is the Ethernet broadcast address (FF:FF:FF:FF:FF:FF).

    What is the use of gratuitous ARP?
    Gratuitous ARP is used for the following:
    In a properly configured network, there will not be an ARP reply for a gratuitous ARP request. But if another host in the network is also configured with the same IP address as the source host, then the source host will get an ARP reply. In this way, a host can determine whether another host is also configured with its IP address.
    When the network interface card in a system is changed, the MAC address to its IP address mapping is changed. In this case, when the host is rebooted, it will send an ARP request packet for its own IP address. As this is a broadcast packet, all the hosts in the network will receive and process this packet. They will update their old mapping in the ARP cache with this new mapping.

    from the web site at

    what do you get from the command:
    ps axu
    that will print your currently running processes.

  3. #3

    Thank you

    Thank you for your reply.

    The next question. I have my collocation server installed at ISP site. They said that my server sends packets with different MAC address and it makes the following lines in their router logs:

    17:17:01 MSD: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation
    occurred, caused by MAC address 000c.7620.a794 on port FastEthernet0/18.

    17:21:40 MSD: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/18, putting Fa0/18 in err-disable state May
    12 17:21:40 MSD: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0010.dcf1.f764 on port FastEthernet0/18.

    000c.7620.a794 - is the correct MAC of the server's ethernet card (eth0 interface)

    0010.dcf1.f764 related to

    Why this is happening? I saw such packets in my sniffer log.

    This is happened exactly after the server rebooted hard.

    Any suggestions?

  4. $spacer_open

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts