SNMP ARP Table Delay or Bug

blak111 · Nov 25, 2008, 12:27 AM

I'm not sure if this is a bug, but I have a setup that checks for arp poisoning using arpwatch. I went to test it and after I poison a host, the changed mac address to IP binding isn't reflected in the arp table retrieved from pfSense via SNMP. It does appear immediately under the ARP Tables on the web interface.
Is this an intentional long delay to populate those SNMP arp tables, or is it just a bug of the tables not being updated with new values?

Thanks,
Kevin

P.S. I verified it's not just the arpwatch program by performing an snmpwalk on the device and piping the results into grep to see the IP to MAC entry myself.

blak111 · Nov 25, 2008, 6:40 PM

For some additional information, this only appears to be a problem on 1.2.1. The arp entries reported by a 1.2 release are updated immediately. It seems like once an entry is added to the SNMP table, it never changes.

blak111 · Nov 29, 2008, 6:13 AM

Do I need to post some more info or screenshots?

YoMarK · Dec 3, 2008, 10:12 AM

Don't know if the SNMP agent on PfSense uses caching, but this could be the problem.

blak111 · Dec 4, 2008, 12:06 AM

It just started happening with the 1.2.1 release, so maybe some caching did get turned on during the change. The values change right away with 1.2.