    ARPWatch FlipFlop

    • T
      Technolust
      last edited by

      Getting ARPWatch Flip Flop Messages every 34 minutes from a Kali Purple Box with two Nic cards.

      LAN	192.168.0.224	e9:4e:06:87:30:45
      LAN	192.168.0.225	a9:a1:59:d6:f5:dd
      LAN	192.168.0.225	e9:4e:06:87:30:45
      

      I know I could suppress the flip flop messages but I would like to understand how/why the Mac is flip flopping between the IP addresses?

      On the Nic settings for each card I specified which Mac to use for each device.
      I set NIC 1 (Wired connection 1) to the .255 IP address - Mac = a9:a1:59:d6:f5:dd
      I set NIC 2 (Wired connection 2) to the 224 IP address - Mac = e9:4e:06:87:30:45

      Is there a way to clear the ARP Watch database/table?

      • johnpozJ
        johnpoz LAYER 8 Global Moderator @Technolust
        last edited by

        @Technolust said in ARPWatch FlipFlop:

        Is there a way to clear the ARP Watch database/table?

        If you check the clear database checkbox it should clear it on an uninstall. Or you could always do it manually: just disable arpwatch and then in the /usr/local/arpwatch folder delete the .dat and .dat- files. Then restart arpwatch.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • T
          Technolust @johnpoz
          last edited by

          @johnpoz I removed them manually but Arpwatch still sees them the same way. I'm not sure why Kali Purple is showing NIC one with both Mac addresses and NIC2 with only one MAC address.

          • johnpozJ
            johnpoz LAYER 8 Global Moderator @Technolust
            last edited by johnpoz

            @Technolust so your db cleared?

            So I stopped arpwatch by unchecking the enable checkbox. My db is not very large because I only ran it for a very short time to fill the db with stuff.

            You can see the current db, then I deleted the dat files, now the db is empty

            arpwatch.jpg

            If your db was empty, and then your multiple entries show up, or flipflops - then they are happening, and not just some old entry in your db.

            • T
              Technolust @johnpoz
              last edited by Technolust

              @johnpoz Yep, I cleared the db just like the pictures you showed and it started rebuilding the arp table again. So it does look like they are flip flopping but I did learn it is only happening on one of the two NIC Cards. .225 Nic 1 shows both Mac addresses from NIC 1 and NIC 2 in the ARP table...

              LAN	192.168.0.224	e9:4e:06:87:30:45	EDUP INTERNATIONAL (HK) CO., LTD		Sat Apr 20 09:13:05 2024
              LAN	192.168.0.225	a9:a1:59:d6:f5:dd	ASRock Incorporation		Sat Apr 20 09:08:00 2024
              LAN	192.168.0.225	e9:4e:06:87:30:45	EDUP INTERNATIONAL (HK) CO., LTD		Sat Apr 20 09:05:33 2024
              

              For now I just suppressed the MAC addresses but I would really like to know why Kali is reporting both NIC Card Mac addresses on NIC 1 in the Arp table.

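An added example, not part of the thread and not arpwatch's own code: a small parser for the table rows pasted in the post above that lists every IP seen with more than one MAC and, for each of those MACs, which other IPs it also appears under. The function names and the tab-separated row layout are assumptions made for this illustration.

```python
from collections import defaultdict
from datetime import datetime

# The three rows posted above, tab-separated: interface, IP, MAC, vendor, (empty), last seen.
ROWS = (
    "LAN\t192.168.0.224\te9:4e:06:87:30:45\tEDUP INTERNATIONAL (HK) CO., LTD\t\tSat Apr 20 09:13:05 2024\n"
    "LAN\t192.168.0.225\ta9:a1:59:d6:f5:dd\tASRock Incorporation\t\tSat Apr 20 09:08:00 2024\n"
    "LAN\t192.168.0.225\te9:4e:06:87:30:45\tEDUP INTERNATIONAL (HK) CO., LTD\t\tSat Apr 20 09:05:33 2024\n"
)

def parse(text):
    """Turn pasted table rows into observation dicts; rows that do not fit are skipped."""
    obs = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("\t") if p.strip()]
        if len(parts) != 5:
            continue
        iface, ip, mac, vendor, seen = parts
        obs.append({"iface": iface, "ip": ip, "mac": mac.lower(), "vendor": vendor,
                    "seen": datetime.strptime(seen, "%a %b %d %H:%M:%S %Y")})
    return obs

def flip_flop_candidates(obs):
    """For every IP seen with more than one MAC, list each MAC and the other IPs it also claims."""
    macs_by_ip, ips_by_mac, last_seen = defaultdict(set), defaultdict(set), {}
    for o in obs:
        macs_by_ip[(o["iface"], o["ip"])].add(o["mac"])
        ips_by_mac[o["mac"]].add(o["ip"])
        pair = (o["ip"], o["mac"])
        last_seen[pair] = max(o["seen"], last_seen.get(pair, o["seen"]))
    findings = []
    for (iface, ip), macs in sorted(macs_by_ip.items()):
        if len(macs) < 2:
            continue  # one MAC per IP: nothing to flip-flop between
        for mac in sorted(macs):
            findings.append({"iface": iface, "ip": ip, "mac": mac,
                             "also_seen_as": sorted(ips_by_mac[mac] - {ip}),
                             "last_seen": last_seen[(ip, mac)]})
    return findings

if __name__ == "__main__":
    for f in flip_flop_candidates(parse(ROWS)):
        origin = ", ".join(f["also_seen_as"]) or "no other IP in the table"
        print(f'{f["iface"]} {f["ip"]} <- {f["mac"]} at {f["last_seen"]:%H:%M:%S} (MAC also holds: {origin})')
```

On the posted rows this reports 192.168.0.225 with two MACs, and shows that the second one (e9:4e:06:87:30:45) is the same MAC recorded for 192.168.0.224, so the extra MAC on .225 is a station already present in the table rather than a new one.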
              • johnpozJ
                johnpoz LAYER 8 Global Moderator @Technolust
                last edited by

                @Technolust said in ARPWatch FlipFlop:

                but I would really like to know why Kali is reporting both NIC Card Mac addresses

                Get with Kali support or their forums. pfSense has nothing to do with what MAC addresses something puts on the wire. Arpwatch just reports what it sees.

                How about a simple ifconfig output from this Kali box? It will show what MAC addresses are listed for an interface.

                Example: here is my NAS that has multiple interfaces, and what MAC they list for each instance of an interface. It has multiples, running docker instances and running open vswitch for VMs on it, etc.

                ash-4.4# ifconfig
                docker0   Link encap:Ethernet  HWaddr 02:42:78:C0:11:CE  
                          inet addr:172.17.0.1  Bcast:172.17.255.255  Mask:255.255.0.0
                          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                          RX packets:27465728 errors:0 dropped:0 overruns:0 frame:0
                          TX packets:25377979 errors:0 dropped:0 overruns:0 carrier:0
                          collisions:0 txqueuelen:1000 
                          RX bytes:7155321949 (6.6 GiB)  TX bytes:21376593584 (19.9 GiB)
                
                docker186 Link encap:Ethernet  HWaddr A2:67:DD:19:CA:1F  
                          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                          RX packets:6129118 errors:0 dropped:0 overruns:0 frame:0
                          TX packets:6001634 errors:0 dropped:0 overruns:0 carrier:0
                          collisions:0 txqueuelen:0 
                          RX bytes:1837704920 (1.7 GiB)  TX bytes:5085324938 (4.7 GiB)
                
                docker20b Link encap:Ethernet  HWaddr 56:D8:D5:4C:EB:FC  
                          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                          RX packets:15687 errors:0 dropped:0 overruns:0 frame:0
                          TX packets:18240 errors:0 dropped:0 overruns:0 carrier:0
                          collisions:0 txqueuelen:0 
                          RX bytes:6228616 (5.9 MiB)  TX bytes:43599547 (41.5 MiB)
                
                docker31b Link encap:Ethernet  HWaddr 96:2C:75:39:15:E7  
                          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                          RX packets:169561 errors:0 dropped:0 overruns:0 frame:0
                          TX packets:391739 errors:0 dropped:0 overruns:0 carrier:0
                          collisions:0 txqueuelen:0 
                          RX bytes:29968172 (28.5 MiB)  TX bytes:986563196 (940.8 MiB)
                
                docker370 Link encap:Ethernet  HWaddr 7E:78:87:D7:59:4B  
                          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                          RX packets:453 errors:0 dropped:0 overruns:0 frame:0
                          TX packets:764 errors:0 dropped:0 overruns:0 carrier:0
                          collisions:0 txqueuelen:0 
                          RX bytes:6244119 (5.9 MiB)  TX bytes:90911 (88.7 KiB)
                
                docker4ce Link encap:Ethernet  HWaddr 16:7A:43:EE:F4:12  
                          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                          RX packets:469 errors:0 dropped:0 overruns:0 frame:0
                          TX packets:771 errors:0 dropped:0 overruns:0 carrier:0
                          collisions:0 txqueuelen:0 
                          RX bytes:1341275 (1.2 MiB)  TX bytes:115507 (112.7 KiB)
                
                docker912 Link encap:Ethernet  HWaddr 46:DE:B4:A8:8C:EB  
                          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                          RX packets:351 errors:0 dropped:0 overruns:0 frame:0
                          TX packets:470 errors:0 dropped:0 overruns:0 carrier:0
                          collisions:0 txqueuelen:0 
                          RX bytes:2882984 (2.7 MiB)  TX bytes:76041 (74.2 KiB)
                
                dockerb04 Link encap:Ethernet  HWaddr FE:76:AE:22:81:AF  
                          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                          RX packets:14699786 errors:0 dropped:0 overruns:0 frame:0
                          TX packets:12747545 errors:0 dropped:0 overruns:0 carrier:0
                          collisions:0 txqueuelen:0 
                          RX bytes:3199311528 (2.9 GiB)  TX bytes:7503928522 (6.9 GiB)
                
                dockercae Link encap:Ethernet  HWaddr 4E:66:60:17:BE:AE  
                          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                          RX packets:91850 errors:0 dropped:0 overruns:0 frame:0
                          TX packets:145589 errors:0 dropped:0 overruns:0 carrier:0
                          collisions:0 txqueuelen:0 
                          RX bytes:18155461 (17.3 MiB)  TX bytes:159648970 (152.2 MiB)
                
                dockerf06 Link encap:Ethernet  HWaddr FA:29:C2:0E:2A:84  
                          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                          RX packets:6492 errors:0 dropped:0 overruns:0 frame:0
                          TX packets:7026 errors:0 dropped:0 overruns:0 carrier:0
                          collisions:0 txqueuelen:0 
                          RX bytes:16969805 (16.1 MiB)  TX bytes:3162842 (3.0 MiB)
                
                eth0      Link encap:Ethernet  HWaddr 00:11:32:7B:29:7D  
                          UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
                          RX packets:265420473 errors:3 dropped:0 overruns:0 frame:3
                          TX packets:1765623495 errors:0 dropped:0 overruns:0 carrier:0
                          collisions:0 txqueuelen:1000 
                          RX bytes:70895377842 (66.0 GiB)  TX bytes:2581175800785 (2.3 TiB)
                
                eth1      Link encap:Ethernet  HWaddr 00:11:32:7B:29:7E  
                          UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
                          RX packets:25018342 errors:3 dropped:0 overruns:0 frame:3
                          TX packets:1443762 errors:0 dropped:0 overruns:0 carrier:0
                          collisions:0 txqueuelen:1000 
                          RX bytes:15282717582 (14.2 GiB)  TX bytes:154776134 (147.6 MiB)
                
                eth2      Link encap:Ethernet  HWaddr A0:CE:C8:CC:57:AA  
                          UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
                          RX packets:934106059 errors:0 dropped:0 overruns:0 frame:0
                          TX packets:213838422 errors:0 dropped:0 overruns:0 carrier:0
                          collisions:0 txqueuelen:1000 
                          RX bytes:1364844623928 (1.2 TiB)  TX bytes:252703732636 (235.3 GiB)
                
                lo        Link encap:Local Loopback
                          inet addr:127.0.0.1  Mask:255.0.0.0
                          UP LOOPBACK RUNNING  MTU:65536  Metric:1
                          RX packets:179040222 errors:0 dropped:0 overruns:0 frame:0
                          TX packets:179040222 errors:0 dropped:0 overruns:0 carrier:0
                          collisions:0 txqueuelen:1 
                          RX bytes:51348338307 (47.8 GiB)  TX bytes:51348338307 (47.8 GiB)
                
                ovs_eth0  Link encap:Ethernet  HWaddr 00:11:32:7B:29:7D  
                          inet addr:192.168.9.10  Bcast:192.168.9.255  Mask:255.255.255.0
                          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                          RX packets:222736950 errors:0 dropped:0 overruns:0 frame:0
                          TX packets:593494311 errors:0 dropped:0 overruns:0 carrier:0
                          collisions:0 txqueuelen:1 
                          RX bytes:52112776572 (48.5 GiB)  TX bytes:2502798699286 (2.2 TiB)
                
                ovs_eth1  Link encap:Ethernet  HWaddr 00:11:32:7B:29:7E  
                          inet addr:192.168.9.11  Bcast:192.168.9.255  Mask:255.255.255.0
                          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                          RX packets:994257 errors:0 dropped:57 overruns:0 frame:0
                          TX packets:1307475 errors:0 dropped:0 overruns:0 carrier:0
                          collisions:0 txqueuelen:1 
                          RX bytes:9333479066 (8.6 GiB)  TX bytes:145641239 (138.8 MiB)
                
                ovs_eth2  Link encap:Ethernet  HWaddr A0:CE:C8:CC:57:AA  
                          inet addr:192.168.10.10  Bcast:192.168.10.255  Mask:255.255.255.0
                          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                          RX packets:118693348 errors:0 dropped:0 overruns:0 frame:0
                          TX packets:54479729 errors:0 dropped:0 overruns:0 carrier:0
                          collisions:0 txqueuelen:1 
                          RX bytes:1332228115488 (1.2 TiB)  TX bytes:244367874136 (227.5 GiB)
                
                tap021132 Link encap:Ethernet  HWaddr 26:77:DB:5D:C3:FD  
                          UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
                          RX packets:3483 errors:0 dropped:0 overruns:0 frame:0
                          TX packets:11280 errors:0 dropped:0 overruns:0 carrier:0
                          collisions:0 txqueuelen:1000 
                          RX bytes:2638777 (2.5 MiB)  TX bytes:1720089 (1.6 MiB)
                
                tap021132 Link encap:Ethernet  HWaddr 16:59:FE:98:2C:BF  
                          UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
                          RX packets:132802 errors:0 dropped:0 overruns:0 frame:0
                          TX packets:231258 errors:0 dropped:0 overruns:0 carrier:0
                          collisions:0 txqueuelen:1000 
                          RX bytes:6496010 (6.1 MiB)  TX bytes:72501950 (69.1 MiB)
                
                tap021132 Link encap:Ethernet  HWaddr 22:1F:B0:1A:C6:48  
                          UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
                          RX packets:11917628 errors:0 dropped:0 overruns:0 frame:0
                          TX packets:19614033 errors:0 dropped:0 overruns:0 carrier:0
                          collisions:0 txqueuelen:1000 
                          RX bytes:2237893739 (2.0 GiB)  TX bytes:14333236286 (13.3 GiB)
                
                ash-4.4# 
                
