ARP requests on my net?

[Guy Fraser]

On Tue, 2006-04-04 at 19:13 -0500, Mike McCarty wrote:
> I've been watching my LAN using tcpdump, and noticed
> that ARP is running repeatedly on my FC2 machine, and
> wonder why.
> 
> ...
> 18:33:05.599443 arp who-has router tell 172.17.205.79
> 18:33:05.599732 arp reply router is-at 00:11:95:0b:cc:28
> ...
> 18:42:18.288434 arp who-has router tell 172.17.205.79
> 18:42:18.288741 arp reply router is-at 00:11:95:0b:cc:28
> ...
> 18:44:07.780777 arp who-has router tell 172.17.205.79
> 18:44:07.781074 arp reply router is-at 00:11:95:0b:cc:28
> ...
> 18:47:29.454130 arp who-has router tell 172.17.205.79
> 18:47:29.454434 arp reply router is-at 00:11:95:0b:cc:28
> ...
> 18:58:19.513302 arp who-has router tell 172.17.205.79
> 18:58:19.513610 arp reply router is-at 00:11:95:0b:cc:28
> ...
> 19:04:58.257698 arp who-has router tell 172.17.205.79
> 19:04:58.257988 arp reply router is-at 00:11:95:0b:cc:28
> 
> 172.17.205.79 is my FC2 machine. I have an entry in
> /etc/hosts for router, along with an entry for dslmodem.
> But dslmodem doesn't get queried. In any case, I don't
> know why it is querying my router to find its MAC
> address? Why should it care?
> 
You almost had me for a moment.

I always use the "-n" flag so I could not figure out what 
"router", was supposed to be. ARP does not use hostnames 
but tcpdump will resolve the host name for you.

I am going to guess that "host router" will give you the IP 
address that 172.17.205.79 is looking for.

To get a clearer idea of what is going on use :
/usr/sbin/tcpdump -nvv host 172.17.205.79

This will give some verbose information about what 
172.17.205.79 is doing, and it will NOT resolve host names 
which can make things clearer.