From nobody@FreeBSD.org  Thu Jun 25 09:13:31 2009
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id A4C571065672
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 25 Jun 2009 09:13:31 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 92CFF8FC0C
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 25 Jun 2009 09:13:31 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id n5P9DUhq064730
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 25 Jun 2009 09:13:30 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id n5P9DUsX064729;
	Thu, 25 Jun 2009 09:13:30 GMT
	(envelope-from nobody)
Message-Id: <200906250913.n5P9DUsX064729@www.freebsd.org>
Date: Thu, 25 Jun 2009 09:13:30 GMT
From: Arnt Gulbrandsen <arnt@gulbrandsen.priv.no>
To: freebsd-gnats-submit@FreeBSD.org
Subject: "ARP: ... moved" log line incomplete
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         136023
>Category:       kern
>Synopsis:       "ARP: ... moved" log line incomplete
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jun 25 09:20:01 UTC 2009
>Closed-Date:    Thu Jun 25 13:58:51 UTC 2009
>Last-Modified:  Thu Jun 25 13:58:51 UTC 2009
>Originator:     Arnt Gulbrandsen
>Release:        7.1
>Organization:
>Environment:
FreeBSD kalyani.oryx.com 7.1-RELEASE FreeBSD 7.1-RELEASE #0: Thu Jan  1 08:58:24 UTC 2009    root@driscoll.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
>Description:
When an ARP table entry changes, the kernel logs a line like this (IP addresses and blah kept unchanged):
arp: 195.30.37.40 moved from 00:00:24:c0:0e:29 to 00:16:6f:bb:37:8d on nfe0

The log line is based on a packet like this (as reported by tcpdump):
10:50:29.888674 00:16:6f:bb:37:8d > 00:19:66:2a:83:bc, ethertype ARP (0x0806), length 60: arp reply 195.30.37.40 is-at 00:16:6f:bb:37:8d

However, the log line does not log one important piece of information: Who sent the ARP reply (00:16:6f:bb:37:8d in this case). IMO it should be something like

arp: 195.30.37.40 moved from 00:00:24:c0:0e:29 to 00:16:6f:bb:37:8d on nfe0 based on ARP reply from 00:16:6f:bb:37:8d.

>How-To-Repeat:
Needs three hosts, all on the same ethernet. On A, set up proxy arp for B, pointing to a nonexistent ARP device. On C, ping B.

C will log "ARP: ... moved..." and may or may not be able to send ping replies to B. The log line will not indicate that A is the source of the problem.
>Fix:


>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: remko 
State-Changed-When: Thu Jun 25 13:58:50 UTC 2009 
State-Changed-Why:  
There are tools available that monitor more advanced ARP things. I 
believe that ARP currently is implemented right as it is. The 
information you are requesting is too much overhead. Thanks for making 
FreeBSD better! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=136023 
>Unformatted:
