On Mon, 29 Dec 2014 03:44:48 +0000, "Stephen R. Carter" said:
Here is a small excerpt I am seeing.
06:04:04.760869 In 00:21:a0:fb:53:d9 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 97.85.59.219 tell 97.85.58.1 06:04:04.761950 In 00:21:a0:fb:53:d9 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 75.135.155.27 tell 75.135.152.1
The interesting thing is that they're all .1 addresses. It's almost as if the one broadcast domain has at least 7 different address spaces on it. I've long seen similar in Comcast country. My CPE router has an upstream interface: ge00 Link encap:Ethernet HWaddr 10:0D:7F:64:CA:0C inet addr:73.171.123.11 Bcast:73.171.123.255 Mask:255.255.254.0 but yet I see a continual background flux of 6-8 arp requests a second, mostly from what appear to be routers for other subnets: # cpdump -i ge00 -n arp -c 2000 | awk '{print $7}' | sort | uniq -c tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on ge00, link-type EN10MB (Ethernet), capture size 65535 bytes 2000 packets captured 2012 packets received by filter 0 packets dropped by kernel 38 100.93.216.1, 16 184.121.18.1, 18 184.126.32.1, 36 24.127.42.1, 34 24.127.50.1, 20 24.131.5.1, 18 50.134.17.1, 17 50.134.55.1, 37 50.134.64.1, 91 50.218.88.1, 142 50.220.88.1, 298 71.197.0.1, 183 71.62.120.1, 81 71.63.61.1, 167 73.171.122.1, (my putative upstream router) 1 73.171.123.11, (my box timed out its arp entry for upstream) 131 73.171.77.1, 511 73.31.150.1, 157 73.31.41.1, 3 96.120.18.205, I've annotated the 2 lines I *expected* to see... The other odd part is that of 20 sources, only 7 appear to have PTR entries.... When I first noticed this and mentioned it to somebody, they responded "Forget it, Jake. It's Chinatown".