
How do I find out what process is sending ARP requests

 
David Lockwood
Advisor

How do I find out what process is sending ARP requests

I have an HPUX 11.11 system, built from an Ignite/UX image, that is sending a broadcast asking for an IP Address that does not exist on our network. This request is being sent every 2 seconds; it starts as soon as the machine is booted and happens even when nobody has logged in. How can I find out where this is coming from?
Steven E. Protter
Exalted Contributor

Re: How do I find out what process is sending ARP requests

Shalom,

You should be able to identify the process with lsof.

http://hpux.connect.org.uk/hppd/hpux/Sysadmin/lsof-4.77/

You are sometimes better off compiling it.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
David Lockwood
Advisor

Re: How do I find out what process is sending ARP requests

Thanks for that, but it doesn't show any arp. We are seeing on the ethereal tool on a PC many "Broadcast ARP Who has nnn.nnn.nnn.nnn?" requests from the Workstation; we see 6 of these requests every 5 seconds. lsof doesn't show any arp processes. Is there anything else I can look at?
Hemmetter
Esteemed Contributor

Re: How do I find out what process is sending ARP requests

Hi David,

Since that arp-request is not answered, there will be no connection you can see with lsof.

You may try to fake an arp-entry for that address by
$ arp -s nn.nn.nn.nn ee:ee:ee:ee:ee:ee

Then you should be able to tcpdump the connection. Then you see the type of traffic and derive the source process.

rgds
HGH



rick jones
Honored Contributor

Re: How do I find out what process is sending ARP requests

The idea of the fake ARP entry is quite clever. It will at least get a source IP. It may or may not get a source port, or TCP connection since all we know is that _something_ on the server is trying to contact that IP. Could be using TCP, could be using UDP, could be trying to send an ICMP Echo Request (ping).

Perhaps there is some old cruft in the SNMP agent/server stuff and the system is trying to reconnect?

What sort of applications are loaded on the system?

You could in theory walk through all the processes taking tusc traces and looking to see which of them make socket calls associated with the mystery IP address.
there is no rest for the wicked yet the virtuous have no pillows
Tim Nelson
Honored Contributor

Re: How do I find out what process is sending ARP requests

A lamer idea would be to start in run level-1 user and manually execute each startup script until you see the arps on the network.

rick jones
Honored Contributor

Re: How do I find out what process is sending ARP requests

Actually Tim, that idea is far from lame. It is probably one of the better, more direct debugging ideas for the problem.
there is no rest for the wicked yet the virtuous have no pillows
David Lockwood
Advisor

Re: How do I find out what process is sending ARP requests

Thanks for the ideas. I have added the mystery IP address to our network and the ARPs have stopped! Not really a surprise, I suppose. I will remove it again and try the manual startup from init level 1.

Thanks again.
rick jones
Honored Contributor

Re: How do I find out what process is sending ARP requests

Once the ARPs stopped, did you start to see IP datagrams being sent by that system to that IP? What did they look like?

(starting the tcpdump trace before setting the ARP entry would be best)
there is no rest for the wicked yet the virtuous have no pillows
David Lockwood
Advisor

Re: How do I find out what process is sending ARP requests

Update. I have started the system at init level 1 and run through the startup process manually. We found that it is the NFS Client starting that causes the ARP requests to the nonexistent IP Address; all I need to find out now is why? The IP Address was the one used to create the Golden Image used for ignite/ux builds. We use NFS v3 and the new automount process; I can find no reference to this address or machine name in any of our NFS configuration files. Any ideas?

Thanks
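
The tcpdump step suggested in the thread (capture what the host sends once the address resolves, then read the protocol and port to narrow down the sender), as an added example that is not part of any poster's message. The function name, the port hints and the sample lines are assumptions made for illustration; 192.0.2.99 stands in for the mystery address, and the parser assumes `tcpdump -n` text output in either the older or the newer line format.

```sh
#!/bin/sh
# Added example. Summarise what is being sent to one destination IP,
# reading `tcpdump -n` text lines on stdin. Live use (run as root):
#   tcpdump -n host 192.0.2.99 | summarise_dst 192.0.2.99

summarise_dst() {
    awk -v target="$1" '
    function hint(port) {
        if (port == "111")  return "rpcbind/portmap (RPC lookup, e.g. NFS or NIS client)"
        if (port == "2049") return "nfs"
        if (port == "161" || port == "162") return "snmp"
        if (port == "53")   return "dns"
        if (port == "-")    return "no port (ICMP or other IP protocol)"
        return "unknown: check /etc/services"
    }
    {
        # Locate "src > dst:"; works with or without the leading "IP" token.
        for (i = 2; i < NF; i++) if ($i == ">") break
        if (i >= NF) next
        dst = $(i + 1); sub(/:$/, "", dst)
        n = split(dst, p, ".")
        if ((p[1] "." p[2] "." p[3] "." p[4]) != target) next
        port = (n == 5) ? p[5] : "-"
        proto = "tcp"                       # default when no other marker
        if ($0 ~ /ICMP|icmp/) proto = "icmp"
        else if ($0 ~ /UDP|udp/) proto = "udp"
        count[proto " " port]++
    }
    END {
        # One line per (protocol, port): proto port packets hint
        for (k in count) {
            split(k, f, " ")
            printf "%s %s %d %s\n", f[1], f[2], count[k], hint(f[2])
        }
    }' | sort
}

# Constructed sample capture (documentation addresses, not real traffic).
sample_capture() {
    cat <<'EOF'
09:00:01.000001 IP 192.0.2.10.1023 > 192.0.2.99.111: UDP, length 56
09:00:03.000001 IP 192.0.2.10.1023 > 192.0.2.99.111: UDP, length 56
09:00:05.000001 IP 192.0.2.10.1022 > 192.0.2.99.2049: UDP, length 112
09:00:05.500001 IP 192.0.2.10.40000 > 192.0.2.20.22: Flags [P.], seq 1:37, ack 1, win 501, length 36
09:00:06.000001 IP 192.0.2.10 > 192.0.2.99: ICMP echo request, id 7, seq 1, length 64
09:00:07.000001 192.0.2.10.1023 > 192.0.2.99.111: udp 56
EOF
}

sample_capture | summarise_dst 192.0.2.99
```

A summary dominated by ports 111 and 2049 points at an RPC/NFS client, which can then be confirmed against the startup script that triggers the traffic.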