Why do I have these arp cache entries, for addresses way outside my network?Why do I have so many IPV6 addresses for a single ethernet cardHow to create permanent ip alias belonging to different subnets in CentosWhy is my IP resolved to 127.0.0.1 instead of the IP I have in the network?no arp entries for vnetWhy does arp -a only show some machines on my network?linux/unix command for checking the outside/inside network connectionsLinux: outbound IP to my subnet do not appear in tcpdump and do not appear to be sentDebian8 server : Can't resolve IP adresses or DNSHow to talk with IP camera through ethernet directly (no switch, hub, routers…). Different subnets in camera and ethernet's portNMAP network scan shows IP-addresses and MAC addresses of items that are then missing from a subsequent arp-cache dump?
XeLaTeX and pdfLaTeX ignore hyphenation
What is the logic behind how bash tests for true/false?
What is the meaning of "of trouble" in the following sentence?
How is it possible for user's password to be changed after storage was encrypted? (on OS X, Android)
least quadratic residue under GRH: an EXPLICIT bound
I see my dog run
Where to refill my bottle in India?
Why is an old chain unsafe?
Why is the design of haulage companies so “special”?
Non-Jewish family in an Orthodox Jewish Wedding
How to determine if window is maximised or minimised from bash script
Email Account under attack (really) - anything I can do?
Why does not dark matter gather and form celestial bodies?
Can an x86 CPU running in real mode be considered to be basically an 8086 CPU?
Is it possible to make sharp wind that can cut stuff from afar?
Are white and non-white police officers equally likely to kill black suspects?
How can the DM most effectively choose 1 out of an odd number of players to be targeted by an attack or effect?
N.B. ligature in Latex
cryptic clue: mammal sounds like relative consumer (8)
Is there a familial term for apples and pears?
What does "enim et" mean?
Patience, young "Padovan"
A function which translates a sentence to title-case
Can a German sentence have two subjects?
Why do I have these arp cache entries, for addresses way outside my network?
Why do I have so many IPV6 addresses for a single ethernet cardHow to create permanent ip alias belonging to different subnets in CentosWhy is my IP resolved to 127.0.0.1 instead of the IP I have in the network?no arp entries for vnetWhy does arp -a only show some machines on my network?linux/unix command for checking the outside/inside network connectionsLinux: outbound IP to my subnet do not appear in tcpdump and do not appear to be sentDebian8 server : Can't resolve IP adresses or DNSHow to talk with IP camera through ethernet directly (no switch, hub, routers…). Different subnets in camera and ethernet's portNMAP network scan shows IP-addresses and MAC addresses of items that are then missing from a subsequent arp-cache dump?
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;
$ ip -4 neigh show dev eno1
209.132.181.16 FAILED
152.19.134.142 FAILED
85.236.55.6 FAILED
152.19.134.198 FAILED
8.43.85.67 FAILED
140.211.169.206 FAILED
How could these weird ip neighbour (ARP) entries be appearing on my Ethernet interface?
eno1
is an Ethernet interface. It is not currently connected. Based on journalctl -b | grep eno1
, I do not think I have connected it at all during this boot! I do not use a static IP. I have not changed my IP settings manually during this boot. The network settings are all managed by NetworkManager. I have connected only to my home networks, which use addresses in the private range 172.16.0.0 - 172.31.255.255 only.
For example on my current wireless connection, I see that my address is 172.16.8.139/24. That says the network prefix is 24 bits, and so ARP resolution should be limited to the range 172.16.8.0 - 172.16.8.255.
$ ip -4 addr show dev wlp2s0
4: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
inet 172.16.8.139/24 brd 172.16.8.255 scope global dynamic noprefixroute wlp2s0
valid_lft 39441sec preferred_lft 39441sec
$ ip -4 neigh show dev wlp2s0
172.16.8.1 lladdr 74:44:01:86:42:d6 REACHABLE
$ lsb_release -d
Description: Fedora release 29 (Twenty Nine)
$ rpm -q NetworkManager dhcp-client
NetworkManager-1.12.6-5.fc29.x86_64
dhcp-client-4.3.6-28.fc29.x86_64
My router is OpenWRT 18.06.1, so the DHCP server is dnsmasq
.
networking fedora arp
add a comment |
$ ip -4 neigh show dev eno1
209.132.181.16 FAILED
152.19.134.142 FAILED
85.236.55.6 FAILED
152.19.134.198 FAILED
8.43.85.67 FAILED
140.211.169.206 FAILED
How could these weird ip neighbour (ARP) entries be appearing on my Ethernet interface?
eno1
is an Ethernet interface. It is not currently connected. Based on journalctl -b | grep eno1
, I do not think I have connected it at all during this boot! I do not use a static IP. I have not changed my IP settings manually during this boot. The network settings are all managed by NetworkManager. I have connected only to my home networks, which use addresses in the private range 172.16.0.0 - 172.31.255.255 only.
For example on my current wireless connection, I see that my address is 172.16.8.139/24. That says the network prefix is 24 bits, and so ARP resolution should be limited to the range 172.16.8.0 - 172.16.8.255.
$ ip -4 addr show dev wlp2s0
4: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
inet 172.16.8.139/24 brd 172.16.8.255 scope global dynamic noprefixroute wlp2s0
valid_lft 39441sec preferred_lft 39441sec
$ ip -4 neigh show dev wlp2s0
172.16.8.1 lladdr 74:44:01:86:42:d6 REACHABLE
$ lsb_release -d
Description: Fedora release 29 (Twenty Nine)
$ rpm -q NetworkManager dhcp-client
NetworkManager-1.12.6-5.fc29.x86_64
dhcp-client-4.3.6-28.fc29.x86_64
My router is OpenWRT 18.06.1, so the DHCP server is dnsmasq
.
networking fedora arp
add a comment |
$ ip -4 neigh show dev eno1
209.132.181.16 FAILED
152.19.134.142 FAILED
85.236.55.6 FAILED
152.19.134.198 FAILED
8.43.85.67 FAILED
140.211.169.206 FAILED
How could these weird ip neighbour (ARP) entries be appearing on my Ethernet interface?
eno1
is an Ethernet interface. It is not currently connected. Based on journalctl -b | grep eno1
, I do not think I have connected it at all during this boot! I do not use a static IP. I have not changed my IP settings manually during this boot. The network settings are all managed by NetworkManager. I have connected only to my home networks, which use addresses in the private range 172.16.0.0 - 172.31.255.255 only.
For example on my current wireless connection, I see that my address is 172.16.8.139/24. That says the network prefix is 24 bits, and so ARP resolution should be limited to the range 172.16.8.0 - 172.16.8.255.
$ ip -4 addr show dev wlp2s0
4: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
inet 172.16.8.139/24 brd 172.16.8.255 scope global dynamic noprefixroute wlp2s0
valid_lft 39441sec preferred_lft 39441sec
$ ip -4 neigh show dev wlp2s0
172.16.8.1 lladdr 74:44:01:86:42:d6 REACHABLE
$ lsb_release -d
Description: Fedora release 29 (Twenty Nine)
$ rpm -q NetworkManager dhcp-client
NetworkManager-1.12.6-5.fc29.x86_64
dhcp-client-4.3.6-28.fc29.x86_64
My router is OpenWRT 18.06.1, so the DHCP server is dnsmasq
.
networking fedora arp
$ ip -4 neigh show dev eno1
209.132.181.16 FAILED
152.19.134.142 FAILED
85.236.55.6 FAILED
152.19.134.198 FAILED
8.43.85.67 FAILED
140.211.169.206 FAILED
How could these weird ip neighbour (ARP) entries be appearing on my Ethernet interface?
eno1
is an Ethernet interface. It is not currently connected. Based on journalctl -b | grep eno1
, I do not think I have connected it at all during this boot! I do not use a static IP. I have not changed my IP settings manually during this boot. The network settings are all managed by NetworkManager. I have connected only to my home networks, which use addresses in the private range 172.16.0.0 - 172.31.255.255 only.
For example on my current wireless connection, I see that my address is 172.16.8.139/24. That says the network prefix is 24 bits, and so ARP resolution should be limited to the range 172.16.8.0 - 172.16.8.255.
$ ip -4 addr show dev wlp2s0
4: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
inet 172.16.8.139/24 brd 172.16.8.255 scope global dynamic noprefixroute wlp2s0
valid_lft 39441sec preferred_lft 39441sec
$ ip -4 neigh show dev wlp2s0
172.16.8.1 lladdr 74:44:01:86:42:d6 REACHABLE
$ lsb_release -d
Description: Fedora release 29 (Twenty Nine)
$ rpm -q NetworkManager dhcp-client
NetworkManager-1.12.6-5.fc29.x86_64
dhcp-client-4.3.6-28.fc29.x86_64
My router is OpenWRT 18.06.1, so the DHCP server is dnsmasq
.
networking fedora arp
networking fedora arp
edited Feb 6 at 17:32
sourcejedi
asked Feb 6 at 17:15
sourcejedisourcejedi
25.7k445113
25.7k445113
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
What are the "neighbours" called? - my first idea.
$ ip -r -4 neigh show dev eno1
proxy01.fedoraproject.org FAILED
vm3.fedora.ibiblio.org FAILED
6-55-236-85.rev.customer-net.de FAILED
vm18.fedora.ibiblio.org FAILED
proxy13-rdu02.fedoraproject.org FAILED
proxy14.fedoraproject.org FAILED
proxy09.fedoraproject.org FAILED
It is trying to connect to a Fedora-specific service. I.e. the system uses some network service. Fedora is providing it. (And/or ibiblio.org are donating service to Fedora, using a specific host name, etc.) These hosts are most likely primarily providing some Web service (HTTP / HTTPS). "proxy" in a hostname tends to mean some form of Web proxy, and these can be used as a front end for various reasons e.g. caching or load balancing.
Why would I see such out-of-range ARP entries? - the biggest question.
I found the answer on StackOverflow: Why ARP requests a non-local address?
When one interface has no addresses/routes at all, but you explicitly tell Linux to transmit using it, Linux will assume your target address is on-link.[*] There is a comment about this feature in the kernel source code. Here is a clear example:
$ sudo traceroute --udp -i eno1 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
^C
$ ip neigh show dev eno1 | grep 8.8.8.8
8.8.8.8 INCOMPLETE
I expect I am seeing these attempted connections due to NetworkManager. I don't have any other software which is likely to try to contact a Web service using a specific interface. (Note that this operation requires privilege. In the example above, I had to use sudo
to run traceroute through a specific interface).
NetworkManager uses a web service to check internet connectivity, and to detect captive portals. This is mentioned in the CONNECTIVITY section of man NetworkManager.conf
.
It looks like NetworkManager has been checking this interface, despite knowing there is no connection on it :-).
[*] This means the sender IP address in the ARP packet, is taken from a different interface :-). Or if I shut down my other interfaces (WiFi and virbr0
), the ARP request uses 0.0.0.0 as the source address :-). I tested this using tcpdump
, and a second computer connected directly with an ethernet cable.
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f499111%2fwhy-do-i-have-these-arp-cache-entries-for-addresses-way-outside-my-network%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
What are the "neighbours" called? - my first idea.
$ ip -r -4 neigh show dev eno1
proxy01.fedoraproject.org FAILED
vm3.fedora.ibiblio.org FAILED
6-55-236-85.rev.customer-net.de FAILED
vm18.fedora.ibiblio.org FAILED
proxy13-rdu02.fedoraproject.org FAILED
proxy14.fedoraproject.org FAILED
proxy09.fedoraproject.org FAILED
It is trying to connect to a Fedora-specific service. I.e. the system uses some network service. Fedora is providing it. (And/or ibiblio.org are donating service to Fedora, using a specific host name, etc.) These hosts are most likely primarily providing some Web service (HTTP / HTTPS). "proxy" in a hostname tends to mean some form of Web proxy, and these can be used as a front end for various reasons e.g. caching or load balancing.
Why would I see such out-of-range ARP entries? - the biggest question.
I found the answer on StackOverflow: Why ARP requests a non-local address?
When one interface has no addresses/routes at all, but you explicitly tell Linux to transmit using it, Linux will assume your target address is on-link.[*] There is a comment about this feature in the kernel source code. Here is a clear example:
$ sudo traceroute --udp -i eno1 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
^C
$ ip neigh show dev eno1 | grep 8.8.8.8
8.8.8.8 INCOMPLETE
I expect I am seeing these attempted connections due to NetworkManager. I don't have any other software which is likely to try to contact a Web service using a specific interface. (Note that this operation requires privilege. In the example above, I had to use sudo
to run traceroute through a specific interface).
NetworkManager uses a web service to check internet connectivity, and to detect captive portals. This is mentioned in the CONNECTIVITY section of man NetworkManager.conf
.
It looks like NetworkManager has been checking this interface, despite knowing there is no connection on it :-).
[*] This means the sender IP address in the ARP packet, is taken from a different interface :-). Or if I shut down my other interfaces (WiFi and virbr0
), the ARP request uses 0.0.0.0 as the source address :-). I tested this using tcpdump
, and a second computer connected directly with an ethernet cable.
add a comment |
What are the "neighbours" called? - my first idea.
$ ip -r -4 neigh show dev eno1
proxy01.fedoraproject.org FAILED
vm3.fedora.ibiblio.org FAILED
6-55-236-85.rev.customer-net.de FAILED
vm18.fedora.ibiblio.org FAILED
proxy13-rdu02.fedoraproject.org FAILED
proxy14.fedoraproject.org FAILED
proxy09.fedoraproject.org FAILED
It is trying to connect to a Fedora-specific service. I.e. the system uses some network service. Fedora is providing it. (And/or ibiblio.org are donating service to Fedora, using a specific host name, etc.) These hosts are most likely primarily providing some Web service (HTTP / HTTPS). "proxy" in a hostname tends to mean some form of Web proxy, and these can be used as a front end for various reasons e.g. caching or load balancing.
Why would I see such out-of-range ARP entries? - the biggest question.
I found the answer on StackOverflow: Why ARP requests a non-local address?
When one interface has no addresses/routes at all, but you explicitly tell Linux to transmit using it, Linux will assume your target address is on-link.[*] There is a comment about this feature in the kernel source code. Here is a clear example:
$ sudo traceroute --udp -i eno1 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
^C
$ ip neigh show dev eno1 | grep 8.8.8.8
8.8.8.8 INCOMPLETE
I expect I am seeing these attempted connections due to NetworkManager. I don't have any other software which is likely to try to contact a Web service using a specific interface. (Note that this operation requires privilege. In the example above, I had to use sudo
to run traceroute through a specific interface).
NetworkManager uses a web service to check internet connectivity, and to detect captive portals. This is mentioned in the CONNECTIVITY section of man NetworkManager.conf
.
It looks like NetworkManager has been checking this interface, despite knowing there is no connection on it :-).
[*] This means the sender IP address in the ARP packet, is taken from a different interface :-). Or if I shut down my other interfaces (WiFi and virbr0
), the ARP request uses 0.0.0.0 as the source address :-). I tested this using tcpdump
, and a second computer connected directly with an ethernet cable.
add a comment |
What are the "neighbours" called? - my first idea.
$ ip -r -4 neigh show dev eno1
proxy01.fedoraproject.org FAILED
vm3.fedora.ibiblio.org FAILED
6-55-236-85.rev.customer-net.de FAILED
vm18.fedora.ibiblio.org FAILED
proxy13-rdu02.fedoraproject.org FAILED
proxy14.fedoraproject.org FAILED
proxy09.fedoraproject.org FAILED
It is trying to connect to a Fedora-specific service. I.e. the system uses some network service. Fedora is providing it. (And/or ibiblio.org are donating service to Fedora, using a specific host name, etc.) These hosts are most likely primarily providing some Web service (HTTP / HTTPS). "proxy" in a hostname tends to mean some form of Web proxy, and these can be used as a front end for various reasons e.g. caching or load balancing.
Why would I see such out-of-range ARP entries? - the biggest question.
I found the answer on StackOverflow: Why ARP requests a non-local address?
When one interface has no addresses/routes at all, but you explicitly tell Linux to transmit using it, Linux will assume your target address is on-link.[*] There is a comment about this feature in the kernel source code. Here is a clear example:
$ sudo traceroute --udp -i eno1 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
^C
$ ip neigh show dev eno1 | grep 8.8.8.8
8.8.8.8 INCOMPLETE
I expect I am seeing these attempted connections due to NetworkManager. I don't have any other software which is likely to try to contact a Web service using a specific interface. (Note that this operation requires privilege. In the example above, I had to use sudo
to run traceroute through a specific interface).
NetworkManager uses a web service to check internet connectivity, and to detect captive portals. This is mentioned in the CONNECTIVITY section of man NetworkManager.conf
.
It looks like NetworkManager has been checking this interface, despite knowing there is no connection on it :-).
[*] This means the sender IP address in the ARP packet, is taken from a different interface :-). Or if I shut down my other interfaces (WiFi and virbr0
), the ARP request uses 0.0.0.0 as the source address :-). I tested this using tcpdump
, and a second computer connected directly with an ethernet cable.
What are the "neighbours" called? - my first idea.
$ ip -r -4 neigh show dev eno1
proxy01.fedoraproject.org FAILED
vm3.fedora.ibiblio.org FAILED
6-55-236-85.rev.customer-net.de FAILED
vm18.fedora.ibiblio.org FAILED
proxy13-rdu02.fedoraproject.org FAILED
proxy14.fedoraproject.org FAILED
proxy09.fedoraproject.org FAILED
It is trying to connect to a Fedora-specific service. I.e. the system uses some network service. Fedora is providing it. (And/or ibiblio.org are donating service to Fedora, using a specific host name, etc.) These hosts are most likely primarily providing some Web service (HTTP / HTTPS). "proxy" in a hostname tends to mean some form of Web proxy, and these can be used as a front end for various reasons e.g. caching or load balancing.
Why would I see such out-of-range ARP entries? - the biggest question.
I found the answer on StackOverflow: Why ARP requests a non-local address?
When one interface has no addresses/routes at all, but you explicitly tell Linux to transmit using it, Linux will assume your target address is on-link.[*] There is a comment about this feature in the kernel source code. Here is a clear example:
$ sudo traceroute --udp -i eno1 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
^C
$ ip neigh show dev eno1 | grep 8.8.8.8
8.8.8.8 INCOMPLETE
I expect I am seeing these attempted connections due to NetworkManager. I don't have any other software which is likely to try to contact a Web service using a specific interface. (Note that this operation requires privilege. In the example above, I had to use sudo
to run traceroute through a specific interface).
NetworkManager uses a web service to check internet connectivity, and to detect captive portals. This is mentioned in the CONNECTIVITY section of man NetworkManager.conf
.
It looks like NetworkManager has been checking this interface, despite knowing there is no connection on it :-).
[*] This means the sender IP address in the ARP packet, is taken from a different interface :-). Or if I shut down my other interfaces (WiFi and virbr0
), the ARP request uses 0.0.0.0 as the source address :-). I tested this using tcpdump
, and a second computer connected directly with an ethernet cable.
edited Mar 27 at 18:11
answered Feb 6 at 17:15
sourcejedisourcejedi
25.7k445113
25.7k445113
add a comment |
add a comment |
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f499111%2fwhy-do-i-have-these-arp-cache-entries-for-addresses-way-outside-my-network%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
-arp, fedora, networking