Networking Forums


neighbor table overflow problem

 
 
Jason

 
      09-08-2004, 01:00 AM
Hi,

In my linux box I have error messages "neighbor table overflow" showing on
my screen. My linux box has 3 nic, and the kernel is 2.4.18.
Thanks for any help.

Jason


 
 
 
 
 
ynotssor

 
      09-08-2004, 01:50 AM
"Jason" <(E-Mail Removed)> wrote in message
news:chll8c$kk0$(E-Mail Removed)

> In my linux box I have error messages "neighbor table overflow"
> showing on my screen.


That mean ya better get over there pronto and help 'em eat. =B^)

--
use hotmail for email replies
 
 
Walter Mautner

 
      09-08-2004, 05:04 AM
Jason wrote:

> Hi,
>
> In my linux box I have error messages "neighbor table overflow" showing on
> my screen. My linux box has 3 nic, and the kernel is 2.4.18.
> Thanks for any help.
>

http://honor.trusecure.com/pipermail...ch/016260.html

might help. Actually, it's an arp table overflow (how many nodes in your
network?). Consider a kernel upgrade for security reasons as well, and
maybe arpd.

--
Longhorn error#4711: TCPA / NGSCB VIOLATION: Microsoft optical mouse
detected penguin patterns on mousepad. Partition scan in progress
to remove offending incompatible products.  Reactivate your MS software.
Linux woodpecker.homnet.at 2.6.8reiser4pkt [LinuxCounter#295241]
 
 
P Gentry

 
      09-08-2004, 03:32 PM
"Jason" <(E-Mail Removed)> wrote in message news:<chll8c$kk0$(E-Mail Removed)>...
> Hi,
>
> In my linux box I have error messages "neighbor table overflow" showing on
> my screen. My linux box has 3 nic, and the kernel is 2.4.18.
> Thanks for any help.
>
> Jason


Other than updating your distro/kernel ...? ;-)

Not much to go on but you might try some of these:

-- double check your route table entries, especially that _all_
netmask entries are correct (double check interface configs for same)

-- run $ netstat -rnc and watch the route table entries continuously
for anything that might show up as "unusual". Also try $ route -nC to
view the route cache.

-- I assume this is a routing GW/FW and is getting quite a bit of
traffic or that you have changed a number of the
/proc/sys/net/ipv4/xxx settings (more info and particulars would be
nice)

-- double check that proxy_arp is not turned on needlessly

-- your settings, etc., are pretty "normal" and your arp table is
simply not discarding old entries fast enough to make room for new
ones (normally not a problem).

For these last two you can check here for some documentation of
available settings (and recommendations):
http://lartc.org/howto/lartc.kernel....e.html#AEN1730
http://ipsysctl-tutorial.frozentux.n...tml/index.html
http://linux-ip.net/html/ether-arp.html#ether-arp-flux
and you might check these:
http://www.rstack.net/tuning_proc_for_arp.html
http://www.rstack.net/arp.html

-- check your logs!

-- double check your iptables rules (if appropriate)

-- sniff the wire (ethereal is nice, tcpdump is functional) for arp
requests

-- google: " linux + "neighbor table overflow" "
http://www.google.com/search?num=50&...22&btnG=Search

Well, as you can see there are a number of things/places where the
clue(s) may reside and without more particulars it's hard for me to
tell you where to begin. Watch your arp table, double check that
default GW routes are appropriate, read the docs for some background,
and double check some of the more likely settings.

If you _can_ narrow down the suspected source of your problems be
prepared to post your route tables ($ route -n), interface settings ($
ifconfig -a), and a detailed description of your network layout (with
ascii drawing is nice). Some output from netstat might be useful.
Which (if any) interfaces are using dhcp?

You should not normally generate so many arp requests so fast that you
overflow the arp (neighbor) table -- students have done it in the lab
when playing around, but for your case ...

The arp table (cache) should mostly hold mappings for machines on the
local subnet (including the GW), so unless your subnet is >256
overflowing the arp cache usually is a sign of misconfigured network
settings. Have you added/changed anything recently? Switches can
sometimes inadvertently connect two segments. And two nics on the
same segment can sometimes raise havoc.

Not enough info to be more specific. Get back after trying out above.
Be sure to indicate what solutions you _have_ attempted.

hth,
prg
email above disabled
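
Added example, not part of the original thread: a small Python audit of an ARP table dump that checks the two things the post above singles out, namely how full the table is and whether it holds neighbours that do not belong to the interface's subnet. The sample table, the interface addresses, the `gc_thresh3` value of 1024 and the 80% warning level are constructed assumptions.

```python
import ipaddress

# Constructed sample in /proc/net/arp format (not taken from the thread).
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:11:22:33:44:55     *        eth0
192.168.1.20     0x1         0x2         00:11:22:33:44:66     *        eth0
10.9.8.7         0x1         0x0         00:00:00:00:00:00     *        eth0
172.16.5.5       0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.2.9      0x1         0x2         00:11:22:33:44:77     *        eth1
"""
# Assumed interface addresses, as `ifconfig -a` would report them.
SAMPLE_IFACES = {"eth0": "192.168.1.10/24", "eth1": "192.168.2.10/24"}
ATF_COM = 0x2  # flag bit set once an entry has a resolved MAC address


def parse_arp(text):
    """Parse /proc/net/arp text into a list of entry dicts."""
    entries = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) != 6:
            continue                            # ignore malformed rows
        ip, _hwtype, flags, _mac, _mask, dev = fields
        entries.append({"ip": ipaddress.ip_address(ip), "dev": dev,
                        "complete": bool(int(flags, 16) & ATF_COM)})
    return entries


def audit(entries, ifaces, gc_thresh3=1024):
    """Summarise the table per interface and flag signs of trouble."""
    report = {}
    for dev, cidr in ifaces.items():
        net = ipaddress.ip_interface(cidr).network
        mine = [e for e in entries if e["dev"] == dev]
        report[dev] = {
            "total": len(mine),
            "incomplete": sum(not e["complete"] for e in mine),
            # Neighbours outside the subnet point at a wrong netmask or route.
            "off_subnet": sorted(str(e["ip"]) for e in mine if e["ip"] not in net),
            "subnet_hosts": net.num_addresses - 2,
        }
    # gc_thresh3 is the hard cap on entries; 1024 and 80% are assumptions here.
    report["near_limit"] = len(entries) >= 0.8 * gc_thresh3
    return report


if __name__ == "__main__":
    for key, value in audit(parse_arp(SAMPLE_ARP), SAMPLE_IFACES).items():
        print(key, value)
```

On a live box, feed it the contents of `/proc/net/arp` and the value read from `/proc/sys/net/ipv4/neigh/default/gc_thresh3` instead of the samples. Many incomplete, off-subnet entries on one interface fit the misconfigured-netmask case described above.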
 
 
Jason

 
      09-10-2004, 02:06 AM
Thank P Gentry,

I use the tcpdump and found that my linux box kept looking for 192.168.x.y
on port 446, which is a Windows XP Home. To my curiosity, in my linux
box, I have dropped all port 446 packets in the iptables, how come the arc
packets come so soon?

Jason



 
 
P Gentry

 
      09-10-2004, 05:44 PM
"Jason" <(E-Mail Removed)> wrote in message news:<chr1rr$o99$(E-Mail Removed)>...
> Thank P Gentry,
>
> I use the tcpdump and found that my linux box kept looking for 192.168.x.y
> on port 446, which is a Windows XP Home. To my curiosity, in my linux
> box, I have dropped all port 446 packets in the iptables, how come the arc
> packets come so soon?
>
> Jason
>

[snip]

Are the port 446 packets coming from outside or generated from within
your lan? Port 446 is sometimes scanned by people using nmap. Can
you track down the source IP of the packets?

This is rather strange -- port 446 is a registered port of IBM's
DBM-RDA normally used with a DB2 distributed database ... ?

Google Groups did show _one_ reference to MS Money using this port,
but gave no particulars and I've never installed or used it -- barely
even looked at it on others' systems. Is 192.168.x.y a computer on
your lan?

If you have a Windows box you might want to place Zone Alarm on it to
see just what app is using port 446.

If it were me I would try to find what is using that port -- it is
privileged -- and make sure it is not something malicious.

hth,
prg
email above disabled
 