why do spoofed packets cause arp entries

Discussion in 'Linux Networking' started by rich_lemmerman, Aug 20, 2006.

  1. I have a process that sends spoofed packets (spoofed src address that
    is) on an interface connected to a switch. Associated with the
    interface is a specific route with the gateway being the IP address of
    the switch interface. The problem is that there is a huge number of
    incomplete arp entries, one for each spoofed src address, whose NUD
    state is incomplete or failed This results in spoofed packets to not
    be transmitted.

    However, if I create a default route and use the same interface, there
    are no such incomplete/failed entries in the arp table and packets seem
    to move on the very same interface.

    Can someone shed some light into why this is? Ideally, I would like to
    have packets to be transmitted this without needing a default route.

    Thanks - Rich L
    rich_lemmerman, Aug 20, 2006
    1. Advertisements

  2. There are so many variables here I don't think you'll get useful
    comments. Give us some examples. What do the ARP entries look like? Are
    the spoofed source addresses inside the network block assigned to the
    interface that connects to the switch? Are there replies involved from
    the switch -- and what does your machine do when it sees a reply that
    for an IP address no assigned to it? Show us to packet capures.

    David Schwartz, Aug 21, 2006
    1. Advertisements

  3. "IP address of *the* switch interface" ?
    What type of switch ?

    Other than that, yes - packet dump.

    Jeroen Geilman, Aug 21, 2006
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.