Thanks for the following people who replied, Eliezer Ramm Darren Dunham Gerald Combs Thomas M. Payerle Original Post of Question =========================== > I use snoop to monitor my network and find there are many request "ARP C Who > is 192.168.1.102", but actualy 192.168.1.102 is old machine and I removed it > one year ago. I tried to find any configuration which still has > 192.168.1.102 but found nothing. So is there any way to find which process > generate these requests, and then I can easily find why it continues to > generate the requests. Summary ======= ARP is not generated by application, but system. So probably no way to find which process is related to an ARP request. Some people think it is caused by ARP cache and suggust to check(and change) kernel setting. # ndd -set /dev/arp arp_cleanup_interval <time> # ndd -set /dev/ip ip_ire_cleanup_interval <time> or check /var/statmon/sm for an entry for the stray IP. But this problem seems not be caused by cache (cache won't last as long as 1 year, I didn't see any exception there. So some other people suggest a trick to analyze this issue, > Grab a machine (*not* this one) and bring up that address as a > virtual address (or the only one if it's a throwaway). > Then you can actually have the ARP answered, and you can snoop for > the next packet which should have a TCP/UDP port and give you more > information about it... This is really good trick. But after I did that and use snoop for that IP address, i got nothing. Probably because the sender computers don't send request to that IP address any more after it know who it is and has no required service. To some extent, my problem is solved, because the computers won't send so many ARP requests now. _______________________________________________ sunmanagers mailing list sunmanagers@sunmanagers.org http://www.sunmanagers.org/mailman/listinfo/sunmanagersReceived on Thu Sep 25 17:21:59 2003
This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:20 EST