≡ Menu

arp table

Linux: Neighbour Table Overflow Error and Solution

I setup a CentOS Linux based Linux server running as a gateway and firewall server. However, I'm getting the following messages in the /var/log/messages log file:

Dec 20 00:41:01 fw01 kernel: Neighbour table overflow.
Dec 20 00:41:01 fw01 last message repeated 20 times

OR


Dec 20 00:41:01 fw03 kernel: [ 8987.821184] Neighbour table overflow.
Dec 20 00:41:01 fw03 kernel: [ 8987.860465] printk: 100 messages suppressed.

Why does kernel throw "Neighbour table overflow" messages in syslog? How do I fix this problem under Debian / CentOS / RHEL / Fedora / Ubuntu Linux?
[click to continue…]

How to: Detect ARP Spoofing under UNIX or Linux

Q. I would like to know - how do I detect ARP spoofing? I am using Debian Linux.

A. Use arpwatch command to keeps track for ethernet/ip address pairings. It logs message or activity to syslogs and reports certain changes via email.

Arpwatch uses pcap to listen for arp packets on a local ethernet interface.

Install arpwatch

Use apt-get command under Debian / Ubuntu Linux:
# apt-get install arpwatch
OR
$ sudo apt-get install arpwatch

arpwatch command examples

You can watch particular interface with command:
# arpwatch -i eth0

You will notice syslog entries as follows /var/log/syslog file (or /var/log/message file) when changes are made i.e MAC/IP address pair is changed:
# tail -f /var/log/syslogOutput:

Nov 10 15:59:34 debian arpwatch: new station 192.168.1.2 0:17:9a:a:f6:44 eth0

Above entry displays new workstation. If changes are made you should see something as follows:

Nov 10 15:59:34 debian arpwatch: changed station 192.168.1.2 0:17:9a:b:f6:f6
(0:17:9a:a:f6:44)

You can also use arp -a command to display current ARP table:
$ arp -a