Try nast, there is a module for testing MAC-Spoofing.
Sounds like someone on the internal net spoofs Ethernetaddresses.
MAC-Spoofing has the following disadvantage:
If your network has been spoofed everyone on every segment can sniff the net
(across all segments) a nice trick to gather information. If it kills
functionality of your network you have to restart everything (switches,
machines), because the switches and NICs store Ethernetaddresses in their
cache :-(
NAST you get here:
http://nast.berlios.de/
You need the following:
libnet
libpcap
pthread support
libncurses
Use the source and compile it on you machine.
The output shows you it something is missing and where to get it.
Use <Shift> + <Key> for navigating through the menu if you start with:
"nast -G".
Philippe
----- Original Message -----
From: "Bob Vickers"
Peter,
I have encountered this problem when (for example) scanning the local network; possibly it could also indicate an intruder doing some port scanning. I did some googling which showed that the neighbour table is used by the kernel to contain ARP addresses, though I didn't manage to find out exactly what the consequences are when it fills up. Anyway you can increase its size which makes it less likely to fill up. I put the following lines in /etc/init.d/boot.local
# Double the size of the ARP cache area to avoid "Neighbour table overflow" # messages (defaults are 128, 512, 1024). echo 256 > /proc/sys/net/ipv4/neigh/default/gc_thresh1 echo 1024 > /proc/sys/net/ipv4/neigh/default/gc_thresh2 echo 2048 > /proc/sys/net/ipv4/neigh/default/gc_thresh3
Bob
On Tue, 23 Mar 2004, Peter Nixon wrote:
Does anyone have any idea as to the following?
Mar 23 02:02:58 firewall kernel: Neighbour table overflow. Mar 23 02:02:58 firewall kernel: MASQUERADE: No route: Rusty's brain broke! Mar 23 02:03:03 firewall kernel: NET: 6 messages suppressed.
============================================================== Bob Vickers R.Vickers@cs.rhul.ac.uk Dept of Computer Science, Royal Holloway, University of London WWW: http://www.cs.rhul.ac.uk/home/bobv Phone: +44 1784 443691
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here