Repeated message in the log

Status
Not open for further replies.

simonmason

Dabbler
Joined
Oct 24, 2012
Messages
26
I keep getting this message: arp: 43:05:43:05:00:00 is multicast - just noticed it in my daily security email. I searched for documentation on this specifically but unfortunately the terms are very common and come up in a lot of things. What is going on here? Thanks.
 

Yatti420

Wizard
Joined
Aug 12, 2012
Messages
1,437
It looks like that mac address is multicast or something? I don't think it's a big deal.. Is it appearing all the time in security log emails?
 

c32767a

Patron
Joined
Dec 13, 2012
Messages
371
If you log into the CLI and do an arp -a, does that address show up in the list?

Are you running any "interface redundancy" or "server load balancing" on the network FreeNAS is connected to?
If you are, it's possible whatever implementation you have is using a multicast address to "float" an IP address between multiple devices' ethernet cards. Microsoft NLB has a mode that can do that and there's at least one routing platform that can do device redundancy that way.

Whatever the case, the kernel is complaining because sending IP packets to a multicast MAC address means that any other client on the local ethernet network can watch the traffic if it joins the multicast group. Depending on your risk profile and tolerance, that might be a security issue. :)
 

simonmason

Dabbler
Joined
Oct 24, 2012
Messages
26
Thanks, the address does not show up when I issue an arp -a. I also ran another IP scan and don't see this MAC address. It showed up again in the email this morning. This is a home network - very little going on - certainly no load balancing or anything like that! I use an Edgemax Edgerouter Lite but I am not doing anything special with that. It is curious.
 

c32767a

Patron
Joined
Dec 13, 2012
Messages
371
Does the message have a timestamp? Does it happen about the same time every day? If you're confident you know all the devices on your network and you're not seeing any problems, you can probably ignore it. Otherwise, my next step to try to find it would be to use tcpdump like this:

tcpdump -i XXX ether host 43:05:43:05:00:00

replace XXX with your ethernet card's label (e.g. eth1) and let it run. Eventually you should see some traffic reported the next time the device talks to the NAS.
That would hopefully give you the IP it's using, which would help you narrow down the problem device.
 

simonmason

Dabbler
Joined
Oct 24, 2012
Messages
26
I am running the monitor command and it is showing nothing - yet the message is showing in the log within the FreeNAS GUI. Weird?
May 8 08:00:09 freenas kernel: arp: 43:05:43:05:00:00 is multicast
May 8 08:00:49 freenas last message repeated 16 times
May 8 08:02:50 freenas last message repeated 48 times
May 8 08:05:20 freenas last message repeated 63 times
 

c32767a

Patron
Joined
Dec 13, 2012
Messages
371
Do you have more than 1 active network interface?

Let's try looking a different way, try this tcpdump:

tcpdump -e -n -v | grep 43:05:43:05:00:00
 

simonmason

Dabbler
Joined
Oct 24, 2012
Messages
26
Bingo - came up immediately and repeatedly. Not sure what to do with this information as I was expecting an IP address to lookup?

21:25:26.147275 ac:86:74:14:1e:1f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Reply 0.0.0.0 is-at 43:05:43:05:00:00, length 46
 

c32767a

Patron
Joined
Dec 13, 2012
Messages
371
Bingo - came up immediately and repeatedly. Not sure what to do with this information as I was expecting an IP address to lookup?

21:25:26.147275 ac:86:74:14:1e:1f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Reply 0.0.0.0 is-at 43:05:43:05:00:00, length 46

can you post some of the output with the mac addresses anonymized? or PM it to me?
 

simonmason

Dabbler
Joined
Oct 24, 2012
Messages
26
Sorry, I thought I did paste it:

23:27:30.792295 ac:86:74:14:1e:1f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Reply 0.0.0.0 is-at 43:05:43:05:00:00, length 46
23:27:40.814776 ac:86:74:14:1e:1f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Reply 0.0.0.0 is-at 43:05:43:05:00:00, length 46
23:27:50.830426 ac:86:74:14:1e:1f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Reply 0.0.0.0 is-at 43:05:43:05:00:00, length 46
23:28:00.859446 ac:86:74:14:1e:1f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Reply 0.0.0.0 is-at 43:05:43:05:00:00, length 46
23:28:10.877778 ac:86:74:14:1e:1f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Reply 0.0.0.0 is-at 43:05:43:05:00:00, length 46
23:28:20.890439 ac:86:74:14:1e:1f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Reply 0.0.0.0 is-at 43:05:43:05:00:00, length 46
 

c32767a

Patron
Joined
Dec 13, 2012
Messages
371
Find the device on your network with a MAC address of ac:86:74:14:1e:1f and either turn it off or fix its network configuration. You really don't want things advertising themselves as destinations for 0.0.0.0.

ac:86:74 is registered with the IEEE to OpenMesh. Do you have an OpenMesh access point on your network?
If not, is your network secure, particularly your wireless network?
 

c32767a

Patron
Joined
Dec 13, 2012
Messages
371
I did a little digging and here's what I found:

http://www.open-mesh.org/projects/batman-adv/wiki/Bridge-loop-avoidance-Protocol

Somewhere on your network is an OpenMesh device, or something with similar functionality which is sending gratuitous arp frames with 0.0.0.0 in the IP address field.

Quoting from that site:

Note:
Although this is a misuse of ARP packets, the "normal" ARP process should not be disturbed as the IP addresses (0.0.0.0) should not be in any sane ARP table. As far as I understand, a gratuitous ARP should only be considered if the IP address is already in an ARP table [2].



It looks like the kernel message is actually just advising you that the kernel ignored the "misused" ARP packets. So it's probably harmless from the NAS's point of view, but may or may not indicate some sort of problem elsewhere on your network.
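
Added example, not part of the original thread or any poster's code: a small Python audit of `tcpdump -e -n` ARP reply lines that flags the conditions discussed above (a claimed hardware address with the multicast bit set, and a sender IP of 0.0.0.0). The function names and the second sample line are constructed for illustration.

```python
import re

# Constructed sample: line 1 is the frame quoted in the thread; line 2 is a
# made-up ordinary ARP reply included for contrast.
SAMPLE = """\
23:27:30.792295 ac:86:74:14:1e:1f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Reply 0.0.0.0 is-at 43:05:43:05:00:00, length 46
23:27:31.000000 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Reply 192.168.1.10 is-at 00:11:22:33:44:55, length 46
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
ARP_REPLY = re.compile(
    rf"^(?P<ts>\S+) (?P<src>{MAC}) > (?P<dst>{MAC}), ethertype ARP .*"
    rf"Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at (?P<claimed>{MAC})",
    re.IGNORECASE,
)

def is_multicast(mac):
    """True when the I/G bit (lowest bit of the first octet) is set."""
    return bool(int(mac.split(":")[0], 16) & 0x01)

def audit_arp_replies(text):
    """Return one finding per ARP reply that looks abnormal."""
    findings = []
    for line in text.splitlines():
        m = ARP_REPLY.match(line)
        if not m:
            continue
        src, claimed = m["src"].lower(), m["claimed"].lower()
        reasons = []
        if is_multicast(claimed):
            # This is the condition behind "arp: ... is multicast".
            reasons.append("claimed MAC is multicast")
        if m["ip"] == "0.0.0.0":
            reasons.append("sender IP is 0.0.0.0")
        if src != claimed:
            # Heuristic only: proxy ARP also produces this legitimately.
            reasons.append("claimed MAC differs from frame source")
        if reasons:
            findings.append({"source": src, "ip": m["ip"],
                             "claimed": claimed, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in audit_arp_replies(SAMPLE):
        print(f["source"], "->", f["claimed"], f["ip"], "; ".join(f["reasons"]))
```

The `source` field is the Ethernet source address of the frame, which is what identifies the physical device to track down; the claimed address inside the ARP payload is not.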
 

simonmason

Dabbler
Joined
Oct 24, 2012
Messages
26
I do indeed have an OpenMesh wifi router. I use it to provide solid wifi support throughout the house with its repeater. Based on the information contained in the site you provided, I am inclined to ignore this for now. Thanks for your support!
 