Bug 136023

Summary: "ARP: ... moved" log line incomplete
Product: Base System Reporter: arnt
Component: kernAssignee: freebsd-bugs (Nobody) <bugs>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: Unspecified   
Hardware: Any   
OS: Any   

Description arnt 2009-06-25 10:20:01 UTC 
When an ARP table entry changes, the kernel logs a line like this (IP addresses and blah kept unchanged):
arp: 195.30.37.40 moved from 00:00:24:c0:0e:29 to 00:16:6f:bb:37:8d on nfe0

The log line is based on a packet like this (as reported by tcpdump):
10:50:29.888674 00:16:6f:bb:37:8d > 00:19:66:2a:83:bc, ethertype ARP (0x0806), length 60: arp reply 195.30.37.40 is-at 00:16:6f:bb:37:8d

However, the log line does not log one important piece of information: Who sent the ARP reply (00:16:6f:bb:37:8d in this case). IMO it should be something like

arp: 195.30.37.40 moved from 00:00:24:c0:0e:29 to 00:16:6f:bb:37:8d on nfe0 based on ARP reply from 00:16:6f:bb:37:8d.

How-To-Repeat: Needs three hosts, all on the same ethernet. On A, set up proxy arp for B, pointing to a nonexistent ARP device. On C, ping B.

C will log "ARP: ... moved..." and may or may not be able to send ping replies to B. The log line will not indicate that A is the source of the problem.
Comment 1 Remko Lodder freebsd_committer freebsd_triage 2009-06-25 14:58:50 UTC 
State Changed
From-To: open->closed

There are tools available that monitor more advanced ARP things. I 
believe that ARP currently is implemented right as it is. The 
information you are requesting is too much overhead. Thanks for making 
FreeBSD better!