A strange address is answering nmap here!

nmap sees an ip address here not found by journalctl, nmcli, nor ip, and i want to know what’s up:

  #e#  nmap -sn 10.4.8.0/21
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-01 23:52 CST
Nmap scan report for 10.4.8.5
Host is up (0.0013s latency).
MAC Address: EC:B2:D7:60:62:80 (Hewlett Packard)
Nmap scan report for 10.4.8.9
Host is up (0.00085s latency).
MAC Address: 4A:DB:93:8F:8C:3A (Unknown)
...
Nmap done: 2048 IP addresses (8 hosts up) scanned in 7.32 seconds
  0#e#

Below you can see that ip a sees the .9 address but not .5:

  #c#  ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute 
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br128 state UP group default qlen 1000
    link/ether ec:b2:d7:60:62:80 brd ff:ff:ff:ff:ff:ff
    altname enp0s25
1084: br128: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 4a:db:93:8f:8c:3a brd ff:ff:ff:ff:ff:ff
    inet 10.4.8.9/24 brd 10.4.8.255 scope global dynamic noprefixroute br128
       valid_lft 4629sec preferred_lft 4629sec
    inet6 fe80::f5df:cc90:3dfb:d9ce/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
  0#c#  virsh list
bash: virsh: command not found
  127#c#

What else might i probe or look at to find what answers nmap at the .5 address?

Namespaces?

ip netns list

Maybe your Printer?

Dump the packets from that MAC. Best is if you have a router that can do tcpdump (openwrt or similar). Otherwise, run it from your computer.

tcpdump -s 0 -i eno1 -c 1000 'ether host ec:b2:d7:60:62:80' -w /tmp/tcpdump_`date +'%Y%m%d_%H%M'`

Wait until it reaches 1000 packets or just hit ctrl-c after a while and analyze the file.

wireshark  /tmp/tcpdump_2024*

Just use Wireshark if you’re wanting to do network sniffing - has a lot of useful features.

I can’t see a single sniffing feature I needed that isn’t in tcpdump/tshark. The analysis is done most easily in Wireshark, yes. Should you e.g. do packetdump on a router it is most certainly cli. It’s also probably personal taste and preference, but if you’re jumping around on platforms and in a cli environment, it might be better to do it via cli to begin with. Also good if you need to make it a cron/timer job. Anyway, you now have the cli command as a tool in the box.

Are you using randomized MAC addresses?

Do an OUI lookup to see what the device might be.

@gregrwm So that is the MAC address of eno1 which is also br128. A bridge should have no ip address, go into NetworkManager or nmcli and disable ipv4 and ipv6…

For example (enp7s0 is linked to br0);

 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 18:60:24:94:ed:f2 brd ff:ff:ff:ff:ff:ff
    altname enp0s25
    inet xxx.xxx.xxx.xxx/24 brd xxx.xxx.xxx.xxx scope global noprefixroute eno1
       valid_lft forever preferred_lft forever
3: enp7s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 88:c9:b3:bf:07:b4 brd ff:ff:ff:ff:ff:ff
4: enp8s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether 88:c9:b3:bf:07:b5 brd ff:ff:ff:ff:ff:ff
5: enp9s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br1 state UP group default qlen 1000
    link/ether 88:c9:b3:bf:07:b6 brd ff:ff:ff:ff:ff:ff
6: enp10s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 88:c9:b3:bf:07:b7 brd ff:ff:ff:ff:ff:ff
7: br1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ae:94:c8:51:ca:7b brd ff:ff:ff:ff:ff:ff
8: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000

Thank you all for your ideas…

No internal DNS here other than the usual ability to query external DNS:

  #c#  ip netns list
  0#c#

No printer here. The Hewlett Packard mac address is host “c” eno1. The other mac address is host “c” br128. (But the .5 ip address is unknown to me, and not found in journalctl, nmcli, nor ip!)

Android and ios here use randomized mac addresses but neither box “c” nor “e” do.

is there any point to an oui lookup when we already know the HP mac address is host “c”?

Yeah that’s what i’ve always thought too, but most docs i’d seen b4now seem to say it’s the other way around. But now i find this redhat doc says take your pick and do it either way.

ok i disabled ipv4 and ipv6 in
/etc/NetworkManager/system-connections/eno1.nmconnection
and rebooted.

But nmap still gets an answer from the suspicious .5 address.

i’ve never used wireshark, guess it’s time to learn. First thing i notice is the tumbleweed wireshark package has the wireshark manual page describing the wireshark command but tumbleweed doesn’t have a wireshark command. Hmm.

rawshark is there. Reading the manpage. Falling asleep…

Meanwhile i’m open to suggestions of a good command to get me started…

Run ping 10.4.8.5, provide packet capture on both source system (where you run ping) and target system (with MAC EC:B2:D7:60:62:80). It does not matter whether you will use tcpdump, tshark, wireshark or dumpcap, but it should be full binary capture, not decoded text.

ok, start tshark on both “c” and “e”, then run ping on “e”. We do thus capture an answer where the HP mac claims the .5 address, at the bottom of the “e” tshark capture:

  $e$  ping -nc5 10.3.8.6
PING 10.3.8.6 (10.3.8.6) 56(84) bytes of data.
64 bytes from 10.3.8.6: icmp_seq=1 ttl=64 time=0.412 ms
64 bytes from 10.3.8.6: icmp_seq=2 ttl=64 time=0.311 ms
64 bytes from 10.3.8.6: icmp_seq=3 ttl=64 time=0.460 ms
64 bytes from 10.3.8.6: icmp_seq=4 ttl=64 time=0.378 ms
64 bytes from 10.3.8.6: icmp_seq=5 ttl=64 time=0.439 ms
--- 10.3.8.6 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4060ms
rtt min/avg/max/mdev = 0.311/0.400/0.460/0.052 ms
  0$e$  ping -nc5 10.3.8.5
PING 10.3.8.5 (10.3.8.5) 56(84) bytes of data.
From 10.3.8.9 icmp_seq=1 Destination Host Unreachable
From 10.3.8.9 icmp_seq=2 Destination Host Unreachable
From 10.3.8.9 icmp_seq=3 Destination Host Unreachable
From 10.3.8.9 icmp_seq=4 Destination Host Unreachable
From 10.3.8.9 icmp_seq=5 Destination Host Unreachable
--- 10.3.8.5 ping statistics ---
5 packets transmitted, 0 received, +5 errors, 100% packet loss, time 4066ms
pipe 3
  1$e$
  #c#  tshark -lf 'host 10.3.8.5 or 10.3.8.6 or 10.3.8.9 or 10.3.8.87'
Capturing on 'eno1'
    1 0.000000000 AlphaNetwork_b6:4c:0d ? Broadcast    ARP 60 Who has 10.3.8.5? Tell 10.3.8.3
    2 0.000083678 AlphaNetwork_b6:4c:0d ? Broadcast    ARP 60 Who has 10.3.8.6? Tell 10.3.8.3
    3 0.000211503 AlphaNetwork_b6:4c:0d ? Broadcast    ARP 60 Who has 10.3.8.9? Tell 10.3.8.3
    4 0.000220030 4a:da:93:8f:8c:3a ? AlphaNetwork_b6:4c:0d ARP 42 10.3.8.9 is at 4a:da:93:8f:8c:3a
    5 0.000897113 AlphaNetwork_b6:4c:0d ? Broadcast    ARP 60 Who has 10.3.8.87? Tell 10.3.8.3
    6 0.161297415     10.3.8.9 ? 10.3.8.7     SSL 230 Continuation Data
    7 0.161737458     10.3.8.7 ? 10.3.8.9     TCP 66 58332 ? 995 [ACK] Seq=1 Ack=165 Win=530 Len=0 TSval=2439819072 TSecr=3629094591
    8 0.411604106     10.3.8.9 ? 10.3.8.7     SSL 598 Continuation Data
    9 0.412009161     10.3.8.7 ? 10.3.8.9     TCP 66 58332 ? 995 [ACK] Seq=1 Ack=697 Win=528 Len=0 TSval=2439819322 TSecr=3629094841
   10 0.619812114     10.3.8.3 ? 10.3.8.9     NBNS 92 Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
   11 0.619900841     10.3.8.9 ? 10.3.8.3     ICMP 120 Destination unreachable (Communication administratively filtered)
   12 0.679314248     10.3.8.9 ? 10.3.8.7     SSL 534 Continuation Data
   13 0.679638926     10.3.8.7 ? 10.3.8.9     TCP 66 58332 ? 995 [ACK] Seq=1 Ack=1165 Win=528 Len=0 TSval=2439819590 TSecr=3629095109
   14 0.930166107     10.3.8.3 ? 10.3.8.5     NBNS 92 Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
   15 0.930296402 4a:da:93:8f:8c:3a ? Broadcast    ARP 42 Who has 10.3.8.5? Tell 10.3.8.9
   16 0.945368987     10.3.8.9 ? 10.3.8.7     SSL 358 Continuation Data
   17 0.945781002     10.3.8.7 ? 10.3.8.9     TCP 66 58332 ? 995 [ACK] Seq=1 Ack=1457 Win=528 Len=0 TSval=2439819856 TSecr=3629095375
   18 1.249984046     10.3.8.3 ? 10.3.8.9     MDNS 81 Standard query 0x0000 PTR 9.8.3.10.in-addr.arpa, "QM" question
   19 1.250097989     10.3.8.9 ? 10.3.8.3     ICMP 109 Destination unreachable (Communication administratively filtered)
   20 1.890089086     10.3.8.3 ? 10.3.8.5     MDNS 81 Standard query 0x0000 PTR 5.8.3.10.in-addr.arpa, "QM" question
   21 1.947009479 4a:da:93:8f:8c:3a ? Broadcast    ARP 42 Who has 10.3.8.5? Tell 10.3.8.9
   22 2.960341340 4a:da:93:8f:8c:3a ? Broadcast    ARP 42 Who has 10.3.8.5? Tell 10.3.8.9
   23 3.973720353     10.3.8.9 ? 10.3.8.3     ICMP 120 Destination unreachable (Host unreachable)
   24 3.973749405     10.3.8.9 ? 10.3.8.3     ICMP 109 Destination unreachable (Host unreachable)
   25 5.813671114 4a:da:93:8f:8c:3a ? AlphaNetwork_b6:4c:0d ARP 42 Who has 10.3.8.3? Tell 10.3.8.9
   26 5.814233229 AlphaNetwork_b6:4c:0d ? 4a:da:93:8f:8c:3a ARP 60 10.3.8.3 is at 0c:83:cc:b6:4c:0d
   27 12.311182189     10.3.8.7 ? 10.3.8.5     ICMP 98 Echo (ping) request  id=0x0005, seq=1/256, ttl=64
   28 12.311309458 4a:da:93:8f:8c:3a ? Broadcast    ARP 42 Who has 10.3.8.5? Tell 10.3.8.9
   29 13.311756429     10.3.8.7 ? 10.3.8.5     ICMP 98 Echo (ping) request  id=0x0005, seq=2/512, ttl=64
   30 13.333674775 4a:da:93:8f:8c:3a ? Broadcast    ARP 42 Who has 10.3.8.5? Tell 10.3.8.9
   31 14.325178314     10.3.8.7 ? 10.3.8.5     ICMP 98 Echo (ping) request  id=0x0005, seq=3/768, ttl=64
   32 14.347006246 4a:da:93:8f:8c:3a ? Broadcast    ARP 42 Who has 10.3.8.5? Tell 10.3.8.9
   33 15.338530630     10.3.8.7 ? 10.3.8.5     ICMP 98 Echo (ping) request  id=0x0005, seq=4/1024, ttl=64
   34 15.360389289     10.3.8.9 ? 10.3.8.7     ICMP 126 Destination unreachable (Host unreachable)
   35 15.360418531     10.3.8.9 ? 10.3.8.7     ICMP 126 Destination unreachable (Host unreachable)
   36 15.360433756     10.3.8.9 ? 10.3.8.7     ICMP 126 Destination unreachable (Host unreachable)
   37 15.360448024     10.3.8.9 ? 10.3.8.7     ICMP 126 Destination unreachable (Host unreachable)
   38 16.340138191     10.3.8.7 ? 10.3.8.5     ICMP 98 Echo (ping) request  id=0x0005, seq=5/1280, ttl=64
   39 16.340244035 4a:da:93:8f:8c:3a ? Broadcast    ARP 42 Who has 10.3.8.5? Tell 10.3.8.9
   40 17.360343905 4a:da:93:8f:8c:3a ? Broadcast    ARP 42 Who has 10.3.8.5? Tell 10.3.8.9
   41 17.471656783 LCFCElectron_40:f3:46 ? HewlettPacka_60:62:80 ARP 60 Who has 10.3.8.5? Tell 10.3.8.7
   42 18.061912336 LCFCElectron_40:f3:46 ? Broadcast    ARP 60 Who has 10.3.8.5? Tell 10.3.8.7
   43 18.070823562 LCFCElectron_40:f3:46 ? Broadcast    ARP 60 Who has 10.3.8.9? Tell 10.3.8.7
   44 18.070849942 4a:da:93:8f:8c:3a ? LCFCElectron_40:f3:46 ARP 42 10.3.8.9 is at 4a:da:93:8f:8c:3a
   45 18.365646479 LCFCElectron_40:f3:46 ? Broadcast    ARP 60 Who has 10.3.8.9? Tell 10.3.8.7
   46 18.365683079 4a:da:93:8f:8c:3a ? LCFCElectron_40:f3:46 ARP 42 10.3.8.9 is at 4a:da:93:8f:8c:3a
   47 18.373625310 4a:da:93:8f:8c:3a ? Broadcast    ARP 42 Who has 10.3.8.5? Tell 10.3.8.9
   48 18.669491948 LCFCElectron_40:f3:46 ? Broadcast    ARP 60 Who has 10.3.8.9? Tell 10.3.8.7
   49 18.669528387 4a:da:93:8f:8c:3a ? LCFCElectron_40:f3:46 ARP 42 10.3.8.9 is at 4a:da:93:8f:8c:3a
   50 18.887446474 LCFCElectron_40:f3:46 ? Broadcast    ARP 60 Who has 10.3.8.87? Tell 10.3.8.7
   51 19.387053384     10.3.8.9 ? 10.3.8.7     ICMP 126 Destination unreachable (Host unreachable)
   52 60.004904612 AlphaNetwork_b6:4c:0d ? Broadcast    ARP 60 Who has 10.3.8.5? Tell 10.3.8.3
   53 60.004981284 AlphaNetwork_b6:4c:0d ? Broadcast    ARP 60 Who has 10.3.8.6? Tell 10.3.8.3
   54 60.005117488 AlphaNetwork_b6:4c:0d ? Broadcast    ARP 60 Who has 10.3.8.9? Tell 10.3.8.3
   55 60.005136562 4a:da:93:8f:8c:3a ? AlphaNetwork_b6:4c:0d ARP 42 10.3.8.9 is at 4a:da:93:8f:8c:3a
   56 60.006240896 AlphaNetwork_b6:4c:0d ? Broadcast    ARP 60 Who has 10.3.8.87? Tell 10.3.8.3
   57 69.082716001 AlphaNetwork_b6:4c:0d ? Broadcast    ARP 60 Who has 10.3.8.5? Tell 10.3.8.3
   58 69.082817199 AlphaNetwork_b6:4c:0d ? Broadcast    ARP 60 Who has 10.3.8.6? Tell 10.3.8.3
   59 69.083654819 AlphaNetwork_b6:4c:0d ? Broadcast    ARP 60 Who has 10.3.8.9? Tell 10.3.8.3
   60 69.083672710 4a:da:93:8f:8c:3a ? AlphaNetwork_b6:4c:0d ARP 42 10.3.8.9 is at 4a:da:93:8f:8c:3a
   61 69.094137045 AlphaNetwork_b6:4c:0d ? Broadcast    ARP 60 Who has 10.3.8.87? Tell 10.3.8.3
   62 69.510027985     10.3.8.3 ? 10.3.8.5     NBNS 92 Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
   63 69.510160991 4a:da:93:8f:8c:3a ? Broadcast    ARP 42 Who has 10.3.8.5? Tell 10.3.8.9
   64 69.830586205     10.3.8.3 ? 10.3.8.5     MDNS 81 Standard query 0x0000 PTR 5.8.3.10.in-addr.arpa, "QM" question
   65 70.149989668     10.3.8.3 ? 10.3.8.9     NBNS 92 Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
   66 70.533667073 4a:da:93:8f:8c:3a ? Broadcast    ARP 42 Who has 10.3.8.5? Tell 10.3.8.9
   67 71.080108213     10.3.8.3 ? 10.3.8.9     MDNS 81 Standard query 0x0000 PTR 9.8.3.10.in-addr.arpa, "QM" question
   68 71.080224816     10.3.8.9 ? 10.3.8.3     ICMP 109 Destination unreachable (Communication administratively filtered)
  #e#  tshark -lf 'host 10.3.8.5 or 10.3.8.6 or 10.3.8.9 or 10.3.8.87'
Capturing on 'enp3s0'
   38 9.162110300 66.244.202.114 ? 10.3.8.87    ICMP 70 Destination unreachable (Communication administratively filtered)
   39 9.173201356     10.3.8.9 ? 10.3.8.7     TCP 174 [TCP segment of a reassembled PDU]
   40 9.173295219     10.3.8.7 ? 10.3.8.9     TCP 66 58332 ? 995 [ACK] Seq=117 Ack=1917 Win=531 Len=0 TSval=2439818601 TSecr=3629094120
   41 9.368239729     10.3.8.9 ? 10.3.8.7     TCP 134 995 ? 58332 [PSH, ACK] Seq=1917 Ack=117 Win=249 Len=68 TSval=3629094315 TSecr=2439818601 [TCP segment of a reassembled PDU]
   42 9.368331251     10.3.8.7 ? 10.3.8.9     TCP 66 58332 ? 995 [ACK] Seq=117 Ack=1985 Win=531 Len=0 TSval=2439818796 TSecr=3629094315
   43 9.482601160 AlphaNetwork_b6:4c:0d ? Broadcast    ARP 60 Who has 10.3.8.5? Tell 10.3.8.3
   44 9.482682504 AlphaNetwork_b6:4c:0d ? Broadcast    ARP 60 Who has 10.3.8.6? Tell 10.3.8.3
   45 9.482797911 AlphaNetwork_b6:4c:0d ? Broadcast    ARP 60 Who has 10.3.8.9? Tell 10.3.8.3
   46 9.483550521 AlphaNetwork_b6:4c:0d ? Broadcast    ARP 60 Who has 10.3.8.87? Tell 10.3.8.3
   47 9.644184259     10.3.8.9 ? 10.3.8.7     TCP 230 995 ? 58332 [PSH, ACK] Seq=1985 Ack=117 Win=249 Len=164 TSval=3629094591 TSecr=2439818796 [TCP segment of a reassembled PDU]
   48 9.644278458     10.3.8.7 ? 10.3.8.9     TCP 66 58332 ? 995 [ACK] Seq=117 Ack=2149 Win=530 Len=0 TSval=2439819072 TSecr=3629094591
   49 9.894497220     10.3.8.9 ? 10.3.8.7     TCP 598 995 ? 58332 [PSH, ACK] Seq=2149 Ack=117 Win=249 Len=532 TSval=3629094841 TSecr=2439819072 [TCP segment of a reassembled PDU]
   50 9.894587524     10.3.8.7 ? 10.3.8.9     TCP 66 58332 ? 995 [ACK] Seq=117 Ack=2681 Win=528 Len=0 TSval=2439819322 TSecr=3629094841
   51 10.162161854     10.3.8.9 ? 10.3.8.7     TCP 534 995 ? 58332 [PSH, ACK] Seq=2681 Ack=117 Win=249 Len=468 TSval=3629095109 TSecr=2439819322 [TCP segment of a reassembled PDU]
   52 10.162240246     10.3.8.7 ? 10.3.8.9     TCP 66 58332 ? 995 [ACK] Seq=117 Ack=3149 Win=528 Len=0 TSval=2439819590 TSecr=3629095109
   53 10.413485483 4a:da:93:8f:8c:3a ? Broadcast    ARP 60 Who has 10.3.8.5? Tell 10.3.8.9
   54 10.428260938     10.3.8.9 ? 10.3.8.7     TCP 358 995 ? 58332 [PSH, ACK] Seq=3149 Ack=117 Win=249 Len=292 TSval=3629095375 TSecr=2439819590 [TCP segment of a reassembled PDU]
   55 10.428351578     10.3.8.7 ? 10.3.8.9     TCP 66 58332 ? 995 [ACK] Seq=117 Ack=3441 Win=528 Len=0 TSval=2439819856 TSecr=3629095375
   56 11.430187867 4a:da:93:8f:8c:3a ? Broadcast    ARP 60 Who has 10.3.8.5? Tell 10.3.8.9
   57 12.443612201 4a:da:93:8f:8c:3a ? Broadcast    ARP 60 Who has 10.3.8.5? Tell 10.3.8.9
   58 16.715091847    10.3.8.87 ? 216.52.29.11 NTP 90 NTP Version 4, client
   59 16.763864246 216.52.29.11 ? 10.3.8.87    ICMP 70 Destination unreachable (Port unreachable)
   60 21.793713739     10.3.8.7 ? 10.3.8.5     ICMP 98 Echo (ping) request  id=0x0005, seq=1/256, ttl=64
   61 21.794528085 4a:da:93:8f:8c:3a ? Broadcast    ARP 60 Who has 10.3.8.5? Tell 10.3.8.9
   62 21.834246529 LCFCElectron_40:f3:46 ? 52:54:00:0f:4f:0d ARP 42 Who has 10.3.8.87? Tell 10.3.8.7
   63 21.834900884 52:54:00:0f:4f:0d ? LCFCElectron_40:f3:46 ARP 60 10.3.8.87 is at 52:54:00:0f:4f:0d
   64 22.794297110     10.3.8.7 ? 10.3.8.5     ICMP 98 Echo (ping) request  id=0x0005, seq=2/512, ttl=64
   65 22.816760051 4a:da:93:8f:8c:3a ? Broadcast    ARP 60 Who has 10.3.8.5? Tell 10.3.8.9
   66 23.807705821     10.3.8.7 ? 10.3.8.5     ICMP 98 Echo (ping) request  id=0x0005, seq=3/768, ttl=64
   67 23.830272284 4a:da:93:8f:8c:3a ? Broadcast    ARP 60 Who has 10.3.8.5? Tell 10.3.8.9
   68 24.821057558     10.3.8.7 ? 10.3.8.5     ICMP 98 Echo (ping) request  id=0x0005, seq=4/1024, ttl=64
   69 24.843240192     10.3.8.9 ? 10.3.8.7     ICMP 126 Destination unreachable (Host unreachable)
   70 24.843240348     10.3.8.9 ? 10.3.8.7     ICMP 126 Destination unreachable (Host unreachable)
   71 24.843240458     10.3.8.9 ? 10.3.8.7     ICMP 126 Destination unreachable (Host unreachable)
   72 24.843240569     10.3.8.9 ? 10.3.8.7     ICMP 126 Destination unreachable (Host unreachable)
   73 25.822670861     10.3.8.7 ? 10.3.8.5     ICMP 98 Echo (ping) request  id=0x0005, seq=5/1280, ttl=64
   74 25.823424772 4a:da:93:8f:8c:3a ? Broadcast    ARP 60 Who has 10.3.8.5? Tell 10.3.8.9
   75 26.262042270     10.3.8.6 ? 96.245.170.99 NTP 90 NTP Version 4, client
   76 26.843615107 4a:da:93:8f:8c:3a ? Broadcast    ARP 60 Who has 10.3.8.5? Tell 10.3.8.9
   77 26.954196136 LCFCElectron_40:f3:46 ? HewlettPacka_60:62:80 ARP 42 Who has 10.3.8.5? Tell 10.3.8.7
   78 26.954666798 HewlettPacka_60:62:80 ? LCFCElectron_40:f3:46 ARP 60 10.3.8.5 is at ec:b1:d7:60:62:80
   79 27.543878523 LCFCElectron_40:f3:46 ? Broadcast    ARP 42 Who has 10.3.8.5? Tell 10.3.8.7
   80 27.544996185 HewlettPacka_60:62:80 ? LCFCElectron_40:f3:46 ARP 60 10.3.8.5 is at ec:b1:d7:60:62:80

Fascinating, all ARP 42 Who has 10.3.8.5? Tell queries go unanswered until after the 5th ping, 2 more asked by 10.3.8.9 still go unanswered, but when 10.3.8.7 asks this time the HP mac answers ARP 60 10.3.8.5 is at ec:b1:d7:60:62:80!

But so what could be doing this?

That is not supposed to happen. Show netfilter configuration on the destination host (I assume, c):

iptables -L -n -v
iptables -L -n -v -t nat
nft list ruleset

Note that nftables can be used without nft tool itself, so you may need to install it.

  #c#  iptables -L -n -v|egrep -v '^$'
Chain INPUT (policy ACCEPT 28752 packets, 65M bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 3449 packets, 250K bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 27618 packets, 3509K bytes)
 pkts bytes target     prot opt in     out     source               destination         
  0#c#  iptables -L -n -v -t nat|egrep -v '^$'
Chain PREROUTING (policy ACCEPT 8446 packets, 593K bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain INPUT (policy ACCEPT 25 packets, 7963 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 8856 packets, 642K bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 12301 packets, 892K bytes)
 pkts bytes target     prot opt in     out     source               destination
  0#c#  nft list ruleset|egrep -v '^$'
table inet firewalld {
        chain mangle_PREROUTING {
                type filter hook prerouting priority mangle + 10; policy accept;
                jump mangle_PREROUTING_POLICIES
        }
        chain mangle_PREROUTING_POLICIES {
                iifname "docker0" jump mangle_PRE_policy_allow-host-ipv6
                iifname "docker0" jump mangle_PRE_docker
                iifname "docker0" return
                iifname "br128" jump mangle_PRE_policy_allow-host-ipv6
                iifname "br128" jump mangle_PRE_public
                iifname "br128" return
                iifname "eno1" jump mangle_PRE_policy_allow-host-ipv6
                iifname "eno1" jump mangle_PRE_public
                iifname "eno1" return
                jump mangle_PRE_policy_allow-host-ipv6
                jump mangle_PRE_public
                return
        }
        chain nat_PREROUTING {
                type nat hook prerouting priority dstnat + 10; policy accept;
                jump nat_PREROUTING_POLICIES
        }
        chain nat_PREROUTING_POLICIES {
                iifname "docker0" jump nat_PRE_policy_allow-host-ipv6
                iifname "docker0" jump nat_PRE_docker
                iifname "docker0" return
                iifname "br128" jump nat_PRE_policy_allow-host-ipv6
                iifname "br128" jump nat_PRE_public
                iifname "br128" return
                iifname "eno1" jump nat_PRE_policy_allow-host-ipv6
                iifname "eno1" jump nat_PRE_public
                iifname "eno1" return
                jump nat_PRE_policy_allow-host-ipv6
                jump nat_PRE_public
                return
        }
        chain nat_POSTROUTING {
                type nat hook postrouting priority srcnat + 10; policy accept;
                jump nat_POSTROUTING_POLICIES
        }
        chain nat_POSTROUTING_POLICIES {
                iifname "docker0" oifname "docker0" jump nat_POST_docker
                iifname "docker0" oifname "docker0" return
                iifname "br128" oifname "docker0" jump nat_POST_docker
                iifname "br128" oifname "docker0" return
                iifname "eno1" oifname "docker0" jump nat_POST_docker
                iifname "eno1" oifname "docker0" return
                oifname "docker0" jump nat_POST_docker
                oifname "docker0" return
                iifname "docker0" oifname "br128" jump nat_POST_public
                iifname "docker0" oifname "br128" return
                iifname "br128" oifname "br128" jump nat_POST_public
                iifname "br128" oifname "br128" return
                iifname "eno1" oifname "br128" jump nat_POST_public
                iifname "eno1" oifname "br128" return
                oifname "br128" jump nat_POST_public
                oifname "br128" return
                iifname "docker0" oifname "eno1" jump nat_POST_public
                iifname "docker0" oifname "eno1" return
                iifname "br128" oifname "eno1" jump nat_POST_public
                iifname "br128" oifname "eno1" return
                iifname "eno1" oifname "eno1" jump nat_POST_public
                iifname "eno1" oifname "eno1" return
                oifname "eno1" jump nat_POST_public
                oifname "eno1" return
                iifname "docker0" jump nat_POST_public
                iifname "docker0" return
                iifname "br128" jump nat_POST_public
                iifname "br128" return
                iifname "eno1" jump nat_POST_public
                iifname "eno1" return
                jump nat_POST_public
                return
        }
        chain nat_OUTPUT {
                type nat hook output priority dstnat + 10; policy accept;
                jump nat_OUTPUT_POLICIES
        }
        chain nat_OUTPUT_POLICIES {
                oifname "docker0" jump nat_OUT_docker
                oifname "docker0" return
                oifname "br128" jump nat_OUT_public
                oifname "br128" return
                oifname "eno1" jump nat_OUT_public
                oifname "eno1" return
                jump nat_OUT_public
                return
        }
        chain filter_PREROUTING {
                type filter hook prerouting priority filter + 10; policy accept;
                icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
                meta nfproto ipv6 fib saddr . mark . iif oif missing drop
        }
        chain filter_INPUT {
                type filter hook input priority filter + 10; policy accept;
                ct state { established, related } accept
                ct status dnat accept
                iifname "lo" accept
                ct state invalid drop
                jump filter_INPUT_POLICIES
                reject with icmpx admin-prohibited
        }
        chain filter_FORWARD {
                type filter hook forward priority filter + 10; policy accept;
                ct state { established, related } accept
                ct status dnat accept
                iifname "lo" accept
                ct state invalid drop
                ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
                jump filter_FORWARD_POLICIES
                reject with icmpx admin-prohibited
        }
        chain filter_OUTPUT {
                type filter hook output priority filter + 10; policy accept;
                ct state { established, related } accept
                oifname "lo" accept
                ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
                jump filter_OUTPUT_POLICIES
        }
        chain filter_INPUT_POLICIES {
                iifname "docker0" jump filter_IN_policy_allow-host-ipv6
                iifname "docker0" jump filter_IN_docker
                iifname "docker0" accept
                iifname "br128" jump filter_IN_policy_allow-host-ipv6
                iifname "br128" jump filter_IN_public
                iifname "br128" reject with icmpx admin-prohibited
                iifname "eno1" jump filter_IN_policy_allow-host-ipv6
                iifname "eno1" jump filter_IN_public
                iifname "eno1" reject with icmpx admin-prohibited
                jump filter_IN_policy_allow-host-ipv6
                jump filter_IN_public
                reject with icmpx admin-prohibited
        }
        chain filter_FORWARD_POLICIES {
                iifname "docker0" oifname "docker0" jump filter_FWD_docker
                iifname "docker0" oifname "docker0" accept
                iifname "docker0" oifname "br128" jump filter_FWD_docker
                iifname "docker0" oifname "br128" accept
                iifname "docker0" oifname "eno1" jump filter_FWD_docker
                iifname "docker0" oifname "eno1" accept
                iifname "docker0" jump filter_FWD_docker
                iifname "docker0" accept
                iifname "br128" oifname "docker0" jump filter_FWD_public
                iifname "br128" oifname "docker0" reject with icmpx admin-prohibited
                iifname "br128" oifname "br128" jump filter_FWD_public
                iifname "br128" oifname "br128" reject with icmpx admin-prohibited
                iifname "br128" oifname "eno1" jump filter_FWD_public
                iifname "br128" oifname "eno1" reject with icmpx admin-prohibited
                iifname "br128" jump filter_FWD_public
                iifname "br128" reject with icmpx admin-prohibited
                iifname "eno1" oifname "docker0" jump filter_FWD_public
                iifname "eno1" oifname "docker0" reject with icmpx admin-prohibited
                iifname "eno1" oifname "br128" jump filter_FWD_public
                iifname "eno1" oifname "br128" reject with icmpx admin-prohibited
                iifname "eno1" oifname "eno1" jump filter_FWD_public
                iifname "eno1" oifname "eno1" reject with icmpx admin-prohibited
                iifname "eno1" jump filter_FWD_public
                iifname "eno1" reject with icmpx admin-prohibited
                oifname "docker0" jump filter_FWD_public
                oifname "docker0" reject with icmpx admin-prohibited
                oifname "br128" jump filter_FWD_public
                oifname "br128" reject with icmpx admin-prohibited
                oifname "eno1" jump filter_FWD_public
                oifname "eno1" reject with icmpx admin-prohibited
                jump filter_FWD_public
                reject with icmpx admin-prohibited
        }
        chain filter_OUTPUT_POLICIES {
                oifname "docker0" jump filter_OUT_docker
                oifname "docker0" return
                oifname "br128" jump filter_OUT_public
                oifname "br128" return
                oifname "eno1" jump filter_OUT_public
                oifname "eno1" return
                jump filter_OUT_public
                return
        }
        chain filter_IN_public {
                jump filter_IN_public_pre
                jump filter_IN_public_log
                jump filter_IN_public_deny
                jump filter_IN_public_allow
                jump filter_IN_public_post
                meta l4proto { icmp, ipv6-icmp } accept
        }
        chain filter_IN_public_pre {
        }
        chain filter_IN_public_log {
        }
        chain filter_IN_public_deny {
        }
        chain filter_IN_public_allow {
                tcp dport 22 accept
                ip6 daddr fe80::/64 udp dport 546 accept
                udp dport 67 accept
                tcp dport 995 accept
        }
        chain filter_IN_public_post {
        }
        chain filter_OUT_public {
                jump filter_OUT_public_pre
                jump filter_OUT_public_log
                jump filter_OUT_public_deny
                jump filter_OUT_public_allow
                jump filter_OUT_public_post
        }
        chain filter_OUT_public_pre {
        }
        chain filter_OUT_public_log {
        }
        chain filter_OUT_public_deny {
        }
        chain filter_OUT_public_allow {
        }
        chain filter_OUT_public_post {
        }
        chain nat_OUT_public {
                jump nat_OUT_public_pre
                jump nat_OUT_public_log
                jump nat_OUT_public_deny
                jump nat_OUT_public_allow
                jump nat_OUT_public_post
        }
        chain nat_OUT_public_pre {
        }
        chain nat_OUT_public_log {
        }
        chain nat_OUT_public_deny {
        }
        chain nat_OUT_public_allow {
        }
        chain nat_OUT_public_post {
        }
        chain nat_POST_public {
                jump nat_POST_public_pre
                jump nat_POST_public_log
                jump nat_POST_public_deny
                jump nat_POST_public_allow
                jump nat_POST_public_post
        }
        chain nat_POST_public_pre {
        }
        chain nat_POST_public_log {
        }
        chain nat_POST_public_deny {
        }
        chain nat_POST_public_allow {
                meta nfproto ipv4 oifname != "lo" masquerade
        }
        chain nat_POST_public_post {
        }
        chain filter_FWD_public {
                jump filter_FWD_public_pre
                jump filter_FWD_public_log
                jump filter_FWD_public_deny
                jump filter_FWD_public_allow
                jump filter_FWD_public_post
        }
        chain filter_FWD_public_pre {
        }
        chain filter_FWD_public_log {
        }
        chain filter_FWD_public_deny {
        }
        chain filter_FWD_public_allow {
                oifname "br128" accept
                oifname "eno1" accept
        }
        chain filter_FWD_public_post {
        }
        chain nat_PRE_public {
                jump nat_PRE_public_pre
                jump nat_PRE_public_log
                jump nat_PRE_public_deny
                jump nat_PRE_public_allow
                jump nat_PRE_public_post
        }
        chain nat_PRE_public_pre {
        }
        chain nat_PRE_public_log {
        }
        chain nat_PRE_public_deny {
        }
        chain nat_PRE_public_allow {
        }
        chain nat_PRE_public_post {
        }
        chain mangle_PRE_public {
                jump mangle_PRE_public_pre
                jump mangle_PRE_public_log
                jump mangle_PRE_public_deny
                jump mangle_PRE_public_allow
                jump mangle_PRE_public_post
        }
        chain mangle_PRE_public_pre {
        }
        chain mangle_PRE_public_log {
        }
        chain mangle_PRE_public_deny {
        }
        chain mangle_PRE_public_allow {
        }
        chain mangle_PRE_public_post {
        }
        chain filter_IN_docker {
                jump filter_IN_docker_pre
                jump filter_IN_docker_log
                jump filter_IN_docker_deny
                jump filter_IN_docker_allow
                jump filter_IN_docker_post
        }
        chain filter_IN_docker_pre {
        }
        chain filter_IN_docker_log {
        }
        chain filter_IN_docker_deny {
        }
        chain filter_IN_docker_allow {
        }
        chain filter_IN_docker_post {
        }
        chain filter_OUT_docker {
                jump filter_OUT_docker_pre
                jump filter_OUT_docker_log
                jump filter_OUT_docker_deny
                jump filter_OUT_docker_allow
                jump filter_OUT_docker_post
        }
        chain filter_OUT_docker_pre {
        }
        chain filter_OUT_docker_log {
        }
        chain filter_OUT_docker_deny {
        }
        chain filter_OUT_docker_allow {
        }
        chain filter_OUT_docker_post {
        }
        chain nat_OUT_docker {
                jump nat_OUT_docker_pre
                jump nat_OUT_docker_log
                jump nat_OUT_docker_deny
                jump nat_OUT_docker_allow
                jump nat_OUT_docker_post
        }
        chain nat_OUT_docker_pre {
        }
        chain nat_OUT_docker_log {
        }
        chain nat_OUT_docker_deny {
        }
        chain nat_OUT_docker_allow {
        }
        chain nat_OUT_docker_post {
        }
        chain nat_POST_docker {
                jump nat_POST_docker_pre
                jump nat_POST_docker_log
                jump nat_POST_docker_deny
                jump nat_POST_docker_allow
                jump nat_POST_docker_post
        }
        chain nat_POST_docker_pre {
        }
        chain nat_POST_docker_log {
        }
        chain nat_POST_docker_deny {
        }
        chain nat_POST_docker_allow {
        }
        chain nat_POST_docker_post {
        }
        chain filter_FWD_docker {
                jump filter_FWD_docker_pre
                jump filter_FWD_docker_log
                jump filter_FWD_docker_deny
                jump filter_FWD_docker_allow
                jump filter_FWD_docker_post
        }
        chain filter_FWD_docker_pre {
        }
        chain filter_FWD_docker_log {
        }
        chain filter_FWD_docker_deny {
        }
        chain filter_FWD_docker_allow {
        }
        chain filter_FWD_docker_post {
        }
        chain nat_PRE_docker {
                jump nat_PRE_docker_pre
                jump nat_PRE_docker_log
                jump nat_PRE_docker_deny
                jump nat_PRE_docker_allow
                jump nat_PRE_docker_post
        }
        chain nat_PRE_docker_pre {
        }
        chain nat_PRE_docker_log {
        }
        chain nat_PRE_docker_deny {
        }
        chain nat_PRE_docker_allow {
        }
        chain nat_PRE_docker_post {
        }
        chain mangle_PRE_docker {
                jump mangle_PRE_docker_pre
                jump mangle_PRE_docker_log
                jump mangle_PRE_docker_deny
                jump mangle_PRE_docker_allow
                jump mangle_PRE_docker_post
        }
        chain mangle_PRE_docker_pre {
        }
        chain mangle_PRE_docker_log {
        }
        chain mangle_PRE_docker_deny {
        }
        chain mangle_PRE_docker_allow {
        }
        chain mangle_PRE_docker_post {
        }
        chain filter_IN_policy_allow-host-ipv6 {
                jump filter_IN_policy_allow-host-ipv6_pre
                jump filter_IN_policy_allow-host-ipv6_log
                jump filter_IN_policy_allow-host-ipv6_deny
                jump filter_IN_policy_allow-host-ipv6_allow
                jump filter_IN_policy_allow-host-ipv6_post
        }
        chain filter_IN_policy_allow-host-ipv6_pre {
        }
        chain filter_IN_policy_allow-host-ipv6_log {
        }
        chain filter_IN_policy_allow-host-ipv6_deny {
        }
        chain filter_IN_policy_allow-host-ipv6_allow {
                icmpv6 type nd-neighbor-advert accept
                icmpv6 type nd-neighbor-solicit accept
                icmpv6 type nd-router-advert accept
                icmpv6 type nd-redirect accept
        }
        chain filter_IN_policy_allow-host-ipv6_post {
        }
        chain nat_PRE_policy_allow-host-ipv6 {
                jump nat_PRE_policy_allow-host-ipv6_pre
                jump nat_PRE_policy_allow-host-ipv6_log
                jump nat_PRE_policy_allow-host-ipv6_deny
                jump nat_PRE_policy_allow-host-ipv6_allow
                jump nat_PRE_policy_allow-host-ipv6_post
        }
        chain nat_PRE_policy_allow-host-ipv6_pre {
        }
        chain nat_PRE_policy_allow-host-ipv6_log {
        }
        chain nat_PRE_policy_allow-host-ipv6_deny {
        }
        chain nat_PRE_policy_allow-host-ipv6_allow {
        }
        chain nat_PRE_policy_allow-host-ipv6_post {
        }
        chain mangle_PRE_policy_allow-host-ipv6 {
                jump mangle_PRE_policy_allow-host-ipv6_pre
                jump mangle_PRE_policy_allow-host-ipv6_log
                jump mangle_PRE_policy_allow-host-ipv6_deny
                jump mangle_PRE_policy_allow-host-ipv6_allow
                jump mangle_PRE_policy_allow-host-ipv6_post
        }
        chain mangle_PRE_policy_allow-host-ipv6_pre {
        }
        chain mangle_PRE_policy_allow-host-ipv6_log {
        }
        chain mangle_PRE_policy_allow-host-ipv6_deny {
        }
        chain mangle_PRE_policy_allow-host-ipv6_allow {
        }
        chain mangle_PRE_policy_allow-host-ipv6_post {
        }
}
  0#c#

Also nothing. Next try. Do ping from e to c and …

… on the c:

grep . /proc/sys/net/ipv4/conf/*/proxy_arp
ip neigh show
ip -4 rule list
ip -4 route list table all

… on the e:

ip neigh show

ok, show grep&ip before&during ping:

  #04:48:37#c#  grep . /proc/sys/net/ipv4/conf/*/proxy_arp
/proc/sys/net/ipv4/conf/all/proxy_arp:0                                     
/proc/sys/net/ipv4/conf/br128/proxy_arp:0                                   
/proc/sys/net/ipv4/conf/default/proxy_arp:0                                                                                                             
/proc/sys/net/ipv4/conf/eno1/proxy_arp:0                                    
/proc/sys/net/ipv4/conf/lo/proxy_arp:0
  0#04:50:13#c#  ip neigh show
10.3.8.3 dev br128 lladdr 0c:83:cc:b6:4c:0d STALE
10.3.8.5 dev br128 FAILED                                                   
10.3.8.7 dev br128 lladdr 68:f7:28:40:f3:46 REACHABLE
  0#04:51:52#c#  ip -4 rule list
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
  0#04:52:35#c#  ip -4 route list table all
default via 10.3.8.7 dev br128 proto dhcp src 10.3.8.9 metric 425 
10.3.8.0/24 dev br128 proto kernel scope link src 10.3.8.9 metric 425 
local 10.3.8.9 dev br128 table local proto kernel scope host src 10.3.8.9 
broadcast 10.3.8.255 dev br128 table local proto kernel scope link src 10.3.8.9 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
  0#c#
  #05:00:48#e#  ip neigh show|sort -nt. -k4
10.3.8.2 dev enp3s0 lladdr 3c:2e:ff:03:af:38 STALE                                                                                                      
10.3.8.3 dev enp3s0 lladdr 0c:83:cc:b6:4c:0d REACHABLE                                                                                                  
10.3.8.4 dev enp3s0 lladdr 3c:28:6d:fb:be:8c REACHABLE                                                                                                  
10.3.8.5 dev enp3s0 lladdr ec:b1:d7:60:62:80 STALE                                                                                                      
10.3.8.6 dev enp3s0 lladdr 4e:14:ff:42:51:92 STALE                                                                                                      
10.3.8.8 dev enp3s0 lladdr 10:62:e5:54:52:01 REACHABLE                                                                                                  
10.3.8.9 dev enp3s0 lladdr 4a:da:93:8f:8c:3a REACHABLE                                                                                                  
10.3.8.12 dev enp3s0 FAILED                                                                                                                             
10.3.8.17 dev enp3s0 FAILED                                                                                                                             
10.3.8.20 dev enp3s0 lladdr 5e:aa:1f:92:69:34 STALE                                                                                                     
10.3.8.21 dev enp3s0 FAILED                                                                                                                             
10.3.8.35 dev enp3s0 lladdr ae:12:84:b6:ba:88 STALE                                                                                                     
10.3.8.36 dev enp3s0 lladdr 2e:e5:25:82:f4:40 STALE                                                                                                     
10.3.8.46 dev enp3s0 FAILED                                                                                                                             
10.3.8.51 dev enp3s0 lladdr 6a:8f:bb:be:79:cf STALE                                                                                                     
10.3.8.57 dev enp3s0 FAILED                                                 
10.3.8.65 dev enp3s0 FAILED                                                 
10.3.8.67 dev enp3s0 lladdr c2:33:0f:0f:6e:a9 STALE                                                                                                     
10.3.8.68 dev enp3s0 FAILED                                                 
10.3.8.73 dev enp3s0 FAILED                                                 
10.3.8.76 dev enp3s0 lladdr 86:81:f6:3e:d3:53 STALE                                                                                                     
10.3.8.79 dev enp3s0 FAILED                                                 
10.3.8.87 dev enp3s0 lladdr 52:54:00:0f:4f:0d STALE
  $e$05:14:05$  ping -nc3 10.3.8.6
PING 10.3.8.6 (10.3.8.6) 56(84) bytes of data.
64 bytes from 10.3.8.6: icmp_seq=1 ttl=64 time=0.366 ms
64 bytes from 10.3.8.6: icmp_seq=2 ttl=64 time=0.380 ms
64 bytes from 10.3.8.6: icmp_seq=3 ttl=64 time=0.368 ms                                     
--- 10.3.8.6 ping statistics ---                                                            3 packets transmitted, 3 received, 0% packet loss, time 2014ms
rtt min/avg/max/mdev = 0.366/0.371/0.380/0.006 ms
  0$e$05:14:34$  ping -nc25 10.3.8.5
PING 10.3.8.5 (10.3.8.5) 56(84) bytes of data.
From 10.3.8.9 icmp_seq=1 Destination Host Unreachable
From 10.3.8.9 icmp_seq=2 Destination Host Unreachable
From 10.3.8.9 icmp_seq=3 Destination Host Unreachable
From 10.3.8.9 icmp_seq=4 Destination Host Unreachable
From 10.3.8.9 icmp_seq=5 Destination Host Unreachable
From 10.3.8.9 icmp_seq=6 Destination Host Unreachable
From 10.3.8.9 icmp_seq=7 Destination Host Unreachable
From 10.3.8.9 icmp_seq=8 Destination Host Unreachable
From 10.3.8.9 icmp_seq=9 Destination Host Unreachable
From 10.3.8.9 icmp_seq=10 Destination Host Unreachable
From 10.3.8.9 icmp_seq=11 Destination Host Unreachable
From 10.3.8.9 icmp_seq=12 Destination Host Unreachable
From 10.3.8.9 icmp_seq=13 Destination Host Unreachable
From 10.3.8.9 icmp_seq=14 Destination Host Unreachable
From 10.3.8.9 icmp_seq=15 Destination Host Unreachable
From 10.3.8.9 icmp_seq=16 Destination Host Unreachable
From 10.3.8.9 icmp_seq=17 Destination Host Unreachable
From 10.3.8.9 icmp_seq=18 Destination Host Unreachable
From 10.3.8.9 icmp_seq=19 Destination Host Unreachable
From 10.3.8.9 icmp_seq=20 Destination Host Unreachable
From 10.3.8.9 icmp_seq=21 Destination Host Unreachable
From 10.3.8.9 icmp_seq=22 Destination Host Unreachable
From 10.3.8.9 icmp_seq=23 Destination Host Unreachable
From 10.3.8.9 icmp_seq=24 Destination Host Unreachable
From 10.3.8.9 icmp_seq=25 Destination Host Unreachable
--- 10.3.8.5 ping statistics ---
25 packets transmitted, 0 received, +25 errors, 100% packet loss, time 24309ms
pipe 4
  1$e$
  #05:14:45#c#  grep . /proc/sys/net/ipv4/conf/*/proxy_arp
/proc/sys/net/ipv4/conf/all/proxy_arp:0
/proc/sys/net/ipv4/conf/br128/proxy_arp:0
/proc/sys/net/ipv4/conf/default/proxy_arp:0
/proc/sys/net/ipv4/conf/eno1/proxy_arp:0
/proc/sys/net/ipv4/conf/lo/proxy_arp:0
  0#05:14:46#c#  ip neigh show
10.3.8.3 dev br128 lladdr 0c:83:cc:b6:4c:0d REACHABLE 
10.3.8.5 dev br128 INCOMPLETE 
10.3.8.7 dev br128 lladdr 68:f7:28:40:f3:46 REACHABLE
  0#05:14:48#c#  ip -4 rule list
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
  0#05:14:50#c#  ip -4 route list table all
default via 10.3.8.7 dev br128 proto dhcp src 10.3.8.9 metric 425 
10.3.8.0/24 dev br128 proto kernel scope link src 10.3.8.9 metric 425 
local 10.3.8.9 dev br128 table local proto kernel scope host src 10.3.8.9 
broadcast 10.3.8.255 dev br128 table local proto kernel scope link src 10.3.8.9 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
  0#c#
  #05:14#e#  ip neigh show|sort -nt. -k4
10.3.8.2 dev enp3s0 lladdr 3c:2e:ff:03:af:38 STALE                                                                                                      
10.3.8.3 dev enp3s0 lladdr 0c:83:cc:b6:4c:0d REACHABLE                                                                                                  
10.3.8.4 dev enp3s0 lladdr 3c:28:6d:fb:be:8c REACHABLE                                                                                                  
10.3.8.5 dev enp3s0 lladdr ec:b1:d7:60:62:80 REACHABLE                                                                                                  
10.3.8.6 dev enp3s0 lladdr 4e:14:ff:42:51:92 DELAY                                                                                                      
10.3.8.8 dev enp3s0 lladdr 10:62:e5:54:52:01 REACHABLE                                                                                                  
10.3.8.9 dev enp3s0 lladdr 4a:da:93:8f:8c:3a REACHABLE                                                                                                  
10.3.8.12 dev enp3s0 FAILED 
10.3.8.17 dev enp3s0 FAILED 
10.3.8.20 dev enp3s0 lladdr 5e:aa:1f:92:69:34 STALE                                                                                                     
10.3.8.21 dev enp3s0 FAILED 
10.3.8.35 dev enp3s0 lladdr ae:12:84:b6:ba:88 STALE                                                                                                     
10.3.8.36 dev enp3s0 lladdr 2e:e5:25:82:f4:40 STALE                                                                                                     
10.3.8.46 dev enp3s0 FAILED 
10.3.8.51 dev enp3s0 lladdr 6a:8f:bb:be:79:cf STALE                                                                                                     
10.3.8.57 dev enp3s0 FAILED 
10.3.8.65 dev enp3s0 FAILED 
10.3.8.67 dev enp3s0 lladdr c2:33:0f:0f:6e:a9 STALE                                                                                                     
10.3.8.68 dev enp3s0 FAILED 
10.3.8.73 dev enp3s0 FAILED 
10.3.8.76 dev enp3s0 lladdr 86:81:f6:3e:d3:53 STALE                                                                                                     
10.3.8.79 dev enp3s0 FAILED 
10.3.8.87 dev enp3s0 lladdr 52:54:00:0f:4f:0d REACHABLE                                                                                                 
169.254.168.164 dev enp3s0 lladdr 10:5b:ad:b4:78:c3 STALE
  0#e#

Something answers ARP request. Which is the exact reason I requested the full binary packet capture, not text representation of an artifically restricted query.

ARP is broacast and any system may respond. If you can, use separate hub/switch (or if you have managed switch split their ports in separate VLAN), plug only these two systems there so nothing else can interfere and try again. Do you still observe this ghost IP?

i’m still fledgling with tshark, perhaps you might suggest good tshark command, also example of what exactly to do with result data.

I would try

tshark -i enp3s0 -f arp

ok, break communication with other than “e” and “c”, run capture on both and ping on “e”.

But didn’t you want binary?

  #c#  tshark -f arp -w ts                                                                                                                                                                  
Capturing on 'eno1'                                                                                                                                     
tshark: The file to which the capture would be saved ("ts") could not be opened: Permission denied.
  1#c#  echo x>ts                                                                                     [1036/1758]
  0#c#

root can write, what’s up with tshark?

Root is not god almighty on Linux. tshark (strictly speaking, dumpcap) drops all capabilities except ability to perform network capture, so it cannot write if directory permissions do not allow it according to the standard rules - owner, group and others.

Show ls -ld . in the directory where you run tshark.