Getting a lot of Who has Tell

asked 2020-02-17 16:59:48 +0000

samwifgac gravatar image

30.30 is the first IP in a DHCP scope but nothing has this address (at least, nothing has this address any longer). How can I get stuff to stop looking for it?

1 Answer

answered 2020-02-17 17:15:30 +0000

grahamb gravatar image

This is an ARP request. Some process on is looking for the MAC address of, likely because it wants to send some traffic on it. seems likely to be a gateway device (by the .1 IP) so does it have a static route or forwarding rule for the .30 IP?

30.1 is the gateway. static route for vlan 30. The arp table doesn't show a 30.30 ip, though.

samwifgac gravatar imagesamwifgac ( 2020-02-17 17:27:35 +0000 )edit

Can you capture traffic coming into on its other interfaces, either by running a sniffer on the gateway or by using a tap of some sort? Perhaps some host on a network other than the one on which you saw the ARP requests is sending a packet to the gateway to be forwarded to

Guy Harris gravatar imageGuy Harris ( 2020-02-17 17:46:16 +0000 )edit

new to wireshark so I'm not certain. If its possible from within Wireshark, I'd need a little push in the right direction.

samwifgac gravatar imagesamwifgac ( 2020-02-17 20:22:20 +0000 )edit

