arp who has... tell...

asked 2021-02-28 00:51:45 +0000

YHC
1 ●2

updated 2021-02-28 04:08:58 +0000

In our LAN, I see two servers keeps doing ARP broadcast:

Server 1 (running kaspersky server, iis server, and SQL server) : Doing ARP 'who has ... tell...' 'broadcast to a range of around 120 IPs in the same subnet. Theses IPs are not used in our LAN.

Server 2 (running iis server, and SQL server): Doing ARP 'who has ... tell...' 'broadcast to two specific IPs in the same subnet. Theses IPs are also not used in our LAN.

These IPs are not in the ARP table and I don'ts know why the servers are looking for their mac addresses.

Can any one advise us if it is normal and how to solve the problem?
Thank you.

edit retag flag offensive close merge delete

add a comment

answered 2021-02-28 12:47:19 +0000

JasMan

81 ●1 ●21 ●11

This is normal and nothing to worry about.

The ARP requests from the first server sounds like a network discovery from Kaspersky to identify all clients in the network. If a client answers to the request, Kaspersky will do further tests like "Is my Kaspersky client software installed and if yes, is it up-to-date?" and so on. The client will then appear in the client overview list of Kaspersky. You could temporary shutdown the Kaspersky services to double-check, if the ARP requests would disappear then.

The ARP requests from the second server to two specific IP addresses are diffcult to guess what they could be. My first guess was an old network drive which was previously reachable over a share on that IP addresses, and which is still configured on server 2. Have you checked that? You could also configure a client with one of the requested IP addresses and capture the traffic on that client. As soon as server 2 gets his answer to the ARP request, he will propably try to open a connection to that client. Depending on which destination port is used, you may can enclose the responsible process.

edit flag offensive delete link

Comments

Also for the IIS server, see if the ARP requests are following DNS requests pointing to the requested IP addresses in the ARP requests.

You can select one of the arp packets and then use the filter dns.a == ${arp.dst.proto_ipv4} or arp.dst.proto_ipv4 == ${arp.dst.proto_ipv4}

(this will look for all of the DNS responses pointing to the target ip address in the ARP request as well as all the arp requests requesting the target ip address)

SYN-bit ( 2021-03-01 09:52:03 +0000 )edit

No, the ARP requests are not following any DNS requests. Does that mean anything?

YHC ( 2021-03-02 01:19:57 +0000 )edit

It could mean that the names were resolved earlier than the time the capture was started (DNS records often have a 1 day time to live). You could check the DNS cache on the SQL server to see if there are entries pointing to the two IP addresses (ipconfig /displaydns). Or it could be that these IP addresses were hard-coded and DNS was not involved.

I like the suggestion of @JasMan to configure a system with these two IP addresses and see what type of traffic is sent to it. That way you get a clue which process might be trying to reach these IP addresses.

SYN-bit ( 2021-03-03 23:50:48 +0000 )edit

add a comment

arp who has... tell...

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

arp who has... tell... edit

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

arp who has... tell...