
No traffic seen in Wireshark when I run arp -a

asked 2021-06-07 15:05:51 +0000

updated 2021-06-07 22:51:19 +0000 by Guy Harris

OS: W10 64 bit
Command prompt ran as admin
Wireshark ran as admin
Wireshark versions tested: local install of 3.4.6 and portable 3.4.5

I start the Wireshark capture and then proceed to run a few arp -a requests in the command prompt so I can analyze the traffic in Wireshark. However, when I go to Wireshark the ARP protocol traffic does not appear. I tried using the display filter arp and using the sort function to hopefully see the ARP traffic at the top, with no luck.

At times some ARP traffic appears, but not consistently. If it does appear as ARP protocol traffic then I see the MAC ID as all 0's or the MAC ID of my router. I would think that I would see ARP traffic from a broadcast MAC of all f's.

Question:

Why can't I see consistent ARP traffic being captured in Wireshark when I run the capture and run the command arp -a? Also, why isn't the broadcast MAC ID of all f's present in the capture of the ARP traffic when it does inconsistently appear?

Any help will be greatly appreciated - thanks!


Comments

Do NOT run Wireshark with elevated privileges; it's not required and is a potential security risk. See Wireshark Security for more info.

What interface are you capturing on?

grahamb (2021-06-07 15:13:49 +0000)

Thanks for the tip and reply.

I am capturing on the ethernet interface.

networkingisfun (2021-06-07 15:53:04 +0000)

2 Answers


answered 2021-06-07 16:17:25 +0000 by Chuckc

updated 2021-06-07 16:38:16 +0000 by grahamb

arp -a is a passive action showing the contents of the local ARP cache.

You can use arp -d to remove individual entries, or the whole cache with arp -d *.
If there is no entry in the cache, then something needing to access a local (on the same subnet) IP address (like ping) will force an ARP request.
In the example below there is only one interface. The subnet is determined from the Default Gateway and Subnet Mask.

arp -d will require Admin permissions.

https://docs.microsoft.com/en-us/wind...

https://docs.microsoft.com/en-us/wind...

C:\WINDOWS\system32>
C:\WINDOWS\system32>ipconfig  | findstr /I gateway
   Default Gateway . . . . . . . . . : 192.168.200.1

C:\WINDOWS\system32>ipconfig  | findstr /I mask
   Subnet Mask . . . . . . . . . . . : 255.255.255.0

C:\WINDOWS\system32>arp -a

Interface: 192.168.200.135 --- 0xf
  Internet Address      Physical Address      Type
  192.168.200.1         f0-9f-xx-xx-xx-xx     dynamic
  192.168.200.2         74-83-xx-xx-xx-xx     dynamic
  192.168.200.37        00-0c-xx-xx-xx-xx     dynamic
  192.168.200.100       bc-8c-xx-xx-xx-xx     dynamic
  192.168.200.205       c8-3a-xx-xx-xx-xx     dynamic
  192.168.200.209       c8-3a-xx-xx-xx-xx     dynamic
  192.168.200.245       00-0c-xx-xx-xx-xx     dynamic
  224.0.0.22            01-00-xx-xx-xx-xx     static
  228.67.43.91          01-00-xx-xx-xx-xx     static
  239.255.255.250       01-00-xx-xx-xx-xx     static

C:\WINDOWS\system32>arp -d *

C:\WINDOWS\system32>arp -a

Interface: 192.168.200.135 --- 0xf
  Internet Address      Physical Address      Type
  192.168.200.1         f0-9f-xx-xx-xx-xx     dynamic
  192.168.200.245       00-0c-xx-xx-xx-xx     dynamic
  224.0.0.22            01-00-xx-xx-xx-xx     static
  228.67.43.91          01-00-xx-xx-xx-xx     static

C:\WINDOWS\system32>
C:\WINDOWS\system32>ping 192.168.200.244

Pinging 192.168.200.244 with 32 bytes of data:
Control-C
^C
C:\WINDOWS\system32>arp -a

Interface: 192.168.200.135 --- 0xf
  Internet Address      Physical Address      Type
  192.168.200.1         f0-9f-xx-xx-xx-xx     dynamic
  192.168.200.37        00-0c-xx-xx-xx-xx     dynamic
  192.168.200.245       00-0c-xx-xx-xx-xx     dynamic
  224.0.0.22            01-00-xx-xx-xx-xx     static
  228.67.43.91          01-00-xx-xx-xx-xx     static

C:\WINDOWS\system32>ping 192.168.200.7

Pinging 192.168.200.7 with 32 bytes of data:
Reply from 192.168.200.7: bytes=32 time=3ms TTL=64

Ping statistics for 192.168.200.7:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 3ms, Maximum = 3ms, Average = 3ms
Control-C
^C
C:\WINDOWS\system32>arp -a

Interface: 192.168.200.135 --- 0xf
  Internet Address      Physical Address      Type
  192.168.200.1         f0-9f-xx-xx-xx-xx     dynamic
  192.168.200.7         b4-fb-xx-xx-xx-xx     dynamic
  192.168.200.37        00-0c-xx-xx-xx-xx     dynamic
  192.168.200.245       00-0c-xx-xx-xx-xx     dynamic
  224.0.0.22            01-00-xx-xx-xx-xx     static
  228.67.43.91          01-00-xx-xx-xx-xx     static

C:\WINDOWS\system32>

Comments

Thanks so much for the answer! Much appreciated!

networkingisfun (2021-06-07 16:22:00 +0000)

answered 2021-06-08 06:57:24 +0000 by BigFatCat

This is the same for clients, servers, routers, etc. An ARP request is sent when there isn't an ARP entry for the destination address. The destination address is in the same subnet as the local interface. The exception is multicast, because it uses a special MAC that is not assigned to any device.

An example: if your PC address is 192.168.1.2, subnet mask 255.255.255.0, gateway 192.168.1.1, the PC will check its ARP table for any traffic with the destination address in the range 192.168.1.0 - 192.168.1.254, excluding 192.168.1.2. The address 192.168.1.255 is broadcast and it is assigned ff:ff:ff:ff:ff:ff.

If the user was to try to ping 192.168.1.5, the PC checks the ARP table for 192.168.1.5. If it finds an entry, it uses the entry as the destination MAC. If there isn't an ARP entry, it must send an ARP request. If it doesn't receive an ARP reply, the application will time out.

If the user was to try to ping 8.8.8.8, the PC checks for an ARP entry for the gateway 192.168.1.1 (this is from my example). The destination MAC address for 8.8.8.8 will be the MAC address for 192.168.1.1.

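The decision rule both answers describe (Chuckc's "arp -d * then ping" sequence and BigFatCat's 192.168.1.x example), written out as an added Python model that is not part of either answer: whether a frame to a given destination needs a cache lookup for the host itself or for the gateway, when an ARP request (sent to ff:ff:ff:ff:ff:ff) must go out first, and why broadcast and multicast destinations never generate one. The sample cache contents and MAC addresses are constructed.

```python
import ipaddress

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def multicast_mac(ip: str) -> str:
    """IPv4 multicast MAC (RFC 1112): 01:00:5e + low 23 bits of the group."""
    b = ipaddress.IPv4Address(ip).packed
    return "01:00:5e:%02x:%02x:%02x" % (b[1] & 0x7F, b[2], b[3])


def next_hop(local_ip: str, mask: str, gateway: str, dest_ip: str) -> str:
    """IP whose MAC is needed: the host itself when it is on the local
    subnet (derived from address + mask), otherwise the default gateway."""
    net = ipaddress.IPv4Network(f"{local_ip}/{mask}", strict=False)
    return dest_ip if ipaddress.IPv4Address(dest_ip) in net else gateway


def resolve(local_ip, mask, gateway, dest_ip, arp_cache):
    """Return (dest_mac, arp_request_needed, resolved_ip).

    dest_mac is None when the cache has no entry for resolved_ip, i.e. the
    stack must first broadcast an ARP request (who-has resolved_ip) to
    ff:ff:ff:ff:ff:ff; the reply then comes back unicast to our own MAC.
    """
    dest = ipaddress.IPv4Address(dest_ip)
    net = ipaddress.IPv4Network(f"{local_ip}/{mask}", strict=False)
    if dest.is_multicast:                      # MAC is derived, no ARP ever
        return multicast_mac(dest_ip), False, None
    if dest == net.broadcast_address or dest_ip == "255.255.255.255":
        return BROADCAST_MAC, False, None      # broadcast frame, no ARP
    target = next_hop(local_ip, mask, gateway, dest_ip)
    mac = arp_cache.get(target)
    return mac, mac is None, target


if __name__ == "__main__":
    # Constructed sample: the PC from the answer above; cache holds only the gateway.
    cache = {"192.168.1.1": "f0:9f:00:00:00:01"}   # constructed MAC
    cfg = ("192.168.1.2", "255.255.255.0", "192.168.1.1")
    print(resolve(*cfg, "192.168.1.5", cache))     # (None, True, '192.168.1.5')
    print(resolve(*cfg, "8.8.8.8", cache))         # gateway MAC, no ARP request
    print(resolve(*cfg, "192.168.1.255", cache))   # ff:ff:ff:ff:ff:ff, no ARP
    cache.clear()                                  # same effect as 'arp -d *'
    print(resolve(*cfg, "8.8.8.8", cache))         # now an ARP request for the gateway
```

Running arp -a against this model changes nothing, which is the point of the first answer: only a cache miss triggered by real traffic (here, after clearing the cache) produces an ARP request in the capture.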
