ARP Storming???
I am relatively new to Wireshark, recently accepted a new IT position, network seems a bit slow so I did a couple packet captures. I am seeing about 160 ARPs each second, The "TELL" is to our Domain Controller's IP and the source is the DC's ethernet MAC, but the "Who has" IPs are various subnets that we do not use or have devices configured on. Here's a sample of the packet capture. Any ideas or information would be helpful, just not sure where to start looking.
1 0.000000 0.000000 IntelCor_df:c2:xx Broadcast ARP 60 Who has 192.168.74.225? Tell 192.168.xx.xx
2 0.000863 0.000863 IntelCor_df:c2:xx Broadcast ARP 60 Who has 192.168.74.226? Tell 192.168.xx.xx
3 0.001597 0.000734 IntelCor_df:c2:xx Broadcast ARP 60 Who has 192.168.74.227? Tell 192.168.xx.xx
4 0.002253 0.000656 IntelCor_df:c2:xx Broadcast ARP 60 Who has 192.168.74.228? Tell 192.168.xx.xx
5 0.002920 0.000667 IntelCor_df:c2:xx Broadcast ARP 60 Who has 192.168.74.229? Tell 192.168.xx.xx
6 0.114876 0.111956 IntelCor_df:c2:xx Broadcast ARP 60 Who has 192.168.74.230? Tell 192.168.xx.xx
7 0.115710 0.000834 IntelCor_df:c2:xx Broadcast ARP 60 Who has 192.168.74.231? Tell 192.168.xx.xx
8 0.116356 0.000646 IntelCor_df:c2:xx Broadcast ARP 60 Who has 192.168.74.232? Tell 192.168.xx.xx
9 0.1169xx 0.000619 IntelCor_df:c2:xx Broadcast ARP 60 Who has 192.168.74.233? Tell 192.168.xx.xx
10 0.117628 0.000653 IntelCor_df:c2:xx Broadcast ARP 60 Who has 192.168.74.234? Tell 192.168.xx.xx