
ARP Delay when pinging a local machine

asked 2018-09-23 22:28:24 +0000

This problem was presented to me by one of my professors because it only happened after switching from 100Mb cards to Gigabit NICs. The second ARP request that comes from the computer being pinged (to send a reply back) doesn't get sent until after the pings have gone through. I decided to do some testing at home with a couple of VMs and see if I could find the cause. After clearing the ARP cache on both machines (arp -d) and pinging, I got the same results as my professor, but I can't seem to figure out why. I did some googling and found someone with a similar issue using Linux (I'm using Windows 10). It said something about there being a stale entry within the ARP table as well as something called a first probe delay, but I was never able to find any information about either of those things for Windows. Does anyone know why this might be happening?

Example of what I captured with Wireshark


1 Answer


answered 2018-09-24 08:25:12 +0000

updated 2018-09-24 08:35:44 +0000

Why do you call it an "issue" or "problem"? I can't see any problem here. It's rather an implementation.

To figure out why it's happening, I suspect it's necessary to review the kernel source code (for Linux) or ask a question on some Windows developer forum (for Windows). I performed some tests and have found absolutely similar behavior with Windows 7, x64 CentOS, and ARM 32-bit Linux at any speed, no matter whether 100Mbit/s or 1G.

ARP queries from the PC being pinged are directed, so it seems they're aimed at performing some ARP table maintenance.

Check this very informative thread also.



I imagine that the NICs being changed had little to do with it, but it was the only thing he had changed in the lab computers before seeing this change. We assumed it would be 2 ARP requests at the top so both machines can retrieve the MAC address of the other system. So it would go something like:

  1. ARP Request
  2. ARP Reply
  3. ICMP Packet Send
  4. ARP Request
  5. ARP Reply
  6. ICMP Packet Received
  7. ICMP Packet Sent
  8. ICMP Packet Received

I'm assuming the computer is smarter than that and can do the first 5 packets or so in a single ARP request. I'm not sure if a protocol has changed within a Windows machine or if it's simply because there was an issue with the previous cards.

I also saw that thread during my googling before posting this question, I was just hoping someone could explain a bit better as to ...(more)

SkyParrillo ( 2018-09-24 15:19:20 +0000 )

Don't forget that the PC being pinged does not need to do an ARP request at all; it just takes the source MAC from the incoming ICMP packet (or even before that, from the very first incoming ARP request) and places it in the "destination MAC" field of the ARP and later ICMP reply.

This is why I thought about some additional maintaining/verifying process.

Packet_vlad ( 2018-09-24 17:33:22 +0000 )

Did some more tests: Ubuntu 18.04, Debian with Kernel 2.6.32, Mobotix IP camera (Linux based), Kernel 2.6.37, Rubytech Gigabit PoE switch with custom FW, Angstrom Linux ARM.

So, the pattern is quite consistent.

Whereas ESXi 5, Cisco IOS 12 - the pattern was not observed.

Packet_vlad ( 2018-09-25 09:56:21 +0000 )
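As an added example (not part of the original thread and not any poster's code): the Python sketch below classifies Ethernet frames from a constructed capture, separating broadcast ARP requests from the directed (unicast) ones the answer describes, and lists the directed requests that appear only after the first echo reply. The MAC and IP addresses, the frames and all function names are constructed for illustration.

```python
import struct

BROADCAST = b"\xff" * 6
A_MAC, B_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")  # constructed
A_IP, B_IP = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])                    # constructed

def eth(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload

def arp(op, sha, spa, tha, tpa):
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4; op 1=request, 2=reply
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, sha, spa, tha, tpa)

def icmp_echo(icmp_type, src, dst, seq):
    # Checksums are left at zero: the classifier below does not verify them.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0, src, dst)
    return ip + struct.pack("!BBHHH", icmp_type, 0, 0, 1, seq)

def classify(frame):
    dst, ethertype = frame[:6], struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x0806:                            # ARP
        op = struct.unpack("!H", frame[20:22])[0]
        if op == 2:
            return "arp-reply"
        return "arp-request-broadcast" if dst == BROADCAST else "arp-request-directed"
    if ethertype == 0x0800 and frame[23] == 1:         # IPv4, protocol 1 = ICMP
        icmp_type = frame[14 + (frame[14] & 0x0F) * 4]  # skip IP header (IHL words)
        return {8: "echo-request", 0: "echo-reply"}.get(icmp_type, "icmp-other")
    return "other"

def late_directed_requests(frames):
    """Indices of unicast ARP requests seen after the first echo reply."""
    kinds = [classify(f) for f in frames]
    if "echo-reply" not in kinds:
        return []
    first = kinds.index("echo-reply")
    return [i for i, k in enumerate(kinds) if i > first and k == "arp-request-directed"]

CAPTURE = [  # constructed frames: A pings B, B later sends a directed ARP request to A
    eth(BROADCAST, A_MAC, 0x0806, arp(1, A_MAC, A_IP, bytes(6), B_IP)),
    eth(A_MAC, B_MAC, 0x0806, arp(2, B_MAC, B_IP, A_MAC, A_IP)),
    eth(B_MAC, A_MAC, 0x0800, icmp_echo(8, A_IP, B_IP, 1)),
    eth(A_MAC, B_MAC, 0x0800, icmp_echo(0, B_IP, A_IP, 1)),
    eth(A_MAC, B_MAC, 0x0806, arp(1, B_MAC, B_IP, bytes(6), A_IP)),
    eth(B_MAC, A_MAC, 0x0806, arp(2, A_MAC, A_IP, B_MAC, B_IP)),
]

if __name__ == "__main__":
    for i, f in enumerate(CAPTURE):
        print(i, classify(f))
```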
