ARP packets to public IP addresses

asked 2019-06-14 01:43:16 +0000

INS1 gravatar image

Hello- I recently ran a capture on my LAN. The LAN has only the default VLAN and 2 IP networks, 192.168.10.x/24 and 10.251.114.x/24. Routing between the two IP networks is performed using a static route on a Sonicwall TZ500 firewall.

I have 200+ wireless clients. The clients are magnetic card readers as opposed to end-user devices such as laptops or smartphones. For a small number of the wireless clients - say less than 5% -- I am seeing them attempting to send ARP requests to publicly-routable IP addresses. In other words, IP addresses NOT on my LAN. The IP addresses are destined for different geographic locations in Asia and North America.

My understanding is that ARP is a non-routable, layer-2 broadcast protocol. This tells me that it should operate on my LAN only. I am suspicious of this activity being malware at worst or a poorly designed wireless device at best.


edit retag flag offensive close merge delete


Can you give us some specific examples which ip addresses the strange clients requesting?

Christian_R gravatar imageChristian_R ( 2019-06-16 18:25:37 +0000 )edit