This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

ARP Question

0

I am a novice Wireshark user. I noticed yesterday while trying to solve an unrelated problem that ARP requests appeared to be a majority of the traffic on our network. After letting Wireshark run for a while, it was nearly 60%. As I looked closer, it appears that our router is sending ARP packets to IP addresses that don't even exist on our network at least every second. One specific IP address that is not in use on our network (could have been at one time, with DHCP and all) totaled almost 5000 ARP requests in about an hour. Is this normal ARP behavior?

asked 02 Mar '11, 12:01


InTheCloud
accept rate: 0%


3 Answers:

3

It is normal to see a pretty high ARP request count if you just capture traffic passively without the use of a SPAN/Mirror Port or any other capture method, because you'll mostly see broadcast traffic (which includes ARP messages).

The one thing worth investigating might be the fact that there are ARP requests for non-existent IP addresses in your network (even though this is pretty common in most networks; you already mentioned DHCP being a reason for it). Maybe someone is running a network scan, or there is a misconfiguration somewhere pointing to that IP address. ARP requests are used to find MAC (hardware) addresses to be able to send IP packets to the correct network card of the receiving node. If you see ARP requests for an IP that should not exist, you might want to find out why and who triggers the ARP. This can be a time-consuming process because you need to find the origin of the IP packet that resulted in the ARP request. Routers often ARP for IPs without being the sender of the IP packet that triggered the ARP request, so you need to find out what station does.

answered 02 Mar '11, 14:42


Jasper ♦♦
accept rate: 18%

edited 02 Mar '11, 14:43
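An added example (not part of the original thread or of Wireshark) that automates the check Jasper describes: parse raw Ethernet/ARP frames, measure what share of the frames is ARP, and list the target IPs that are requested but never answered, together with the MAC addresses doing the asking. The frames below are constructed inline for the demonstration; the MAC and IP values are made up. Real captures would be fed in from a pcap reader instead.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6
ZERO_MAC = b"\x00" * 6


def mac_str(raw):
    """Render a 6-byte hardware address as aa:bb:cc:dd:ee:ff."""
    return ":".join(f"{x:02x}" for x in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet frame carrying an ARP request or reply (constructed test data)."""
    dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = dst + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    # htype=Ethernet, ptype=IPv4, hlen=6, plen=4, operation
    arp = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, op)
    arp += sender_mac + IPv4Address(sender_ip).packed
    arp += target_mac + IPv4Address(target_ip).packed
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not an Ethernet/IPv4 ARP frame."""
    if len(frame) < 42:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": str(IPv4Address(frame[28:32])),
        "target_ip": str(IPv4Address(frame[38:42])),
    }


def arp_summary(frames):
    """Share of ARP in the capture plus every target IP that was requested but never replied."""
    total = len(frames)
    arp_count = 0
    requests = defaultdict(lambda: {"count": 0, "requesters": set()})
    answered = set()
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None:
            continue
        arp_count += 1
        if arp["op"] == ARP_REQUEST:
            entry = requests[arp["target_ip"]]
            entry["count"] += 1
            entry["requesters"].add(arp["sender_mac"])
        elif arp["op"] == ARP_REPLY:
            # A reply proves the sender IP is alive on the segment.
            answered.add(arp["sender_ip"])
    unanswered = {
        ip: (v["count"], sorted(v["requesters"]))
        for ip, v in requests.items()
        if ip not in answered
    }
    return {"arp_share": arp_count / total if total else 0.0, "unanswered": unanswered}


# Constructed sample capture: a router repeatedly asks for 192.168.1.50 (nobody home),
# asks once for 192.168.1.10 (which answers), plus two non-ARP IPv4 frames.
ROUTER_MAC = bytes.fromhex("001122334455")
HOST_MAC = bytes.fromhex("aabbccddeeff")
SAMPLE_FRAMES = (
    [build_arp(ARP_REQUEST, ROUTER_MAC, "192.168.1.1", ZERO_MAC, "192.168.1.50")] * 5
    + [build_arp(ARP_REQUEST, ROUTER_MAC, "192.168.1.1", ZERO_MAC, "192.168.1.10")]
    + [build_arp(ARP_REPLY, HOST_MAC, "192.168.1.10", ROUTER_MAC, "192.168.1.1")]
    + [HOST_MAC + ROUTER_MAC + struct.pack("!H", ETHERTYPE_IPV4) + b"\x00" * 28] * 2
)


def sample_result():
    return arp_summary(SAMPLE_FRAMES)


if __name__ == "__main__":
    result = sample_result()
    print(f"ARP share of capture: {result['arp_share']:.0%}")
    for ip, (count, requesters) in result["unanswered"].items():
        print(f"{ip}: {count} unanswered requests from {', '.join(requesters)}")
```

The "unanswered" list is the starting point for the hunt Jasper describes: each entry names the requester MAC, which on a router usually means the router is forwarding someone else's packets, so the next step is to capture on the router's other side (or on a SPAN port) and find which station is sending IP packets to that address.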

1

I had this same issue at my home network. I checked out the router and noticed in the DHCP client list there was a device listed with that IP, but that device was turned off and had been for some time. After some further investigation I noticed that the DHCP lease time was set to "forever", causing this device to remain in the client list; therefore the router continued to send ARP requests to a non-existent PC. I changed the lease time to two weeks, then refreshed the client list; the device was no longer listed. Ran another packet capture and the ARP requests no longer appeared.

answered 31 Jan '13, 18:46


kidicarus81
accept rate: 0%

0

As was previously stated, you do see a lot of ARPs. One reason is that you may not be seeing all of the traffic on your network, but you are seeing all of the ARPs. If that truly becomes an issue, there are some ways to mitigate them. One way is to break the network into smaller broadcast domains. Another would be to use private VLANs to limit connectivity between workstations.

answered 03 Mar '11, 10:04


Paul Stewart
accept rate: 6%