This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

arp gone wild

0

The server goes crazy from time to time with arp who has? tell? packets beyond the range of our network. We use x.x.4-10.x, but the server begins making massive requests at x.x.11.x and running up the range. I have stopped the computer browser service on the server. Any ideas on what is causing this and how to stop it?

asked 14 Jul '14, 08:40

Stringer

Can you please post the following information:

  • OS and OS release
  • IP configuration of that server (ipconfig /all)
  • a sample capture file with those ARP requests on Google Drive, Dropbox or cloudshark.org

(15 Jul '14, 00:39) Kurt Knochner ♦

One Answer:

1

One possible explanation is a misconfigured subnet mask. If the server believes that x.x.11.x is part of its own local subnet, and it wants to reach those IPs, it won't address it to the MAC of its gateway and will instead try to resolve the local MACs with ARP requests.

Can you confirm the subnet mask that is configured, and the intended subnet size? If the range you gave there is meant to represent one whole subnet (x.x.4-10.x), then that would call for a minimal subnet mask length of 20, or 255.255.240.0, which would put x.x.11.x into that same subnet, which would explain the ARPs.

answered 14 Jul '14, 18:35

Quadratic

edited 14 Jul '14, 18:45

@Quadratic, I will change the subnet mask and see if it limits the arp requests.

Your attention to this is much appreciated.

(15 Jul '14, 08:30) Stringer

What is the intended subnet mask of this network, and what is it currently on the server? A /20 subnet mask isn't necessarily "wrong", depending on your network design, but it would explain why you're seeing the ARPs.

(15 Jul '14, 15:06) Quadratic
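
The subnet arithmetic from the answer above, as an added example that is not part of the original posts: it computes the smallest single subnet covering the x.x.4-10.x range, shows which IP a host ARPs for under a given mask, and labels ARP targets taken from a capture. The `10.20` prefix, host and gateway addresses, the target list and all function names are constructed for illustration.

```python
import ipaddress

def smallest_covering_network(first, last):
    """Smallest single CIDR block that contains both addresses."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    prefix = 32 - (lo ^ hi).bit_length()   # number of shared leading bits
    return ipaddress.IPv4Network((lo, prefix), strict=False)

def arp_target(host_ip, prefix_len, dest, gateway):
    """IP the host must resolve with ARP in order to reach dest."""
    iface = ipaddress.IPv4Interface(f"{host_ip}/{prefix_len}")
    if ipaddress.IPv4Address(dest) in iface.network:
        return dest        # on-link: ARP for the destination itself
    return gateway         # off-link: ARP only for the gateway

def classify_arp_targets(host_ip, prefix_len, first, last, targets):
    """Label ARP target IPs seen in a capture against the configured mask."""
    iface = ipaddress.IPv4Interface(f"{host_ip}/{prefix_len}")
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    labels = {}
    for t in targets:
        addr = ipaddress.IPv4Address(t)
        if lo <= addr <= hi:
            labels[t] = "in intended range"
        elif addr in iface.network:
            labels[t] = "outside range, on-link under configured mask"
        else:
            labels[t] = "off-link, mask does not explain it"
    return labels

# Constructed sample values: 10.20 stands in for the elided "x.x".
FIRST, LAST = "10.20.4.0", "10.20.10.255"
HOST, GATEWAY = "10.20.4.10", "10.20.4.1"
SEEN = ["10.20.6.20", "10.20.11.1", "10.20.11.2", "10.20.16.5"]

if __name__ == "__main__":
    net = smallest_covering_network(FIRST, LAST)
    print(net, net.netmask)
    print("/20 ->", arp_target(HOST, net.prefixlen, "10.20.11.1", GATEWAY))
    print("/24 ->", arp_target(HOST, 24, "10.20.11.1", GATEWAY))
    labels = classify_arp_targets(HOST, net.prefixlen, FIRST, LAST, SEEN)
    for ip, label in labels.items():
        print(ip, "->", label)
```

Targets labelled off-link are not accounted for by the mask alone, so ARP requests for them point to some other cause.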