This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Help with spanning tree and Excessive ARP requests

0

Hi, I am a new to wireshark and have trying to help my uncle with his internet troubles. I have seen Excessive ARP requests which I think its either the switch that cant find the mac address or the printers are auto searching. And the spanning tree im guessing there tracking cookies? not really sure. I would be really grateful if anyone could help me with this problem. I uploaded the test documented.

https://app.box.com/s/r426ixoncpfoyz28t0cv

Thank you

asked 02 Sep '14, 09:47

killmasta93's gravatar image

killmasta93
-1668
accept rate: 0%


One Answer:

0

Spanning tree looks fine to me, no topology change and BPDUs in normal quantities and timings. BTW Spanning tree has nothing to do with cookies - STP is a layer 2 protocol, while cookies are usually at layers above 4.

You've got about 13% ARP in the trace, which is not really good, but not critical either unless it takes away bandwith (which peaks at 2.5MBit/s in your case, so it really doesn't). What you can do is take some of the ARP requests, e.g. when 192.168.1.254 asks for the MAC of 192.168.1.5 (which happens a lot) and find out if that IP exists at all and if the request is answered. For that you need to capture the port of at least one of the hosts that hold those IP addresses.

What exactly is the "internet trouble" of your uncle? A more specific problem description would be helpful.

answered 02 Sep '14, 11:05

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

Hi Jasper, Thank you so much for helping me out i really appreciate it. Around last week my uncle changed internet provider to get fiber optics to 20MBit/s download and upload. Since then many workers have complained that accessing a internet page would take forever. So today I thought of flushing the DNS and renewing the ip, which it did the trick. My other question would it be beneficial if i added static ip to the desktop computers? And would you recommend changing the DNS to the OPENDNS settings? And for some of the ARP requests once i found the port should i set it static within the switch? Also what was very odd but not sure if it has to do with the network i found adware webwise tracking cookies which my antivirus caught once i connected though LAN. The cookies were @doubleclick.net,@msnportal.112.207.net, and @orphancleanup. I found those many times in other computers when I started to clean the computers. I checked though google but did not really get a concrete answer if it was the network.

Thank you again for everything

(02 Sep '14, 18:30) killmasta93

Static IPs for desktops have advantages and drawbacks. Advantage is that it is easier to identify which desktop an IP address belongs to, but the disadvantage is that it takes more administrative work to assign and maintain them (which is why desktops usually use DHCP)

You can use OpenDNS if you want, but usually the DNS of the internet provider is the best option because response times are faster than something further away.

You should not map static ARP anywhere, because if something moves from one port to the other it'll be hell to troubleshoot. So any static ARP stuff should only happen in really high security environments where changes don't happen often and are well tracked.

Adware cookies are everywhere - if you don't want them, use a cookie manager or tell your browser to forget them when you close it.

(03 Sep '14, 01:49) Jasper ♦♦

Hi, Thank you again for helping me to understand.

(06 Sep '14, 11:49) killmasta93