This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark trace on my Windows 7 machine with a LAN IP 192.168.3.100. I saw a lot of ARP requests

0

I ran a Wireshark trace on my Windows 7 machine with a LAN IP 192.168.3.100. I saw a lot of ARP requests like 'Who has 192.168.1.165? Tell 192.168.3.9', etc. with different IPs which are not my machine's IP. What is going on? Good/Bad? Do you propose any changes to my network?

asked 17 Feb '15, 07:57

Vinee


One Answer:

0

ARP comes up in many variations, most good, some bad. Its primary use is to find the MAC address of the host handling the IP address. This could be to see where to address the Ethernet frame on the network, or to check if any host is indeed using this IP address. This last one can be used by a DHCP server to check for address collisions, or to check the alive status of a host on the network, to see if an IP address has become available again.

It may be that a computer (e.g. laptop in suspend) wakes up connected to your network and tries to reestablish contact with a host from the previously connected network. If it falls in the same (private) IP network range, it tries to ARP for its MAC address (which has been forgotten).

It could be used for a network scan to see which (IP-)hosts are present on the network. This could be used for detection purposes, or a scan by a malicious program. There's no way to tell from the ARP traffic itself.

All in all a (relative) lot of ARP traffic is somewhat common and by itself nothing to be alarmed about.

answered 18 Feb '15, 02:36

Jaap ♦

Thanks Jaap for the response

(18 Feb '15, 03:02) Vinee
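
The kinds of ARP request described in the answer can be tallied per sender from a capture. The following Python is an added example, not part of the original answer and not Wireshark code: it parses raw ARP request frames and counts, per sender MAC, ordinary lookups, RFC 5227 probes (sender IP 0.0.0.0), gratuitous announcements and requests for targets outside the local network. The /24 mask, the MAC addresses and every sample IP other than the two quoted in the question are assumptions, and the frames are constructed.

```python
import ipaddress
import struct
from collections import Counter, defaultdict

ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa

def parse_arp_request(frame):
    """Return (sender_mac, sender_ip, target_ip) for an IPv4-over-Ethernet ARP request."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":   # too short / not ARP
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen, oper) != (1, 0x0800, 6, 4, 1):  # oper 1 = request
        return None
    return sha.hex(":"), ipaddress.IPv4Address(spa), ipaddress.IPv4Address(tpa)

def classify(sender_ip, target_ip, net):
    if int(sender_ip) == 0:
        return "probe"          # RFC 5227 conflict probe: sender IP 0.0.0.0
    if sender_ip == target_ip:
        return "announcement"   # gratuitous ARP
    if target_ip not in net:
        return "off-subnet"     # target outside the assumed local network
    return "resolution"         # ordinary "who has X?" lookup

def summarize(frames, local_net):
    """Per sender MAC: distinct target IPs asked for and a count of each request kind."""
    net = ipaddress.ip_network(local_net)
    stats = defaultdict(lambda: {"targets": set(), "kinds": Counter()})
    for frame in frames:
        parsed = parse_arp_request(frame)
        if parsed:
            mac, sip, tip = parsed
            stats[mac]["targets"].add(tip)
            stats[mac]["kinds"][classify(sip, tip, net)] += 1
    return stats

def make_request(mac, sip, tip):
    """Build a constructed broadcast ARP request frame (sample data only)."""
    sha = bytes.fromhex(mac.replace(":", ""))
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 1, sha, ipaddress.IPv4Address(sip).packed,
                      bytes(6), ipaddress.IPv4Address(tip).packed)
    return b"\xff" * 6 + sha + b"\x08\x06" + arp

# Constructed sample traffic; MACs and all IPs except the question's are invented.
SAMPLE = [make_request("02:00:00:00:00:09", "192.168.3.9", "192.168.1.165"),
          make_request("02:00:00:00:00:09", "192.168.3.9", "192.168.3.1"),
          make_request("02:00:00:00:00:0b", "0.0.0.0", "192.168.3.50"),
          make_request("02:00:00:00:00:0b", "192.168.3.50", "192.168.3.50")]
SAMPLE += [make_request("02:00:00:00:00:0c", "192.168.3.77", f"192.168.3.{i}") for i in range(1, 21)]
```

Calling `summarize(SAMPLE, "192.168.3.0/24")` shows which senders ask for many distinct addresses; the counts describe the pattern only and say nothing about the sender's purpose.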