Why so much ARP traffic?


Jeanette

I recently reinstalled Windows 2000 server and workstation on my
network, in a workgroup, on an older P3 Server and workstation to
function as file and print servers.

After they installed I noticed a lot of traffic on the network. I did a
packet sniff to see what it all was and I found a ton of ARP traffic
from both machines.

Each was a request from every possible IP address on my subnet.

Each one was asking each IP for a reply.

Is there any way to cut down this traffic? If so what would be the best way?

Thanks

Jeanette
 
Jeanette said:
I recently reinstalled Windows 2000 server and workstation on my
network, in a workgroup, on an older P3 Server and workstation to
function as file and print servers.

After they installed I noticed a lot of traffic on the network. I did a
packet sniff to see what it all was and I found a ton of ARP traffic
from both machines.

Each was a request from every possible IP address on my subnet.

Each one was asking each IP for a reply.

Is there any way to cut down this traffic? If so what would be the best
way?

Thanks

Jeanette

It only happens once, doesn't it? Whenever I bring a new server on-line
for the first time it sets off alarms, probably because sequential ARPs
are interpreted as a precursor to some kind of attack (I've never
bothered sniffing it because it happens every time). I believe it also
attempts some SNMP discovery. Under normal situations, ARPs should only
happen when an IP address that's not in the local ARP cache is being
contacted. If it is persistent, try killing processes in task manager
until you find the offending one.

....kurt
 
Kurt said:
It only happens once, doesn't it? Whenever I bring a new server on-line
for the first time it sets off alarms, probably because sequential ARPs
are interpreted as a precursor to some kind of attack (I've never bothered
sniffing it because it happens every time). I believe it also attempts
some SNMP discovery. Under normal situations, ARPs should only happen when
an IP address that's not in the local ARP cache is being contacted. If it
is persistent, try killing processes in task manager until you find the
offending one.

ARP caches have a short life span,..so as far as I know it is very common,
and normal, to see lots and lots of ARP requests all the time.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

The views expressed are my own (as annoying as they are), and not those of
my employer or anyone else associated with me.
-----------------------------------------------------
 
Phillip said:
ARP caches have a short life span,..so as far as I know it is very common,
and normal, to see lots and lots of ARP requests all the time.

Seems to be continuous. Each address being asked to respond and there
are hundreds of possible addresses.

So this is normal and I should not worry about all this traffic?

Jeanette
 
Jeanette wrote:
Seems to be continuous. Each address being asked to respond and there
are hundreds of possible addresses.

So this is normal and I should not worry about all this traffic?

Jeanette

As Phillip points out, ARP caches are short-lived (maybe a minute or
so), so it's not unusual to have lots of ARPs for real, existing hosts
that a computer is legitimately trying to contact. It IS unusual to have
a succession of ARPs for every possible IP address in the subnet
occurring over and over again. If these weren't clean installs, I would
suspect a virus. This is typical of malware attempting to locate every
single host on a network so it can do its dastardly deed. Since these
are clean installs, you need to identify the process then google
possible causes / solutions.

....kurt
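
The distinction drawn in this thread, as an added example (not code from any poster): count, per sender, how much of the subnet it ARPs for and how often, so a host walking every address repeatedly stands apart from one re-resolving a few real peers as its cache expires. The `tcpdump -n -tt arp` line format is real; the thresholds, the 192.168.1.0/24 subnet and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Matches ARP request lines as printed by `tcpdump -n -tt arp`.
ARP_REQ = re.compile(r"ARP, Request who-has (\d+\.\d+\.\d+\.\d+) tell (\d+\.\d+\.\d+\.\d+),")

def find_sweepers(lines, subnet, min_coverage=0.5, min_passes=2):
    """Return {sender: (coverage, passes)} for hosts that repeatedly ARP for most of the subnet.

    coverage = distinct in-subnet targets / usable host addresses
    passes   = average number of requests per distinct target (rounded down)
    Thresholds are assumptions; tune them against a baseline capture.
    """
    net = ipaddress.ip_network(subnet)
    usable = max(net.num_addresses - 2, 1)
    per_sender = defaultdict(Counter)   # sender IP -> Counter of target IPs
    for line in lines:
        m = ARP_REQ.search(line)
        if m and ipaddress.ip_address(m.group(1)) in net:
            per_sender[m.group(2)][m.group(1)] += 1
    flagged = {}
    for sender, targets in per_sender.items():
        coverage = len(targets) / usable
        passes = sum(targets.values()) // len(targets)
        if coverage >= min_coverage and passes >= min_passes:
            flagged[sender] = (round(coverage, 3), passes)
    return flagged

def build_sample():
    """Constructed capture text, not real traffic."""
    fmt = "{:.6f} ARP, Request who-has {} tell {}, length 28"
    lines, t = [], 1000.0
    for _ in range(2):                  # .10 walks the whole /24 twice
        for h in range(1, 255):
            if h != 10:
                lines.append(fmt.format(t, f"192.168.1.{h}", "192.168.1.10"))
                t += 0.01
    for _ in range(5):                  # .20 re-resolves two real peers as its cache expires
        for peer in ("192.168.1.1", "192.168.1.10"):
            lines.append(fmt.format(t, peer, "192.168.1.20"))
            t += 60.0
    return lines

if __name__ == "__main__":
    for host, (cov, passes) in find_sweepers(build_sample(), "192.168.1.0/24").items():
        print(f"{host}: asked for {cov:.0%} of the subnet, about {passes} times each")
```

A single pass over the subnet (the one-time burst described for a freshly installed server) stays below `min_passes` and is not flagged.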
 
Seems to be continuous. Each address being asked to respond and there are
hundreds of possible addresses.

So this is normal and I should not worry about all this traffic?

I wouldn't.
If you're looking for a BoogyMan, this isn't it.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

The views expressed are my own (as annoying as they are), and not those of
my employer or anyone else associated with me.
-----------------------------------------------------
 
Phillip said:
I wouldn't.
If you're looking for a BoogyMan, this isn't it.

There is no virus. I have checked for that. Both are new clean installs.

Is there any way to set the ARP requests so they don't check every PC
possible address on the subnet?

Jeanette
 
Jeanette said:
There is no virus. I have checked for that. Both are new clean installs.

Is there any way to set the ARP requests so they don't check every PC
possible address on the subnet?

Since Ethernet functions by broadcasts,..and broadcasts are received by
every machine,...and also sent by every machine at some point,...sooner or
later every machine has to have a valid ARP entry for every machine on the
LAN at some point in time,...so why do you want to "break" that?

In all honesty, just put away the network sniffer and forget about it. Use
the sniffer when you actually have a specific, verifiable, problem to
solve,...using it to just stare at to see what is there usually only causes
people to see black helicopters and flying saucers and think there is a
hacker under every rock.

Ethernet has a *massive* overhead. It is a system based on "contention" with
the primary method of "broadcasting" and the more a person knows about it
the more you realise that it is a wonder that it even actually works at all.
That's why you shouldn't have more than 250-300 hosts per segment which
causes the number of broadcasts to eat up too much of the bandwidth
percentage. But it is what it is, and that's the way it is, and that's the
way it will always be until some other new technology replaces it in the
traditional LAN.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

The views expressed are my own (as annoying as they are), and not those of
my employer or anyone else associated with me.
-----------------------------------------------------

 
Phillip said:
Since Ethernet functions by broadcasts,..and broadcasts are received by
every machine,...and also sent by every machine at some point,...sooner or
later every machine has to have a valid ARP entry for every machine on the
LAN at some point in time,...so why do you want to "break" that?

In all honesty, just put away the network sniffer and forget about it. Use
the sniffer when you actually have a specific, verifiable, problem to
solve,...using it to just stare at to see what is there usually only causes
people to see black helicopters and flying saucers and think there is a
hacker under every rock.

Ok I was having a problem, that's why I was doing the sniffing in the
first place sometimes

I was seeing some devices losing connection and having to come back
online. And the only thing out of the ordinary was the huge amount of
ARP broadcasts.

That's why I was asking.

Jeanette



But it seems to not be d
 
Jeanette said:
Ok I was having a problem, that's why I was doing the sniffing in the first
place sometimes

Ok.

I was seeing some devices losing connection and having to come back
online.

A lot of times that is a hardware issue. Maybe bad cables, too long of
cables, cables getting interference from the local environment. Also maybe
bad switches/hubs or bad individual ports on switches/hubs.

There is also firmware on the hardware. For example, I've had broadband
devices (Linksys in my case) that performed erratically until the firmware was
flashed with newer versions.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

The views expressed are my own (as annoying as they are), and not those of
my employer or anyone else associated with me.
-----------------------------------------------------
 