Wireshark-users: Re: [Wireshark-users] Why are there a lot of ARP traffic in a network?

From: "Sake Blok" <sake@xxxxxxxxxx>
Date: Wed, 22 Jul 2009 21:15:32 +0200
There is always a risk in saying something like that. 20% of arp traffic on a switch port with lots of traffic is worrisome, but 80% of arp traffic on a switch port where almost no application data is present is totally normal. Let's go at it another way....
 
I assume for a moment that all the computers are XP. Let's see what the maximum amount of arp requests in the broadcast domain could become. XP flushes idle arp entries after 2 minutes and active arp entries after 10 minutes. So in theory, if all systems have the nasty habit of sending each other a packet after 120 seconds so that the entry is already flushed, then we would have the maximum amount of arp traffic. So, 200 systems arping all 199 other systems every 120 seconds would result in 200*199/120 = ~332 arp requests/second. So anything above that is definitely something to look into.
 
More realistically, let's assume there is a gateway to the internet and about 10 servers that the 190 clients communicate with regularly. All servers also communicate with each other and the internet too. That would result in:
 
One router arping every 10 minutes for all 200 hosts
Ten servers arping every 10 minutes for all 200 hosts
190 clients arping every 10 minutes for the router
190 clients arping every 10 minutes for 10 servers
 
All in all (1*200)+(10*200)+(190*1)+(190*10) = 4290 arp requests in 10 minutes, i.e. about 7 requests/second.
 
So basically, understanding the arp protocol and knowing the timers of your hosts, you can get a ballpark figure to what is a normal rate of arp traffic for your particular network. Examining the arp traffic on your network is a good thing to do. Concentrate on one host at first (filter with arp.src.proto_ipv4 == 192.168.1.46 for example). Then repeat for a few others. Also look at a non-filtered trace and look at the conversations to get an idea of who talks to who. And then you can tell whether the arp traffic on your network is above what you would have expected.
 
Have fun :-)
 
Hope this helps,
Cheers,
    Sake
 
 
----- Original Message -----
Sent: Wednesday, July 22, 2009 5:40 PM
Subject: Re: [Wireshark-users] Why are there a lot of ARP traffic in a network?

What is a lot? Arp traffic typically shouldn’t be more than 20% of a typical capture.  Could always reduce your broadcast domain to cut down on the amount of ARP traffic…

 

Adam

 

 


From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Pablo Brozovich
Sent: Wednesday, July 22, 2009 11:23 AM
To: wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] Why are there a lot of ARP traffic in a network?

 

There are approximately 200 computers in my work and I want to know the reason why there is a lot of ARP traffic in its network?

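Added example, not part of the original thread: the ballpark estimate from Sake's reply turned into a per-host budget, so that senders of ARP requests in a capture can be compared against what their role would explain. The role names, the tolerance factor of 3 and the sample request counts are assumptions constructed for illustration; the host counts and timers are the ones given in the reply.

```python
from collections import Counter

# Role model from the reply: role -> (hosts in role, peers each host resolves).
# A client resolves the router plus the 10 servers, hence 11.
ROLES = {"router": (1, 200), "server": (10, 200), "client": (190, 11)}
ACTIVE_TIMEOUT_S = 600  # XP flushes active ARP entries after 10 minutes
IDLE_TIMEOUT_S = 120    # XP flushes idle ARP entries after 2 minutes

def worst_case_rate(hosts, timeout_s=IDLE_TIMEOUT_S):
    """Upper bound: every host re-resolves every other host per idle timeout."""
    return hosts * (hosts - 1) / timeout_s

def expected_rate(roles=ROLES, timeout_s=ACTIVE_TIMEOUT_S):
    """ARP requests/second in the broadcast domain under the role model."""
    return sum(n * peers for n, peers in roles.values()) / timeout_s

def per_host_budget(role, window_s, roles=ROLES, timeout_s=ACTIVE_TIMEOUT_S):
    """Requests a single host of this role should send in window_s seconds."""
    return roles[role][1] * window_s / timeout_s

def flag_senders(requests, role_of, window_s, tolerance=3.0):
    """requests: one sender IP per ARP request seen during the window.
    Returns {ip: (count, budget)} for senders above tolerance * budget.
    Hosts missing from role_of are treated as clients (assumption)."""
    flagged = {}
    for ip, count in Counter(requests).items():
        budget = per_host_budget(role_of.get(ip, "client"), window_s)
        if count > tolerance * budget:
            flagged[ip] = (count, budget)
    return flagged

# Constructed sample: sender IPs of ARP requests in a 600-second capture.
SAMPLE_WINDOW_S = 600
SAMPLE_ROLE_OF = {"192.168.1.1": "router", "192.168.1.10": "server"}
SAMPLE_REQUESTS = (
    ["192.168.1.1"] * 180       # router, budget 200
    + ["192.168.1.10"] * 210    # server, budget 200
    + ["192.168.1.46"] * 12     # client, budget 11
    + ["192.168.1.77"] * 508    # client resolving far more peers than its role explains
)

if __name__ == "__main__":
    print(f"worst case: {worst_case_rate(200):.1f} req/s")
    print(f"role model: {expected_rate():.2f} req/s")
    hits = flag_senders(SAMPLE_REQUESTS, SAMPLE_ROLE_OF, SAMPLE_WINDOW_S)
    for ip, (count, budget) in hits.items():
        print(f"{ip}: {count} requests in window, budget {budget:.0f}")
```

A flagged sender is the host to look at first with the `arp.src.proto_ipv4` filter mentioned in the reply.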