Wireshark-users: Re: [Wireshark-users] Why are there a lot of ARP traffic inanetwork?

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: "Phillips, Christopher M" <cmphil@xxxxxxxxxxx>
Date: Mon, 27 Jul 2009 10:25:59 +0100

Problems to look out for are arp requests for the lots sequential ip addresses (or just lots of local ips that don’t get replies). I find on my network this is a dead give away for some hosts have viruses which are trying to spread.  More clever ones try to randomise the arps a bit but I have scripts to check for say if a host arps for 150 local ip addresses that don’t exist mark them as doing something dodgy.

 

Also if you interested in arp related things on the network its worth googling “arp poisoning”.  Lots of good info.

 

If you want to go the static arp route be aware Vista does not obey information inputted using the standard arp command (even though it won’t actually complain).

 

Most arp traffic I see on standard idling windows boxes are generated by samba, UPNP (disable this where you can!), and bonjour, Apple’s equiv to upnp.

 

-Chris

 

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of John Martin [john.martin@xxxxxxxxx]
Sent: 23 July 2009 16:49
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Why are there a lot of ARP traffic inanetwork?

 

Learn to love the arp command’s –s switch and start entering static arp entries. And while you’re at it, use static IP addresses and get rid of those pesky DHCP broadcasts. ;-)

 

Seriously though, it only looks like a lot.  If you were to set up a network monitoring station running something like NTOP, you’d see that as a percentage of total traffic and bandwidth, the ARP broadcasts would not be significant.  ARP packets are small and are ignored by every machine unless they’re the machine that needs to respond.  Take a look at the requesting stations.  On my network the big ARP broadcasters tend to be domain controllers, files and print servers, and routers.  I wouldn’t be surprised if that’s what you found.  Just about everyone who’s started using a traffic analyzer has been surprised by the number of broadcasts on their networks. 

 

 

From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Pablo Brozovich
Sent: Thursday, July 23, 2009 9:33 AM
To: wireshark-users@xxxxxxxxxxxxx
Subject: Re: [Wireshark-users] Why are there a lot of ARP traffic inanetwork?

 

I am looking at a 200-second trace with 10,511 packets, in this case there are 7,720 ARP packets (73.45%). Can I take it easy? What can I do to reduce those ARP packets in the network's traffic?

<-----Original Message----->
From: Ian Schorr [wireshark-users@xxxxxxxxxxxxx]

Sent: 22/7/2009 6:22:22 PM

To: Community support list for Wireshark

Subject: Re: [Wireshark-users] Why are there a lot of ARP traffic inanetwork?


I've found people (especially those that don't analyze traffic often) frequently misinterpret traffic volumes during idle periods.

I've had people tell me "it looks like the network is suddenly flooded with broadcasts", to find that they were simply looking at a capture of a time where not much was happening. 


For example, they might be looking at a 100-second trace where the host they were monitoring was busy, then relatively idle for a 90 second period, then busy again.  As they browse through a packet list, they'd see that the first 4,000 packets might be primarily host-specific data, then the next 4,000 primarily ARPs and CDP packets and BPDUs and things, and then host data again.  So "obviously" there's suddenly a period where there are a "lot" of broadcasts.  But they don't notice that the deltas between each packet has changed, and so even though the packet list suddenly shifted to being mostly broadcast traffic, the RATE of ARPs and things didn't change.  But psychologically they just don't see it that way - they just see that suddenly the percentage of broadcast packets is suddenly different.  It's pretty common, partly a result of the way the packet list is presented.  I do it sometimes myself.


All I'm saying is that when you say "a lot of ARP" traffic, is it really "a lot"?  Or do you just see MOSTLY ARP (and maybe other broadcast) traffic because there's not much else going on the network segment you're monitoring?  How many ARPs do you see per second? 

_______________________________________________________________
El mejor servicio de email de clase mundial ahora en México. Conóce Mail2World.