This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Is this normal ARP for cable service?

0

http://www.cloudshark.org/captures/79e79275d8ce

I sniffed this from a laptop plugged directly into my cable modem.

I get HAMMERED with arp on my cable service. My ISP IT support is not very knowledgeable (did not know what ARP was) and my activity lights are on constant flicker mode. It really makes the lights useless and all the traffic cannot be good for anything.

I read in a few places this could be considered normal or might be due to virus infected machines on my subnet? Is this normal? Can I do anything about it?

Thank you,

asked 08 Jun '12, 15:52

pluribus's gravatar image

pluribus
1446
accept rate: 0%

edited 08 Jun '12, 15:53

PS I have a router running dd-wrt between the modem and my LAN normally but I want to be clear that this traffic is directly from the modem.

When I hook back in the router, the lights on that go insane as well, I assume from dropping all those ARP packets?

Confused, seems really extreme.

(08 Jun '12, 15:56) pluribus

One Answer:

0

Seems pretty normal to me. I have a cable modem as well, and tons of ARP requests on it. As far as I know cable modem providers usually have all (or at least a lot) of their customers in the same broadcast domain, which leads to all the ARPs requests showing up.

You can see in your trace that the query is coming from the .1 IP ("who has xyz, please tell a.b.c.1"). That is usually the default gateway, looking for one of the nodes in the subnet. The replies are unicast frames, which is why you don't see them.

And no, you can't do anything about the requests. The provider could by redesigning his network architecture, but I doubt he will - and I'm not sure it is even possible for cable modem architectures. So all you can do is drop all the unwanted stuff at your firewall/router.

answered 09 Jun '12, 08:25

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%