This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

What is normal ARP percentage in the Protocol Hierarchy Statistics?

0

I have captured around 30,000 packets and am looking at the ARP statistics and noticed that the ARP traffic seems a little high. What percentage should it be?

Thanks.

asked 05 Jul '12, 14:59

Gump3rs's gravatar image

Gump3rs
1111
accept rate: 0%

what exactly is "a little high" and how many devices are there on the network?

(06 Jul '12, 01:01) Kurt Knochner ♦

One Answer:

3

The answer is not as simple as "What percentage should it be?" For example, over a one-minute period, I captured 905 packets on my workstation, of which 681 were ARP requests. That's 75% of the total. However, my computer was idle at the time so during that time period, there were only 61 packets to/from my computer. There were 793 broadcasts of one sort or another, including the ARPs.

This is a switched network, so I see all the ARP requests, because they are broadcasts, but I don't see non-broadcast traffic to/from other systems, so I have no idea what percentage of total network traffic the ARPs constitute.

During another one-minute period when I was actively opening and refreshing web pages, I captured 4,510 packets, of which 716 were ARPs. Even though there were 5% more ARPs this time, because the link was much more active, they constituted only 16% of the total traffic.

So, rather than what percentage of total traffic the ARPs are, a better questions is: Is the absolute level of ARP traffic on your network so high that it's causing a problem? That's unlikely. ARP traffic is rarely so high that it causes network congestion. However, note that Wireshark does have the capability to detect ARP request storms, so you might want to make sure that's enabled and possibly tinker with the values. The default setting is to detect 30 or more ARP requests in 100 ms or less as an ARP request storm.

To get a feel for what constitutes the range of "normal" ARP levels, capture traffic in as many different locations/networks/times as you can. If performance on those networks is acceptable, then ARP levels are acceptable as well. If performance on those networks is not acceptable, something is wrong, although it is likely something other than excessive ARPs.

answered 05 Jul '12, 16:12

Jim%20Aragon's gravatar image

Jim Aragon
7.2k733118
accept rate: 24%

edited 05 Jul '12, 18:40