This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Network Crash

0

My local network keeps crashing during the night and I am having to reboot my vpn server every morning. I heard about this wireshark and decided to install it and capture data from my local network and while the network is down this is what I am getting:

11 06:34:10.245845000 IntelCor_3a:e9:9f Broadcast ARP 42 who has 00.000.00.000? Tell 11.111.11.11

This is the only item that is being captured so I have pages and pages of this exact same message.

I have entered zero's and one's for the ip address so that I can keep our IP address private. Can someone tell me what could possible be wrong. Have been working on this issue for almost three weeks and I am going nuts trying to figure this out.

Thanks Tony

asked 11 Sep '15, 06:22

tonyc's gravatar image

tonyc
6112
accept rate: 0%

Not much to go on. Is the real "has" IP relevant to your systems?

(11 Sep '15, 06:40) grahamb ♦

Hello grahamb

Yes the real IP address is for our main system (basically our main frame) and the "tell" is my vpn server which provides internet to all pc's locally and allows other vpn servers (satalite locations) to dial in and have access to the main frame as well across the vpn. The switches that I use locally are all unmanaged.

(11 Sep '15, 07:06) tonyc

Do you have any filtering on your captures? That message is a broadcast, so I suspect other traffic, including the non-broadcast response, isn't being captured.

Note that for long-term captures, you should really use dumpcap from the command line, Wireshark (and tshark) will run out of memory due to the state they keep.

(11 Sep '15, 07:45) grahamb ♦

There is no filtering on the capture. This is the only message that keeps coming up in Wireshark and nothing else, no answer from the "has" at all, the network just keeps asking and asking and asking.

(11 Sep '15, 08:31) tonyc

Then something is preventing you capturing all the traffic. On which host or switch are you capturing?

(11 Sep '15, 08:39) grahamb ♦

Run a packet capture on the vpn server and also check the arp table. Do it for a working and a non working state.

(12 Sep '15, 05:23) Roland
showing 5 of 6 show 1 more comments