This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

ARP Broadcast

0

My main router (66.xxx.xx.x) is sending an arp broadcast to every ip address on my network (66.xxx.xx.1-256) and it repeats this process three times in a second. When the router sends the arp broadcast and repeats three times in a second it throws an alarm stating a possible broadcast storm in a piece of equipment attached to the network. Is it normal for a router to send an arp broadcast to every ip three times in a row in one second? And could this be some type of broadcast storm? Any suggestions on how to stop this from happening would be great. Thanks

asked 08 Jan '16, 12:27

austinh

Is it normal for a router to send an arp broadcast to every ip three times in a row in one second?

I do know one particular type of routing equipment which is cyclically sending arp requests to all individual IPs in the subnet on purpose, but not as frequently as 3 times per second per IP. The declared purpose in that case is to avoid waiting for an arp response when a "real" packet for that IP arrives and needs to be sent.

But what I do not like about your situation is that the same equipment which sends the arp requests is claiming that there are too many of them.

Could you please clarify whether

  • the router behaves like this all the time or only from time to time,

  • the target subnet is 66.xxx.xx.0/24 (i.e. 253 addresses plus network address (.0) plus broadcast address (.255) plus router (.1))?

If there is an external cause of that, Wireshark can help you identify it, provided that you can capture at all interfaces of the router.

But if the arp requests are really sent so frequently also to IP addresses which respond to them, I'm afraid that the root cause is internal to the router and you'll have to claim the issue with its manufacturer.

(08 Jan '16, 16:40) sindy

The router behaves like this from time to time. Some days the event occurs multiple times and some days it does not occur at all. The router has an ip of 66.xxx.xx.1 and the rest of the ip's are from 66.xxx.xx.2-254 plus the broadcast address of 66.xxx.xx.255.

(09 Jan '16, 08:34) austinh

OK, and what about the arp responses from the IPs in the subnet? I mean, how many of the 253 IPs are actually in use, do they respond to the arp requests, and do the arp requests come 3 times per second also to the IPs which respond to them?

(09 Jan '16, 08:45) sindy

One Answer:

0

Is it normal for a router to send an arp broadcast to every ip three times in a row in one second?

It depends. If somebody sends packets to the router with a destination of 66.x.x.0-255 then the router has to send ARP requests to be able to forward the frames at L2. If that's the case, then somebody might scan your network (from behind the router), which will cause the ARP "storm".

Another reason could be a buggy router firmware, or somebody on the network is sending the ARPs with the MAC address of the router (for whatever reason). Hard to tell, without more insight into your network infrastructure.

Regards
Kurt

answered 08 Jan '16, 15:06


Kurt Knochner ♦

edited 09 Jan '16, 11:52

@Kurt Knochner, I dare to disagree with

If somebody sends packets to the router with a destination of 66.x.x.0-255 then the router has to send ARP requests to be able to forward the frames at L2

as the root cause of 3 arp requests per second.

Yes, the first packet for a given dst IP after a long period of time (the lifetime of an arp cache record) causes an arp request to be sent, but if it gets responded to, the router doesn't need to send further arp requests to the same IP until the record in the cache expires again, which should normally not happen in 1/3 second, as the arp cache lifetime is usually units or tens of seconds.

So what you wrote is true if the packets from outside are coming with a dst IP which is not assigned in the target subnet, but not if such IP is assigned and responds to arp requests. I think we need @austinh's clarification as the .1-.256 range may be a typo or may mean that the subnet is really larger than 256 addresses and only the lowest 256 ones are affected.

(08 Jan '16, 16:25) sindy

So what you wrote is true if the packets from outside are coming with a dst IP which is not assigned in the target subnet, but not if such IP is assigned and responds to arp requests.

I know. As the OP did not tell anything about local clients answering the ARP requests or not, both my and your assumption is only speculation. So let's wait until the OP adds more information ;-)

(09 Jan '16, 05:13) Kurt Knochner ♦

The router behaves like this from time to time. Some days the event occurs multiple times and some days it does not occur at all.

So, either it's the router itself who is sending the ARP requests (bug, or an external trigger as I mentioned), or an internal system is simply using the MAC address of the router to send the requests (for whatever reason). A managed switch will tell you on which port it sees the MAC address of the router. If it's only on the port where the router is physically connected, it's the router who is sending the ARP requests. If the switch reports that MAC address on another port as well, it's another system on your network that is "faking" the router MAC.

(09 Jan '16, 11:43) Kurt Knochner ♦
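
The thread leaves one question open that a capture can answer: are the repeated requests going to hosts that answer, or only to addresses that stay silent? The sketch below is an added example, not code from any poster; it assumes ARP packets exported as tab-separated fields (for instance with `tshark -Y arp -T fields -e frame.time_epoch -e arp.opcode -e arp.src.hw_mac -e arp.src.proto_ipv4 -e arp.dst.proto_ipv4`), and the addresses, the 1-second window and the name `classify_targets` are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample, not data from the thread. Tab-separated columns:
# frame.time_epoch, arp.opcode (1=request, 2=reply), arp.src.hw_mac,
# arp.src.proto_ipv4, arp.dst.proto_ipv4
SAMPLE = "\n".join([
    "100.00\t1\t02:00:00:00:00:01\t192.0.2.1\t192.0.2.10",
    "100.01\t2\t02:00:00:00:00:0a\t192.0.2.10\t192.0.2.1",
    "100.33\t1\t02:00:00:00:00:01\t192.0.2.1\t192.0.2.10",
    "100.34\t2\t02:00:00:00:00:0a\t192.0.2.10\t192.0.2.1",
    "100.00\t1\t02:00:00:00:00:01\t192.0.2.1\t192.0.2.20",
    "100.33\t1\t02:00:00:00:00:01\t192.0.2.1\t192.0.2.20",
    "100.66\t1\t02:00:00:00:00:01\t192.0.2.1\t192.0.2.20",
    "100.00\t1\t02:00:00:00:00:01\t192.0.2.1\t192.0.2.30",
    "100.02\t2\t02:00:00:00:00:1e\t192.0.2.30\t192.0.2.1",
    "160.00\t1\t02:00:00:00:00:01\t192.0.2.1\t192.0.2.30",
    "160.01\t2\t02:00:00:00:00:1e\t192.0.2.30\t192.0.2.1",
])

def classify_targets(text, router_ip, window=1.0):
    """Label each IP the router ARPs for by how its requests repeat."""
    requests = defaultdict(list)  # target IP -> times the router asked for it
    replies = defaultdict(list)   # host IP -> times it answered the router
    for line in text.strip().splitlines():
        ts, opcode, _mac, src_ip, dst_ip = line.split("\t")
        if opcode == "1" and src_ip == router_ip:
            requests[dst_ip].append(float(ts))
        elif opcode == "2" and dst_ip == router_ip:
            replies[src_ip].append(float(ts))
    verdicts = {}
    for target, times in requests.items():
        times.sort()
        verdict = "normal"
        for prev, cur in zip(times, times[1:]):
            if cur - prev > window:
                continue  # spaced out: ordinary cache refresh
            if any(prev <= r <= cur for r in replies[target]):
                # Asked again although the host had just answered.
                verdict = "re-requested despite reply"
                break
            verdict = "repeated, unanswered"
        verdicts[target] = verdict
    return verdicts

if __name__ == "__main__":
    for ip, verdict in classify_targets(SAMPLE, "192.0.2.1").items():
        print(ip, verdict)
```

Targets labelled "repeated, unanswered" fit the explanation of traffic arriving for unassigned addresses; targets labelled "re-requested despite reply" fit the explanation that the cause lies with the sender of the requests.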