This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I ran a packet capture on my wired network today. Each floor is separated into a /23 space and we're not even at 50% usage (many users prefer wireless). The capture I ran showed anywhere between 15-75% of total packets were ARP requests.

The source/destination ip's vary, but for example if I filter by one arp destination address, I see one host querying for another every 1.2 seconds or so and making up 0.5% of the total packets captured. Obviously no one is replying to this host, so it is sending out the same ARP query over and over. Other hosts are also querying for the same destination host as well, and there are multiple destinations being queried for. It's not all the same source/destination.

I could enable broadcast storm-control on our switches, but I don't think that would solve the root of the problem, which seems to be that we're seeing so much of this type of traffic. What is strange here is that the hosts being queried for appear to be DHCP clients or standard users, so I'm not sure why other clients are querying for them.

Any thoughts on this traffic, or what could be done to stop it?

asked 13 Jul '16, 16:42

pwz's gravatar image

pwz
11113
accept rate: 0%


Did you use a Monitor/SPAN port, or just captured plugged in into a random port? Because if you do not did not mirror traffic you'll only see broadcast and multicast. That also explains why you see no ARP answers, because they are unicast and you won't see them without a montior/SPAN session.

See this page for more information about how to capture: https://wiki.wireshark.org/CaptureSetup/Ethernet

permanent link

answered 13 Jul '16, 16:45

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

edited 13 Jul '16, 16:47

Hi Jasper,

That is a good point -- I did only capture from a random switch port which captured broadcasts visible, but not unicast arp replies. Still, it is my understanding that arp requests unanswered would prompt another arp request, which is what we are seeing.

Tomorrow I plan to perform a SPAN session with the user who brought the original issue to our attention. I hope to be able to compare their traffic to my own, and potentially find the root cause of the original issue.

Thank you for replying, it is the correct answer for the question I asked and I will mark it as such.

pwz

(13 Jul '16, 19:11) pwz

if you have the SPAN session you should see the ARP answers. If not you need to find out why not (the most common reasons is a wrong subnet mask, meaning that the source node thinks it can reach the destination directly while it can't). If you see the answers you need to find out why they aren't cached.

(14 Jul '16, 01:09) Jasper ♦♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×205
×78
×9

question asked: 13 Jul '16, 16:42

question was seen: 1,464 times

last updated: 14 Jul '16, 01:09

p​o​w​e​r​e​d by O​S​Q​A