I am new to Wireshark. I keep getting this request from my Windows 7 Ethernet adapter to the router. When running Wireshark with the filter eth.type == 0x0806, I see the following:

Number - 37932, Time - 17:16:41.240610, Source - AsustekC_f5:9d:a0, Destination - Broadcast, Protocol - ARP, Length - 42

The IP address is my laptop. When the laptop is on, it is identified by MAC address. When it is off, this request keeps asking who has this address. This does not happen to the other devices (laptop or printers) on my network when they are turned off. Any ideas on why this is happening? Thanks

asked 02 Aug '11, 15:28 Rattlesnake, edited 02 Aug '11, 15:29
2 Answers:
What you see are ARP requests, meaning that a device (in this case with the MAC address AsustekC_f5:9d:a0 and the IP address 192.168.1.100) wants to know the MAC address for another IP, in this case 192.168.1.102. Network frames on Ethernet networks need to be delivered to MAC addresses, and since the node with IP 192.168.1.100 wants to talk to 192.168.1.102 it needs to find out which MAC address the node with IP 192.168.1.100 actually has. This information is discarded every once in a while and a new question is sent, in case the Ethernet address (MAC) for the IP has changed in the meantime. You should see ARP requests (ethertype 0x0806) like that for all IPs your PC is talking to and that it doesn't already know. If a device is turned off you might still see ARP requests for its IP address. You can check your ARP cache on the command line using the command "arp -a", and clear it using "arp -d". On Windows 7 you might need elevated user rights to clear the ARP cache though (meaning, you need to start the command line "as administrator").

answered 02 Aug '11, 16:50 Jasper ♦♦
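To make the answer above concrete, here is an added example (not from the original thread or from Wireshark) that builds and decodes the 42-byte Ethernet + ARP frames a filter of eth.type == 0x0806 shows: a broadcast request ("Who has 192.168.1.102? Tell 192.168.1.100") and the unicast reply. The MAC addresses are made up, since the page only shows the vendor prefix AsustekC; the IPs are the ones discussed in the thread.

```python
"""Build and decode raw ARP frames of the kind a capture filter of eth.type == 0x0806 shows."""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(part, 16) for part in mac.split(":"))


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(part) for part in ip.split("."))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp_frame(op: int, sender_mac: str, sender_ip: str,
                    target_mac: str, target_ip: str) -> bytes:
    """Build a 42-byte Ethernet II + ARP frame (no FCS), the length seen in the question.

    A request goes to the Ethernet broadcast address; a reply goes unicast to the
    MAC that asked.
    """
    eth_dst = BROADCAST_MAC if op == ARP_REQUEST else target_mac
    ethernet = mac_to_bytes(eth_dst) + mac_to_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # htype 1 (Ethernet), ptype 0x0800 (IPv4), hlen 6, plen 4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    return ethernet + arp


def parse_arp_frame(frame: bytes) -> dict:
    """Parse an Ethernet II frame carrying IPv4-over-Ethernet ARP; raise ValueError otherwise."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {
        "eth_dst": bytes_to_mac(eth_dst),
        "eth_src": bytes_to_mac(eth_src),
        "op": op,
        "sender_mac": bytes_to_mac(sha),
        "sender_ip": bytes_to_ip(spa),
        "target_mac": bytes_to_mac(tha),
        "target_ip": bytes_to_ip(tpa),
    }


def describe(arp: dict) -> str:
    """Render the packet in the style of Wireshark's Info column."""
    if arp["op"] == ARP_REQUEST:
        return f"Who has {arp['target_ip']}? Tell {arp['sender_ip']}"
    if arp["op"] == ARP_REPLY:
        return f"{arp['sender_ip']} is at {arp['sender_mac']}"
    return f"ARP opcode {arp['op']}"


# Constructed sample traffic: the MACs are made up (the page only shows the vendor
# prefix AsustekC); the IPs are the ones discussed in the thread.
DESKTOP_MAC = "02:00:00:f5:9d:a0"
LAPTOP_MAC = "02:00:00:aa:bb:cc"
SAMPLE_REQUEST = build_arp_frame(ARP_REQUEST, DESKTOP_MAC, "192.168.1.100",
                                 "00:00:00:00:00:00", "192.168.1.102")
SAMPLE_REPLY = build_arp_frame(ARP_REPLY, LAPTOP_MAC, "192.168.1.102",
                               DESKTOP_MAC, "192.168.1.100")

if __name__ == "__main__":
    for frame in (SAMPLE_REQUEST, SAMPLE_REPLY):
        arp = parse_arp_frame(frame)
        print(f"{len(frame)} bytes  {arp['eth_src']} -> {arp['eth_dst']}  {describe(arp)}")
```

Running it prints one line per frame; the request's Ethernet destination is ff:ff:ff:ff:ff:ff (hence "Broadcast" in the Destination column of the question), while the reply is addressed to the requester's MAC. When the laptop is off, only the first kind of frame ever appears in the capture.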
When you see ARP requests for an IP address which belongs to a system (your laptop in this case) that has been switched off, this means someone in the network still wants to communicate with the system that is switched off. It could be that there were still open file shares or TCP connections to it when the system was taken off the network. Or maybe you have enabled some port forwarding rules on your router and someone from the Internet is trying to connect to one of the forwarded ports. Have a look on the system that is arping to see what could be the reason. Also, when turning the system back on, you will see what kind of communication follows the ARP process, then you know what kind of traffic was causing the system to ARP.

answered 03 Aug '11, 01:15 SYN-bit ♦♦
I looked into what has been going on and found that someone had at one time had an HP printer directly hooked up to a wireless router. When the desktop was looking for a printer, the HP was available and was connected at IP address 192.168.1.102. This information was stored in the registry on the desktop. The printer was taken from the desktop and another laptop was added to the network at the same IP address. This was not known at the time of installation. We began to get weird responses on the laptop. We installed Wireshark and then we found that the network adapter on our desktop was broadcasting who is at IP address 192.168.1.102. I used the arp -a and -d commands as administrator. The problem went away for a week, but we kept being broadcast on another printer that was installed this week. It appears that our network is being spoofed. Any ideas on what software can be used to detect what is going on?
Thanks
FYI I converted your answer to a comment.
Seems to me you might have trouble with duplicate IP addresses if I understand the setup correctly: if the printer was once hosted at the router and had the IP 192.168.1.102 the router might still be configured with that IP. The Desktop has the same IP, so that could be a problem. I'd check the router config to make sure this is not the case.
And I doubt the network is being spoofed, it is much more common to have some sort of a misconfiguration that is the reason for trouble. Keep in mind: ARP requests are broadcasts, ARP replies are unicast.
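The two comments above suggest sorting the ARP traffic in the capture into requests that nobody answers (a host that is off) and IPs that more than one MAC claims (a duplicate-IP misconfiguration, or in the worst case spoofing). Here is an added example (not from the original thread) that does exactly that over a constructed list of ARP events in the tuple form (time, opcode, sender MAC, sender IP, target IP); the `reply_window` of one second and all MAC addresses are assumptions for the demonstration.

```python
"""Classify ARP traffic from a capture: unanswered requests and conflicting replies."""
from collections import defaultdict

ARP_REQUEST, ARP_REPLY = 1, 2


def analyse_arp(events, reply_window=1.0):
    """events: iterable of (time, op, sender_mac, sender_ip, target_ip) tuples.

    A request is counted as unanswered when no reply from the target IP appears
    within reply_window seconds after it (reply_window is an assumed value).
    Gratuitous requests (sender IP == target IP) are announcements and are skipped.

    Returns a dict with:
      unanswered - {target_ip: number of requests nobody answered in time}
      claims     - {ip: sorted MACs that sent a reply for that ip}
      conflicts  - the subset of claims where two or more MACs claimed one ip
    """
    events = sorted(events, key=lambda e: e[0])
    replies = [(t, sender_ip) for t, op, _mac, sender_ip, _tgt in events if op == ARP_REPLY]
    unanswered = defaultdict(int)
    claims = defaultdict(set)
    for t, op, sender_mac, sender_ip, target_ip in events:
        if op == ARP_REPLY:
            claims[sender_ip].add(sender_mac)
        elif op == ARP_REQUEST and sender_ip != target_ip:
            answered = any(t < rt <= t + reply_window and rip == target_ip for rt, rip in replies)
            if not answered:
                unanswered[target_ip] += 1
    sorted_claims = {ip: sorted(macs) for ip, macs in claims.items()}
    conflicts = {ip: macs for ip, macs in sorted_claims.items() if len(macs) > 1}
    return {"unanswered": dict(unanswered), "claims": sorted_claims, "conflicts": conflicts}


# Constructed sample capture (made-up MACs, IPs from the thread): the router answers
# at once, the laptop at .102 is off for a minute, then both the laptop and an old
# printer reply for .102, and nobody ever answers for .105.
DESKTOP = "02:00:00:f5:9d:a0"
ROUTER = "02:00:00:00:00:01"
LAPTOP = "02:00:00:aa:bb:cc"
PRINTER = "02:00:00:11:22:33"
SAMPLE_EVENTS = [
    (0.000, ARP_REQUEST, DESKTOP, "192.168.1.100", "192.168.1.1"),
    (0.001, ARP_REPLY, ROUTER, "192.168.1.1", "192.168.1.100"),
    (1.0, ARP_REQUEST, DESKTOP, "192.168.1.100", "192.168.1.102"),
    (2.0, ARP_REQUEST, DESKTOP, "192.168.1.100", "192.168.1.102"),
    (3.0, ARP_REQUEST, DESKTOP, "192.168.1.100", "192.168.1.102"),
    (60.0, ARP_REPLY, LAPTOP, "192.168.1.102", "192.168.1.100"),
    (61.0, ARP_REPLY, PRINTER, "192.168.1.102", "192.168.1.100"),
    (70.0, ARP_REQUEST, DESKTOP, "192.168.1.100", "192.168.1.105"),
    (71.0, ARP_REQUEST, DESKTOP, "192.168.1.100", "192.168.1.105"),
]

if __name__ == "__main__":
    result = analyse_arp(SAMPLE_EVENTS)
    for ip, n in sorted(result["unanswered"].items()):
        print(f"{ip}: {n} request(s) with no reply within 1 s (host off or absent?)")
    for ip, macs in sorted(result["conflicts"].items()):
        print(f"{ip}: claimed by {', '.join(macs)} (duplicate IP or spoofing)")
```

A single IP answered by two MACs over a long capture is what a duplicate-IP misconfiguration looks like on the wire, and it is also what ARP spoofing looks like; the difference is whether the second MAC belongs to a device you know about, which is why checking the router's configuration is the right first step.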