This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

ARP request with invalid target MAC address


I have a network capture that has excessive ARP traffic in it. It averages 150 to 250 ARP requests per second. The requests are cycling through all of the addresses on the subnet (255.255.254.0) in a random order.

The Ethernet II data shows the destination as a broadcast but the ARP details show the target as a specific invalid MAC address instead of all zeros. All of the packets are to one of about 10 different invalid target MAC addresses regardless of the target IP address.

I would appreciate any information or reference material. I could only find information related to ARP responses with an invalid MAC.

Is this normal operation for some hardware?
Is this a hardware malfunction?
Is this a deliberate attack?

No. Time Source Destination Protocol Length Info
12 0.003992 Procurve f4:4f:00 Broadcast ARP 60 Who has 192.168.248.12
Frame 12: 60 bytes on wire (480 bits), 60 bytes captured (480 bits)
Ethernet II, Src: Procurve_f4:4f:00 (00:1f:fe:f4:4f:00), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Address Resolution Protocol (request)
Hardware type: Ethernet (1)
Protocol type: IP (0x0800)
Hardware size: 6
Protocol size: 4
Opcode: request (1)
[Is gratuitous: False]
Sender MAC address: Procurve_f4:4f:00 (00:1f:fe:f4:4f:00)
Sender IP address: 192.168.248.1 (192.168.248.1)
Target MAC address: 06:0b:2b:06:01:02 (06:0b:2b:06:01:02)
Target IP address: 192.168.248.127 (192.168.248.127)

asked 05 Aug '11, 11:47


Vicbug643839032
accept rate: 0%


One Answer:


Excessive ARP requests on the magnitude that you observe are usually a sign of bad news.

Within certain intervals an ARP sweep may be caused by a few regular tasks, for example:

  • Network management / inventory system
  • DHCP Server scanning for available addresses

This is usually a "one and done" pattern.

The target MAC address for an ARP request is set to zero by many IP implementations. However, certain systems don't zero the transmit buffers and send out some slag. Other systems put the address that is already in their buffer there when they confirm the validity of the ARP cache.

I am somewhat riddled by the Procurve source address:

  • If this is a layer 2 switch the ARP sweep could be caused by a funky configuration (like SNMP trap destination) or a firmware bug.
  • If this is a layer 3 switch you have to work your way outward to see the root cause for the ARP request.

What happens after the switch receives an ARP response? Do you see any packets sent to the target system?

Good hunting!

answered 05 Aug '11, 12:05


packethunter
accept rate: 8%
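The answer's two checks (is the target hardware address in a request non-zero, and how fast and how broadly is the sweep running) can be scripted rather than eyeballed in Wireshark. The following is an added example written for this archive, not code from the thread or from the Wireshark project. It parses raw Ethernet/ARP frames, flags requests whose target hardware address is not all zeros (RFC 826 leaves that field unused in a request, so a non-zero value is a fingerprint of the sender's implementation rather than a protocol error), and reports peak requests per second and how much of the /23 the sweep has touched. The frames and timestamps are constructed to mirror the capture in the question; `build_arp_request` is a test-data helper and the fourth "normal" frame's source MAC and IP are assumed values.

```python
"""Flag ARP requests with a non-zero target hardware address and measure
sweep rate and breadth. Added example; input frames are constructed."""
import ipaddress
import struct
from collections import Counter

ETH_P_ARP = 0x0806
ZERO_MAC = bytes(6)


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_arp_request(src_mac, sender_ip, target_ip, target_mac=ZERO_MAC):
    """Build a 60-byte Ethernet/ARP request (helper for constructed data)."""
    eth = b"\xff" * 6 + src_mac + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)      # Ethernet/IPv4, request
           + src_mac + ipaddress.IPv4Address(sender_ip).packed
           + target_mac + ipaddress.IPv4Address(target_ip).packed)
    return (eth + arp).ljust(60, b"\x00")                 # pad to minimum frame size


def parse_arp(frame):
    """Return the fields of an Ethernet/IPv4 ARP packet, or None if not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return {
        "op": op,
        "sha": body[0:6],
        "spa": str(ipaddress.IPv4Address(body[6:10])),
        "tha": body[10:16],
        "tpa": str(ipaddress.IPv4Address(body[16:20])),
    }


def analyze(records, subnet):
    """records: iterable of (timestamp_seconds, frame_bytes).

    Counts ARP requests, the peak number in any one-second bucket, the
    distinct in-subnet targets (sweep breadth) and, per target MAC, how many
    requests carried a non-zero target hardware address.
    """
    net = ipaddress.ip_network(subnet)
    nonzero_tha = Counter()
    targets = set()
    per_second = Counter()
    requests = 0
    for ts, frame in records:
        p = parse_arp(frame)
        if p is None or p["op"] != 1:          # only ARP requests
            continue
        requests += 1
        per_second[int(ts)] += 1
        if ipaddress.IPv4Address(p["tpa"]) in net:
            targets.add(p["tpa"])
        if p["tha"] != ZERO_MAC:               # field should be unused in a request
            nonzero_tha[mac_str(p["tha"])] += 1
    return {
        "requests": requests,
        "peak_per_second": max(per_second.values(), default=0),
        "distinct_targets": len(targets),
        "sweep_coverage": len(targets) / max(net.num_addresses - 2, 1),
        "nonzero_target_mac": dict(nonzero_tha),
    }


# Constructed sample: three frames like the ones in the question, plus one
# ordinary request from an assumed host (aa:bb:cc:dd:ee:ff / 192.168.248.50).
SWITCH_MAC = bytes.fromhex("001ffef44f00")
ODD_TARGET_MAC = bytes.fromhex("060b2b060102")
SAMPLE = [
    (0.000, build_arp_request(SWITCH_MAC, "192.168.248.1", "192.168.248.127", ODD_TARGET_MAC)),
    (0.004, build_arp_request(SWITCH_MAC, "192.168.248.1", "192.168.249.3", ODD_TARGET_MAC)),
    (0.009, build_arp_request(SWITCH_MAC, "192.168.248.1", "192.168.248.12", ODD_TARGET_MAC)),
    (1.200, build_arp_request(bytes.fromhex("aabbccddeeff"), "192.168.248.50", "192.168.248.1")),
]

if __name__ == "__main__":
    for k, v in analyze(SAMPLE, "192.168.248.0/23").items():
        print(f"{k}: {v}")
```

On a real capture, feed `analyze` the (timestamp, frame) pairs from a pcap reader of your choice; a `peak_per_second` in the hundreds together with `sweep_coverage` approaching 1 over a short window is the "sweep" pattern the answer describes, and a `nonzero_target_mac` table with a handful of recurring values is the buffer-reuse behaviour it mentions, which identifies the sending implementation rather than the targets.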