This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

ARP Broadcast frequency

0

So, 192.168.1.204 device is broadcasting, "Who has 192.168.1.10? Tell 192.168.1.204"

I understand this.

I see no packet where 192.168.1.10 returns to 192.168.1.204

I understand that it night be directly to 192.168.1.204; and I might not see it.

But why does 192.168.1.204 ask so many times?

Seem like 192.168.1.10 is either not answering or 192.168.1.204 is sending way to many requests.

Any suggestions?

asked 15 Feb '17, 15:49

dcalcutt's gravatar image

dcalcutt
6223
accept rate: 0%

edited 16 Feb '17, 10:47

Jim%20Aragon's gravatar image

Jim Aragon
7.2k733118

What is "so many times"? ARP cache will time out so it will ask every time it doesn't have it in its cache.

Also, if it is extremely rapid, are you certain the response is making it back to the requester or if the requested host is in fact replying?

(15 Feb '17, 17:07) Rooster_50

alt text

(16 Feb '17, 15:19) dcalcutt

2 Answers:

1

But why does 192.168.1.204 ask so many times?

Because it wants to send a packet to 192.168.1.10, and therefore needs to know its MAC address, but, for whatever reason, 192.168.1.10 isn't responding with its MAC address, and neither is any other device on that LAN segment, so it keeps trying in the hopes that eventually somebody will respond.

That's how ARP works.

I suggest you figure out what's wrong with 192.168.1.10. If what's wrong with it is that it doesn't exist any more, you need to figure out why 192.168.1.204 is trying to send it packets and fix that.

answered 15 Feb '17, 17:11

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

Its only occurring for the IP cameras and the DVR that goes with it.

Same manufacturer, so I'm guessing its the cameras.

(16 Feb '17, 04:49) dcalcutt

I'm assuming that wireshark and only see general packets, as well as packet for the computer I'm using, 192.168.1.148

Am I correct that if a packet was sent directly from 192.168.1.10 to 192.168.1.204 I would not see it?

(16 Feb '17, 15:14) dcalcutt

What you see on an Ethernet network depends on how the network is constructed.

If all the hosts on the Ethernet segment are plugged into a real hub, then, if you're capturing in promiscuous mode, you should be able to see all traffic on the network, whether it's being sent to or from the machine doing the capture or not. If you're not capturing in promiscuous mode, you'll see only broadcast traffic, multicast traffic, traffic sent to the machine doing the capturing, and traffic coming from the machine doing the capturing.

If they hosts are plugged into a switch, then, unless the host doing the capturing is plugged into a "mirror port" or "SPAN port" or whatever it's called on the switch in question, whether you're capturing in promiscuous mode or not, you'll see only broadcast traffic, multicast traffic, traffic sent to the machine doing the capturing, and traffic coming from the machine doing the capturing. Only if you capture in promiscuous mode on a mirror/SPAN/whatever port will you see all traffic.

Not all switches support mirror/SPAN/whatever ports. Many devices such as DSL and cable modems, Wi-Fi routers, and even some "hubs" ("switching hubs") are, in fact, switches.

(16 Feb '17, 22:32) Guy Harris ♦♦

0

The ARP requests are send with a frequency of 1 per second. This is usually an indicator, that the ARP request was never answered.

You might want to check the configuration, if 192.168.1.10 is referenced somewhere as DVR, gateway, DNS server, time server or somewhere else in the configuration. Please note, that certain parameters might be set a DHCP server.

To understand the situation you need a trace file from the point of view of 192.168.1.204. As Guy Harris pointed out, this requires a hub or a SPAN port.

Good hunting

answered 17 Feb '17, 11:30

packethunter's gravatar image

packethunter
2.1k71548
accept rate: 8%

Well the computer I'm using to capture the packets, is on a switch.

I'm going to run the Ethernet to the router to see if that makes a difference.

(10 Mar '17, 16:44) dcalcutt

WEll, that made no difference.

I even tried making my computer the same IP address as the router, just to see what would happen. But I got nothing interesting.

I just want to know if the router is responding to all the request for the MAC addesses

(10 Mar '17, 17:09) dcalcutt