Hi guys, i am totally new here and totally new also in wireshark. just trying Things after the Installation and seeing the following: my pc (well, i assume it is mine because of the Name in the source culomn) is sending a request per arp protocoll (Destination = broadcast) who has (one of the range of my ip addresses) e.g. 1.222.333.1? and answering this request: Tell 1.222.333.102. The answer is being repeated to a wide range of ip addresses (difference after the last dot). I am just asking why is it Happening?
I just add the following (who knows maybe relevant somehow): i am using another tool named wireless Network watcher. there i saw few days ago and since then a while again and again my router twice (but with different Network Adapter Company) and my pc twice or three times (with different Network Adapter Company) and the pc of my girlfriend twice (with different Network Adapter Company). Until few days ago when i changed some configuration in the router i saw those active simultaneously, now one active respectively, but others also in the list. so: one of those "my pc"s is sending the message mentioned above.
asked 19 Oct '17, 11:49
Your understanding is not fully correct. The ARP packet above asks everyone in the subnet (hence the broadcast address) whether they do not happen to have the given IP address (1.222.333.1 in your example, note that 333 wouldn't fit in real life), but the "tell 1.222.333.102" is not an answer to that question - the recipient of that ARP request learns from this field the translation between IP and MAC address of the sender of the request.
The response (or "answer") itself should be found in the capture several packets later, saying "1.222.333.1 is at xx:xx:xx:xx:xx:xx", and it is not sent to broadcast MAC address but to an individual (unicast) one.
Before sending an IP packet to any IP address for the first time after a long pause, using any point-to-multipoint environment, the sender needs to translate the IP address of the recipient to a MAC address. This is what ARP protocol is used for. If the destination is outside own subnet of the sender, the ARP request asks for the MAC address of a gateway element.
The mapping between a given IP address and a MAC address is normally considered dynamic, so if the communication with a given IP doesn't happen for several tens of seconds, the mapping times out and has to be obtained again using ARP protocol when it needs to be commenced.
So management summary - what you see is a normal behaviour. What would not be normal would be if you could see only ARP requests and nothing else - in that case something would be wrong with your capturing setup, as ARP requests are only sent when some other packet needs to be sent.
answered 21 Oct '17, 08:02
edited 21 Oct '17, 08:02