
ARP Broadcast

0

Hello everyone,

I ran an analysis on a pretty complex network so that I could find the reason that all workstations ran slowly when connected to the LAN but ran fine when not connected. I plugged directly into a switch and monitored the network traffic.

Upon analysis I found that one device (server) is consistently sending out ARP broadcasts over the network. It does this at intervals no higher than five seconds and often twice per one-second interval.

Since all machines must listen for this broadcast could this be the culprit in my bogged down network?

asked 08 Nov '11, 06:15


Clover
1111
accept rate: 0%


One Answer:

2

A good look at ARP packets can sometimes reveal interesting things about your network. One server sending out an ARP request every few seconds is not a big issue.

Here are a few items that I check when looking at ARP packets:

  1. Is a system ARPing for the wrong subnet?
  2. Did all systems get a proper IP address from the DHCP server, or is a system using APIPA addresses?
  3. Are the ARP cache timers consistent with the switches' MAC address table?
  4. Is a system sending out unsolicited ARP responses?

Wireshark helps in answering some of these questions. Here are a few helpful display filters:

  1. Say you are analyzing a network segment where all systems should belong to the subnet 10.1.1.0/24. You can easily spot a misconfigured address mask with arp and not (arp.src.proto_ipv4 == 10.1.1.0/24 and arp.dst.proto_ipv4 == 10.1.1.0/24). This filter should not deliver any packets.

  2. If a system did not get an IP address it will likely use a random address from the network 169.254.0.0/16. So the filter arp.src.proto_ipv4 == 169.254.0.0/16 should result in an empty packet list.

  3. The inconsistent timers can hit you quite hard if a system has more than one NIC. That happens if packets arrive on one interface and are acknowledged with a different MAC source address. The endpoint and conversation statistics show if one MAC address is constantly receiving traffic but not sending.

  4. For advanced statistics on IP addresses that are frequently named as source or destination of an ARP address, try Edit -> Preferences -> Columns to add two custom columns with the fields arp.src.proto_ipv4 and arp.dst.proto_ipv4. Next, apply the display filter arp and export the packet list to a CSV file. A pivot table in Excel works real wonders.

Note that the filter in section 1 will show gratuitous ARPs issued by newer Windows systems. A sender IP address of 0.0.0.0 can safely be ignored (and specified in the filter).

Display filters could be shorter and more compact. The spelling here is chosen to make it easy to read and understand.

When just looking at the broadcast packet don't forget to check a couple of extra things:

  • IP broadcast messages, like ICMP echo request or NTP messages to a broadcast address
  • Weird NetBIOS host announcements or Browser messages on UDP ports 137 and 138; in particular, you don't want to see browser elections
  • Stable spanning tree (the filter stp.flags.tc == 1 should not deliver any packet)

Good hunting!

answered 08 Nov '11, 08:36


packethunter
2.1k71548
accept rate: 8%
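The display-filter checks 1, 2 and 4 from the answer above, redone as an offline script. This is an added example, not code from packethunter's answer or from Wireshark; the ARP records are constructed for the example, and the subnet 10.1.1.0/24 is the one the answer uses.

```python
# Offline version of the ARP checks from the answer. Each record is a
# constructed ARP frame summary: (sender_ip, target_ip, opcode), opcode
# 1 = request, 2 = reply. Values are made up for the example.
from collections import Counter
from ipaddress import ip_address, ip_network

SUBNET = ip_network("10.1.1.0/24")  # subnet used in the answer

# Constructed sample frames: normal requests, two wrongly-masked requests,
# an APIPA sender, a Windows gratuitous ARP (sender 0.0.0.0), one reply.
SAMPLE_ARP = [
    ("10.1.1.5", "10.1.1.1", 1),
    ("10.1.1.5", "10.1.1.1", 1),
    ("10.1.1.5", "10.1.1.1", 1),
    ("10.1.1.20", "10.1.2.7", 1),         # target outside /24: mask too wide
    ("10.1.3.9", "10.1.1.1", 1),          # sender outside /24: misconfigured
    ("169.254.37.12", "169.254.1.1", 1),  # APIPA address: DHCP failed
    ("0.0.0.0", "10.1.1.44", 1),          # gratuitous/probe, ignored in check 1
    ("10.1.1.1", "10.1.1.5", 2),
]

def wrong_subnet(records, subnet=SUBNET):
    """Check 1: 'arp and not (src in subnet and dst in subnet)', with the
    0.0.0.0 sender excluded as the answer's note suggests."""
    out = []
    for src, dst, _op in records:
        if src == "0.0.0.0":
            continue
        if not (ip_address(src) in subnet and ip_address(dst) in subnet):
            out.append((src, dst))
    return out

def apipa_senders(records):
    """Check 2: 'arp.src.proto_ipv4 == 169.254.0.0/16'."""
    link_local = ip_network("169.254.0.0/16")
    return sorted({src for src, _dst, _op in records
                   if ip_address(src) in link_local})

def address_frequency(records):
    """Check 4: how often each IP appears as ARP source or destination,
    i.e. the CSV-export-plus-pivot-table step done in code."""
    counts = Counter()
    for src, dst, _op in records:
        counts[src] += 1
        counts[dst] += 1
    return counts
```

Call address_frequency(SAMPLE_ARP).most_common(3) to get the "top talkers" list the pivot table would give you.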