This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Suspicious ARP activity?

0

I'm kind of new to the world of monitoring network activity and I'm seeing something in my logs that concerns me a little.

One computer, and only one, seems to be sending ARP requests to every single possible IP address ("Who has 192.168.1.1", "Who has 192.168.1.2"... etc.).

No other machine on this network is doing this. As I cannot fathom any legitimate reason any machine ought to be pinging every possible address, I'm thinking this machine probably has a virus looking to do mischief.

Thoughts?

asked 22 Jan '12, 16:13


Riversiderepeat


2 Answers:

2

If you see ARP packets for a full network range you might have some sort of ping sweep in your network, where a system tries to find out which other IPs are there. There are some legitimate reasons for it, for example if it comes from a network monitoring system. You'll have to identify the source of the ARP requests - you should see a "tell 192.168..." somewhere, which is always the same in Ping Sweeps, and that is the system scanning.

If the source is a system that should NOT do anything like this you might have a problem. Next step is to identify what software is running that may cause this, and evaluate if it really is a case of mischief.

answered 22 Jan '12, 17:43


Jasper ♦♦
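The check described in the answer above, as an added example that is not part of the original post: group ARP requests by their "tell" address and report any sender that asks for most of the subnet within a short window. The tshark export shape, the sample rows, the thresholds and the `expected` allowlist (for systems such as a network monitor) are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample, tab-separated: time, sender MAC, "tell" IP, "who has" IP.
# Assumed to match a tshark field export such as:
#   tshark -r capture.pcapng -Y "arp.opcode == 1" -T fields -e frame.time_epoch \
#     -e arp.src.hw_mac -e arp.src.proto_ipv4 -e arp.dst.proto_ipv4
SAMPLE = "\n".join(
    [f"{100 + i * 0.01:.2f}\t00:11:22:33:44:55\t192.168.1.23\t192.168.1.{i}"
     for i in range(1, 255)]                      # one host asking for .1 to .254
    + ["101.00\t66:77:88:99:aa:bb\t192.168.1.40\t192.168.1.1",   # ordinary traffic
       "131.00\t66:77:88:99:aa:bb\t192.168.1.40\t192.168.1.1",
       "150.00\t66:77:88:99:aa:bb\t192.168.1.40\t192.168.1.23"])

def find_arp_sweeps(text, subnet="192.168.1.0/24", window=60.0,
                    min_coverage=0.5, expected=()):
    """Senders that ARP for >= min_coverage of the subnet within `window` seconds."""
    # `expected` is a hypothetical allowlist of "tell" IPs known to scan on purpose.
    net = ipaddress.ip_network(subnet)
    hosts = max(1, net.num_addresses - 2)
    by_sender = defaultdict(list)                 # (mac, tell) -> [(time, target)]
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4:
            continue                              # skip malformed rows
        ts, mac, tell, target = parts
        try:
            if ipaddress.ip_address(target) in net:
                by_sender[(mac.lower(), tell)].append((float(ts), target))
        except ValueError:
            continue                              # unparsable IP or timestamp
    findings = []
    for (mac, tell), reqs in by_sender.items():
        reqs.sort()
        live, start, best = defaultdict(int), 0, 0
        for ts, target in reqs:                   # sliding window of distinct targets
            live[target] += 1
            while ts - reqs[start][0] > window:
                old = reqs[start][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                start += 1
            best = max(best, len(live))
        if best / hosts >= min_coverage:
            findings.append({"mac": mac, "tell": tell, "targets": best,
                             "coverage": round(best / hosts, 2),
                             "expected": tell in expected})
    return findings
```

A sender reported with `expected` set to `False` is the one to trace back to a machine and the software running on it.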

0

There are some home routers that do this. I have a Netopia router that does an ARP scan of the entire subnet every five minutes. There is no way to turn it off or change the interval, so it's expected behavior in my network.

answered 23 Jan '12, 00:09


Jim Aragon