Hello all, I run a sniffer on my busier segments and get arp requests greater than 5 per second all the time. I;m wondering as far as baseling the network that this is the norm or could it be that it is indicating high arps due to this welchia virus that I have been fighting in the last couple of days where I find extreme amounts of icmp ping requests (sometimes as high as 160 per second. I believe we have patched all the virus users but arps are still high. Is there an accepted practice of how many arps you should have say on a 100Mb switched LAN? Thanks in advance.
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Arp requests on LAN excessive?? 2
- Thread starter netman42
- Start date
- Thread starter
- #3
Thanks for your response. The arps are coming from all different machines. We don't use an internal DNS, just WINS. This maybe normal on this network as I have not baselined the arp traffic but my sniffer Etherpeek NX gives me an alarm that seems more than usual of arps greater than 5 per second.
-
2
- #4
John Lewis
Programmer
ARP entries are not renewed every 120 seconds. Windows ARP entries expire after 120 seconds of "domancy" by default, but are not renewed unless there is need. DNS has nothing to do with the process -- ARP resolves MAC addresses, DNS deals only with IP resolution.
Any operation that connects to another computer, waits more than two minutes then connects again will make a ARP request. You are likely to see frequent requests from your WINS server, mail clients that are set to check for mail every 5 minutes, networked printers that are used frequently for small jobs, networked database app if there are more than two minutes between transactions -- could be a long list.
In the end, whether or not it is normal will depend upon the type of traffic on your network. If everything works correctly, the average requests per second should not exceed (H*(H-1))/120, where H is the number of hosts on your network, keeping in mind that switches, routers, print servers and just about anything else that is wired to the network counts as a host. It is possible to see a bit more, as a certain number of requests will not get answered on the first request for various reasons. In reality, you should see much less, as each host would have to be waiting just over two minutes then contacting each other host on the network.
Look at your sniffer output, not familiar with Etherpeek but you should see something in the form of 'who has xxx.xxx.xxx.xxx' where the xxx's represent a IP. If you see a lot of queries to a particular host, could be that host is not responding properly. The other part of the ARP should be 'tell xxx.xxx.xxx.xxx'. If you see the same IP there a lot to duplicate hosts in a short time, could be that device is not caching properly. Might need to increase the retire time.
Any operation that connects to another computer, waits more than two minutes then connects again will make a ARP request. You are likely to see frequent requests from your WINS server, mail clients that are set to check for mail every 5 minutes, networked printers that are used frequently for small jobs, networked database app if there are more than two minutes between transactions -- could be a long list.
In the end, whether or not it is normal will depend upon the type of traffic on your network. If everything works correctly, the average requests per second should not exceed (H*(H-1))/120, where H is the number of hosts on your network, keeping in mind that switches, routers, print servers and just about anything else that is wired to the network counts as a host. It is possible to see a bit more, as a certain number of requests will not get answered on the first request for various reasons. In reality, you should see much less, as each host would have to be waiting just over two minutes then contacting each other host on the network.
Look at your sniffer output, not familiar with Etherpeek but you should see something in the form of 'who has xxx.xxx.xxx.xxx' where the xxx's represent a IP. If you see a lot of queries to a particular host, could be that host is not responding properly. The other part of the ARP should be 'tell xxx.xxx.xxx.xxx'. If you see the same IP there a lot to duplicate hosts in a short time, could be that device is not caching properly. Might need to increase the retire time.
- Thread starter
- #5
I have 493 nodes on this segment. (493*492)/120 = 2021 per second. We are not exceeding that by far so I guess I am looking at a false positive on the Etherpeek sniffer. However, in looking at the requests vs responses, the requests outnumber the responses 10 to 1. Thanks a lot for help in this matter.
If you are using a switched architecture, then seeing more requests than responses may be normal. The broadcast that is sent for a request has a destination mac of FF:FF:FF:FF:FF:FF, but the response should contain only the mac of the requesting device. Your switch should filter the replies, but it cannot filter the requests.
pansophic
pansophic
- Thread starter
- #8
I haven't added a bunch of machines recently. The post from pansophic makes perfect sense but the strange thing is that I am mirroring the port from my core switch to my sniffer from the PDC Wins server. I could see where the switches would only show broadcast to the sniffer except for traffic destined to that PDC/Wins box. The arps are probably being responded to by the core router maybe so I don't see both sides of the conversation. Maybe I will just accept this as a high traffic time and is business as usual. Thanks for your help.
- Status
Similar threads
- Locked
- Question
- Locked
- Question