Re: ARP behaviour

 
 
Noah Davids
 
      08-06-2006
While we are on the subject of ARP

I recently saw in a trace a series of ARP requests directed to a specific
MAC address, not the broadcast address. The MAC address was of the owner of
the requested IP address which responded with an ARP reply. All I know about
the source of the ARP requests is that it had a Cisco MAC address and
appears to be a router (multiple IP addresses from different subnets all
with this MAC address).

I've never seen this before but a little research leads me to understand that
some OSes will send this type of ARP before sending a broadcast, if it has
an "expired" entry in its ARP cache and it needs the entry updated. What
confuses me is that I don't see any subsequent traffic from the source.

The interval between ARP requests is approximately 36 seconds or
approximately some multiple of 36 seconds.

Basically I am wondering if anyone knows what the trigger for these packets
is. I'm just curious; this has nothing to do with why I was doing a trace.

Here is an example of the ARP request

No.     Time                        Source      Destination  Protocol  Info
14462   2006-08-01 17:09:54.652620  10.11.12.2  10.11.12.9   ARP       Who has 10.11.12.9? Tell 10.11.12.2

Frame 14462 (64 bytes on wire, 64 bytes captured)
    Arrival Time: Aug 1, 2006 17:09:54.652620000
    Time delta from previous packet: 278.026866000 seconds
    Time since reference or first frame: 278.026866000 seconds
    Frame Number: 14462
    Packet Length: 64 bytes
    Capture Length: 64 bytes
Ethernet II, Src: 00:0e:d6:22:b8:3c, Dst: 00:00:a8:84:81:73
    Destination: 00:00:a8:84:81:73 (10.11.12.9)
    Source: 00:0e:d6:22:b8:3c (10.11.12.2)
    Type: ARP (0x0806)
    Trailer: 00000000000000000000000000000000...
    Frame check sequence: 0x1230f4a4 (correct)
Address Resolution Protocol (request)
    Hardware type: Ethernet (0x0001)
    Protocol type: IP (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: request (0x0001)
    Sender MAC address: 00:0e:d6:22:b8:3c (10.11.12.2)
    Sender IP address: 10.11.12.2 (10.11.12.2)
    Target MAC address: 00:00:a8:84:81:73 (10.11.12.9)
    Target IP address: 10.11.12.9 (10.11.12.9)




<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ups.com...
> Hi,
>
> I would like to ask you which of the following ARP behaviours you would
> consider normal and which not:
>
> 1. a host sends out arp replies without a request sent out by any other
> host (unsolicited)
> 2. a host sends out an arp request, but to a special mac address and
> not to the broadcast address
> 3. arp packets where the ethernet sender/destination mac does not match
> the arp sender/destination mac
>
> I know that some of such packets are used by arp poisoning tools, but
> which of the three (maybe you know more! please let me know!) are
> really _not_ ok and which are (sometimes) being used by normal hosts,
> routers, switches, ... anything.
>
> My DSL router for example sends out unsolicited replies all the time
> ... but I would not consider this rfc conform.
>
> Thanks,
> Chris
>



 
 
 
 
 
Barry Margolin
 
      08-06-2006
In article <98bBg.2293$W01.294@dukeread08>,
"Noah Davids" <(E-Mail Removed)> wrote:

> While we are on the subject of ARP
>
> I recently saw in a trace a series of ARP requests directed to a specific
> MAC address, not the broadcast address. The MAC address was of the owner of
> the requested IP address which responded with an ARP reply. All I know about
> the source of the ARP requests is that it had a Cisco MAC address and
> appears to be a router (multiple IP addresses from different subnets all
> with this MAC address)
>
> I've never seen this before but a little research leads me to understand that
> some OSes will send this type of ARP before sending a broadcast, if it has
> an "expired" entry in its ARP cache and it needs the entry updated. What
> confuses me is that I don't see any subsequent traffic from the source.


I think when you do "clear arp" on a Cisco router, it goes through its
current ARP cache and tries to refresh each entry; any that don't
succeed are deleted. I've never captured this, and assumed it sent
normal broadcast ARP queries, but maybe it actually directs each to the
MAC address in its current cache entry, and that's what you were seeing.

--
Barry Margolin, (E-Mail Removed)
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
 
 
 
 
 
Merv
 
      08-06-2006

If you really want to find out why this is occurring, then you need to
speak to the person who looks after the Cisco router/switch.

If you are getting an ARP request every 36 seconds for the same IP
address, then this seems a little unusual.

There is a new Cisco IOS feature called ARP-Auto Logoff that might
result in this behaviour
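
Added example, not part of any post in this thread: a small Python classifier for the three ARP behaviours listed in the quoted question, run over the unicast request from the trace above plus two constructed frames. The flag names, the helper names and the second and third sample frames are assumptions made for illustration.

```python
BROADCAST = b"\xff" * 6
ARP_PREFIX = b"\x08\x06\x00\x01\x08\x00\x06\x04"  # EtherType ARP, Ethernet/IPv4, hlen 6, plen 4

def build_arp(eth_src, eth_dst, op, sha, spa, tha, tpa):
    """Build an Ethernet II + ARP frame (no padding or FCS) for the samples."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda a: bytes(map(int, a.split(".")))
    return (mac(eth_dst) + mac(eth_src) + ARP_PREFIX + op.to_bytes(2, "big")
            + mac(sha) + ip(spa) + mac(tha) + ip(tpa))

def parse_arp(frame):
    """Return ARP fields, or None unless the frame is Ethernet/IPv4 ARP."""
    if len(frame) < 42 or frame[12:20] != ARP_PREFIX:
        return None
    return {"eth_dst": frame[0:6], "eth_src": frame[6:12],
            "op": int.from_bytes(frame[20:22], "big"),
            "sha": frame[22:28], "spa": frame[28:32],
            "tha": frame[32:38], "tpa": frame[38:42]}

def classify(frames):
    """Return one list of flags per ARP frame, in capture order."""
    pending, results = set(), []   # pending: (requester IP, requested IP)
    for raw in frames:
        p = parse_arp(raw)
        if p is None:
            continue
        flags = []
        if p["eth_src"] != p["sha"]:              # behaviour 3, sender side
            flags.append("l2-arp-sender-mismatch")
        if p["op"] == 1:
            pending.add((p["spa"], p["tpa"]))
            if p["eth_dst"] != BROADCAST:         # behaviour 2 (RFC 1122 2.3.2.1
                flags.append("unicast-request")   # describes a unicast cache poll)
        elif p["op"] == 2:
            if (p["tpa"], p["spa"]) not in pending:        # behaviour 1
                flags.append("unsolicited-reply")
            pending.discard((p["tpa"], p["spa"]))
            if p["eth_dst"] not in (BROADCAST, p["tha"]):  # behaviour 3, target side
                flags.append("l2-arp-target-mismatch")
        results.append(flags)
    return results

ROUTER, HOST = "00:0e:d6:22:b8:3c", "00:00:a8:84:81:73"   # MACs from the trace
SAMPLE = [
    build_arp(ROUTER, HOST, 1, ROUTER, "10.11.12.2", HOST, "10.11.12.9"),  # frame 14462
    build_arp(HOST, ROUTER, 2, HOST, "10.11.12.9", ROUTER, "10.11.12.2"),  # constructed reply
    build_arp("02:00:00:00:00:01", "ff:ff:ff:ff:ff:ff", 2,                 # constructed
              "02:00:00:00:00:02", "10.11.12.1", "ff:ff:ff:ff:ff:ff", "10.11.12.1"),
]
```

`classify(SAMPLE)` flags the traced frame only as a unicast request and the constructed third frame as both an unsolicited reply and a sender mismatch. The flags are triage hints: as the posts here note, routers produce the first two in normal operation.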

 