Re: ARP behaviour

Discussion in 'Cisco' started by Noah Davids, Aug 6, 2006.

  1. Noah Davids

    Noah Davids Guest

    While we are on the subject of ARP

    I recently saw in a trace a series of ARP requests directed to a specific
    MAC address, not the broadcast address. The MAC address was of the owner of
    the requested IP address, which responded with an ARP reply. All I know about
    the source of the ARP requests is that it had a Cisco MAC address and
    appears to be a router (multiple IP addresses from different subnets all
    with this MAC address).

    I've never seen this before, but a little research leads me to understand that
    some OSes will send this type of ARP before sending a broadcast, if it has
    an "expired" entry in its ARP cache and it needs the entry updated. What
    confuses me is that I don't see any subsequent traffic from the source.

    The interval between ARP requests is approximately 36 seconds or
    approximately some multiple of 36 seconds.

    Basically I am wondering if anyone knows what the trigger for these packets
    is. I'm just curious; this has nothing to do with why I was doing a trace.

    Here is an example of the ARP request

    No.    Time                        Source      Destination  Protocol  Info
    14462  2006-08-01 17:09:54.652620  10.11.12.2  10.11.12.9   ARP       Who has 10.11.12.9? Tell 10.11.12.2

    Frame 14462 (64 bytes on wire, 64 bytes captured)
        Arrival Time: Aug 1, 2006 17:09:54.652620000
        Time delta from previous packet: 278.026866000 seconds
        Time since reference or first frame: 278.026866000 seconds
        Frame Number: 14462
        Packet Length: 64 bytes
        Capture Length: 64 bytes
    Ethernet II, Src: 00:0e:d6:22:b8:3c, Dst: 00:00:a8:84:81:73
        Destination: 00:00:a8:84:81:73 (10.11.12.9)
        Source: 00:0e:d6:22:b8:3c (10.11.12.2)
        Type: ARP (0x0806)
        Trailer: 00000000000000000000000000000000...
        Frame check sequence: 0x1230f4a4 (correct)
    Address Resolution Protocol (request)
        Hardware type: Ethernet (0x0001)
        Protocol type: IP (0x0800)
        Hardware size: 6
        Protocol size: 4
        Opcode: request (0x0001)
        Sender MAC address: 00:0e:d6:22:b8:3c (10.11.12.2)
        Sender IP address: 10.11.12.2 (10.11.12.2)
        Target MAC address: 00:00:a8:84:81:73 (10.11.12.9)
        Target IP address: 10.11.12.9 (10.11.12.9)




    <> wrote in message
    news:...
    > Hi,
    >
    > I would like to ask you which of the following ARP behaviours you would
    > consider normal and which not:
    >
    > 1. a host sends out arp replies without a request sent out by any other
    > host (unsolicited)
    > 2. a host sends out an arp request, but to a special mac address and
    > not to the broadcast address
    > 3. arp packets where the ethernet sender/destination mac does not match
    > the arp sender/destination mac
    >
    > I know that some of such packets are used by arp poisoning tools, but
    > which of the three (maybe you know more! please let me know!) are
    > really _not_ ok and which are (sometimes) being used by normal hosts,
    > routers, switches, ... anything.
    >
    > My DSL router for example sends out unsolicited replies all the time
    > ... but I would not consider this rfc conform.
    >
    > Thanks,
    > Chris
    >
     
    Noah Davids, Aug 6, 2006
    #1
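
An added example (not written by any poster in this thread): a small Python classifier for the three ARP behaviours listed in the quoted question, applied to frame 14462 rebuilt from the decoded fields in the trace. The function names, finding labels and the `pending` set are assumptions of this example.

```python
import struct
from ipaddress import IPv4Address

BROADCAST = b"\xff" * 6

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def build_arp(eth_src, eth_dst, op, sha, spa, tha, tpa):
    """Build an Ethernet II + ARP frame (no padding or FCS) as test input."""
    eth = mac(eth_dst) + mac(eth_src) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac(sha) + IPv4Address(spa).packed
    arp += mac(tha) + IPv4Address(tpa).packed
    return eth + arp

def classify(frame, pending):
    """Return the findings for one frame.

    pending is a set of (asker_ip, asked_ip) pairs for requests already seen;
    a real monitor would also expire these after a short timeout.
    """
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return ["not-arp"]
    dst, src = frame[0:6], frame[6:12]
    if struct.unpack("!HHBB", frame[14:20]) != (1, 0x0800, 6, 4):
        return ["not-ethernet-ipv4-arp"]
    (op,) = struct.unpack("!H", frame[20:22])
    sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    findings = []
    if sha != src:                          # behaviour 3, sender side
        findings.append("eth-src != arp-sender-mac")
    if op == 1:
        pending.add((spa, tpa))
        if dst != BROADCAST:                # behaviour 2
            findings.append("unicast-request")
    elif op == 2:
        if (tpa, spa) in pending:           # answers a request we saw
            pending.discard((tpa, spa))
        else:                               # behaviour 1
            findings.append("unsolicited-reply")
        if dst != BROADCAST and tha != dst: # behaviour 3, target side
            findings.append("eth-dst != arp-target-mac")
    return findings

# Frame 14462 from the trace above, rebuilt from its decoded fields.
TRACE_REQUEST = build_arp("00:0e:d6:22:b8:3c", "00:00:a8:84:81:73", 1,
                          "00:0e:d6:22:b8:3c", "10.11.12.2",
                          "00:00:a8:84:81:73", "10.11.12.9")
```
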

  2. In article <98bBg.2293$W01.294@dukeread08>,
    "Noah Davids" <> wrote:

    > While we are on the subject of ARP
    >
    > I recently saw in a trace a series of ARP requests directed to a specific
    > MAC address, not the broadcast address. The MAC address was of the owner of
    > the requested IP address, which responded with an ARP reply. All I know about
    > the source of the ARP requests is that it had a Cisco MAC address and
    > appears to be a router (multiple IP addresses from different subnets all
    > with this MAC address).
    >
    > I've never seen this before, but a little research leads me to understand that
    > some OSes will send this type of ARP before sending a broadcast, if it has
    > an "expired" entry in its ARP cache and it needs the entry updated. What
    > confuses me is that I don't see any subsequent traffic from the source.


    I think when you do "clear arp" on a Cisco router, it goes through its
    current ARP cache and tries to refresh each entry; any that don't
    succeed are deleted. I've never captured this, and assumed it sent
    normal broadcast ARP queries, but maybe it actually directs each to the
    MAC address in its current cache entry, and that's what you were seeing.

    --
    Barry Margolin,
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    *** PLEASE don't copy me on replies, I'll read them in the group ***
     
    Barry Margolin, Aug 6, 2006
    #2

  3. Noah Davids

    Merv Guest

    If you really want to find out why this is occurring, then you need to
    speak to the person who looks after the Cisco router/switch.

    If you are getting an ARP request every 36 seconds for the same IP
    address, then this seems a little unusual.

    There is a new Cisco IOS feature called ARP-Auto Logoff that might
    result in this behaviour.
     
    Merv, Aug 6, 2006
    #3