No ARP replies

Discussion in 'Cisco' started by michael, May 10, 2004.

  1. michael

    michael Guest

    Hello
    I'm having a situation concerning ARP where I am seeing no ARP
    replies to many ARP requests on my network when I evaluate with a
    protocol analyzer. I think the ARP traffic may be at a level where it
    is disrupting traffic on the network and nodes are dropping off as a
    result. It is a Microsoft 2000/XP network running Active Directory.
    The sniffs show a lot of whois ARP traffic and I see little or no ARP
    replies with the MAC address. I'm wondering what this could be due
    to. It is a flat network with 175 nodes running a class B subnet.
    WINS and DNS are configured. The workstation nodes are mixed
    Win2k/XP (majority being 2k). The servers are Win2k. Is this high
    amount of ARP traffic (between 60 to 90 percent at a server) normal, and
    if not, what could I do to facilitate the ARP replies? Thanks
     
    michael, May 10, 2004
    #1

  2. michael

    mh Guest

    That level of ARP traffic does not sound normal.

    If you have a trace, then look at the device(s) that are transmitting
    the ARPs.
    You will need to get their source MAC address from the trace and then
    track them down. If you are using an Ethernet switch, then you should
    be able to display the layer 2 forwarding table and find out what port
    the device is attached to.

    The device, if a Windows PC, could have a virus that is scanning your
    network looking for other PCs to attack.

    I have also seen an HP print driver bug that scanned an entire class A
    network which resulted in 90% of network traffic being ARPs.
     
    mh, May 10, 2004
    #2

  3. michael

    Patrick Guest

    How is your protocol analyzer connected to the network? If you're on a
    switch, it would be logical that you don't see ARP replies.

    The ARP requests are in the form of a broadcast, so sent to every
    port. However, the reply is sent as a unicast to the host which made
    the ARP request.

    Unless you configured a SPAN port, you won't see this traffic on a
    switched network. This would also explain why you see such a high
    percentage of ARP requests: the unicast traffic isn't captured by your
    protocol analyzer.


    With kind regards,

    Patrick
     
    Patrick, May 10, 2004
    #3
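
The two replies above suggest tallying ARP senders by source MAC and checking whether replies appear in the capture at all. The following is an added example, not code from any poster in this thread. The frames are constructed sample data, the names `parse_arp`, `summarize`, `sweepers` and `build_arp` are hypothetical, the 20-target cutoff is an assumption, and frames are assumed to be untagged Ethernet.

```python
import struct
from collections import defaultdict

def parse_arp(frame):
    """Return (opcode, ethernet_src_mac, target_ip), or None if the frame
    is not untagged IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    ethertype, htype, ptype, hlen, plen, oper = struct.unpack("!HHHBBH", frame[12:22])
    if (ethertype, htype, ptype, hlen, plen) != (0x0806, 1, 0x0800, 6, 4):
        return None
    target_ip = ".".join(str(b) for b in frame[38:42])
    return oper, frame[6:12].hex(":"), target_ip

def summarize(frames):
    """Tally per source MAC: requests sent, replies sent, distinct IPs asked for."""
    stats = defaultdict(lambda: {"requests": 0, "replies": 0, "targets": set()})
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None:
            continue
        oper, mac, target_ip = arp
        if oper == 1:    # who-has request (broadcast)
            stats[mac]["requests"] += 1
            stats[mac]["targets"].add(target_ip)
        elif oper == 2:  # is-at reply (unicast, visible only on a SPAN port or hub)
            stats[mac]["replies"] += 1
    return stats

def sweepers(stats, min_targets=20):
    """MACs asking for many different IPs; min_targets is an assumed cutoff."""
    return sorted(m for m, s in stats.items() if len(s["targets"]) >= min_targets)

def build_arp(oper, src_mac, src_ip, dst_ip, dst_mac=b"\xff" * 6):
    """Build one constructed sample frame (test data, not a real capture)."""
    tha = b"\x00" * 6 if oper == 1 else dst_mac
    return (dst_mac + src_mac + struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, oper)
            + src_mac + bytes(src_ip) + tha + bytes(dst_ip))

# Constructed capture: host A sweeps 40 addresses, host B asks once, host C answers B.
A, B, C = (bytes.fromhex("0200000000" + x) for x in ("aa", "bb", "cc"))
SAMPLE = [build_arp(1, A, (172, 16, 0, 10), (172, 16, 0, n)) for n in range(101, 141)]
SAMPLE.append(build_arp(1, B, (172, 16, 0, 11), (172, 16, 0, 12)))
SAMPLE.append(build_arp(2, C, (172, 16, 0, 12), (172, 16, 0, 11), dst_mac=B))

if __name__ == "__main__":
    stats = summarize(SAMPLE)
    for mac in sweepers(stats):
        print(mac, stats[mac]["requests"], "requests,", len(stats[mac]["targets"]), "targets")
```

A MAC reported here can then be looked up in the switch's layer 2 forwarding table to find its port. A reply count of zero for every host points at the capture position rather than at missing replies.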
