Re: ARP behaviour

While we are on the subject of ARP

I recently saw in a trace a series of ARP requests directed to a specific MAC address, not the broadcast address. The MAC address was that of the owner of the requested IP address, which responded with an ARP reply. All I know about the source of the ARP requests is that it had a Cisco MAC address and appears to be a router (multiple IP addresses from different subnets, all with this MAC address).

I've never seen this before, but a little research leads me to understand that some OSes will send this type of ARP before sending a broadcast if they have an "expired" entry in their ARP cache and need the entry updated. What confuses me is that I don't see any subsequent traffic from the source.

The interval between ARP requests is approximately 36 seconds or approximately some multiple of 36 seconds.

Basically I am wondering if anyone knows what the trigger for these packets is. I'm just curious; this has nothing to do with why I was doing a trace.

Here is an example of the ARP request

No.    Time                        Source      Destination  Protocol  Info
14462  2006-08-01 17:09:54.652620  10.11.12.2  10.11.12.9   ARP       Who has 10.11.12.9? Tell 10.11.12.2

Frame 14462 (64 bytes on wire, 64 bytes captured)
    Arrival Time: Aug 1, 2006 17:09:54.652620000
    Time delta from previous packet: 278.026866000 seconds
    Time since reference or first frame: 278.026866000 seconds
    Frame Number: 14462
    Packet Length: 64 bytes
    Capture Length: 64 bytes
Ethernet II, Src: 00:0e:d6:22:b8:3c, Dst: 00:00:a8:84:81:73
    Destination: 00:00:a8:84:81:73 (10.11.12.9)
    Source: 00:0e:d6:22:b8:3c (10.11.12.2)
    Type: ARP (0x0806)
    Trailer: 00000000000000000000000000000000...
    Frame check sequence: 0x1230f4a4 (correct)
Address Resolution Protocol (request)
    Hardware type: Ethernet (0x0001)
    Protocol type: IP (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: request (0x0001)
    Sender MAC address: 00:0e:d6:22:b8:3c (10.11.12.2)
    Sender IP address: 10.11.12.2 (10.11.12.2)
    Target MAC address: 00:00:a8:84:81:73 (10.11.12.9)
    Target IP address: 10.11.12.9 (10.11.12.9)

> Hi,
>
> I would like to ask you which of the following ARP behaviours you would
> consider normal and which not:
>
> 1. a host sends out arp replies without a request sent out by any other
> host (unsolicited)
> 2. a host sends out an arp request, but to a special mac address and
> not to the broadcast address
> 3. arp packets where the ethernet sender/destination mac does not match
> the arp sender/destination mac
>
> I know that some of such packets are used by arp poisoning tools, but
> which of the three (maybe you know more! please let me know!) are
> really _not_ ok and which are (sometimes) being used by normal hosts,
> routers, switches, ... anything.
>
> My DSL router for example sends out unsolicited replies all the time
> ... but I would not consider this rfc conform.
>
> Thanks,
> Chris
Reply to
Noah Davids

I think when you do "clear arp" on a Cisco router, it goes through its current ARP cache and tries to refresh each entry; any that don't succeed are deleted. I've never captured this, and assumed it sent normal broadcast ARP queries, but maybe it actually directs each to the MAC address in its current cache entry, and that's what you were seeing.

Reply to
Barry Margolin

If you really want to find out why this is occurring, then you need to speak to the person who looks after the Cisco router/switch.

If you are getting an ARP request every 36 seconds for the same IP address, then this seems a little unusual.

There is a new Cisco IOS feature called ARP-Auto Logoff that might result in this behaviour.

Reply to
Merv
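
The three behaviours listed in the quoted question, written as checks over raw Ethernet frames. This is an added example, not part of any post in the thread: `ArpChecker`, `build_arp` and the finding labels are hypothetical names, the first sample frame is rebuilt from the decoded fields of frame 14462 (without trailer and FCS), and the reply is constructed. A finding marks a frame worth a look, not proof of poisoning; as the trace shows, a router can send unicast requests on its own.

```python
import struct
from ipaddress import IPv4Address

BROADCAST = bytes.fromhex("ffffffffffff")

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def build_arp(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Build an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet."""
    eth = mac(eth_dst) + mac(eth_src) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac(sha) + IPv4Address(spa).packed + mac(tha) + IPv4Address(tpa).packed
    return eth + arp

class ArpChecker:
    def __init__(self):
        self.pending = set()  # (requester IP, requested IP) pairs seen in requests

    def check(self, frame):
        """Return the list of findings for one frame ([] if nothing notable)."""
        if len(frame) < 42:
            return []
        eth_dst, eth_src, etype = struct.unpack("!6s6sH", frame[:14])
        htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
        if etype != 0x0806 or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
            return []
        sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
        findings = []
        if op == 1:
            self.pending.add((spa, tpa))
            if eth_dst != BROADCAST:               # behaviour 2
                findings.append("unicast-request")
        elif op == 2:
            if (tpa, spa) not in self.pending:     # behaviour 1
                findings.append("unsolicited-reply")
            self.pending.discard((tpa, spa))
        if eth_src != sha:                         # behaviour 3, sender side
            findings.append("eth-src-vs-arp-sender-mismatch")
        if op == 2 and eth_dst not in (BROADCAST, tha):  # behaviour 3, target side
            findings.append("eth-dst-vs-arp-target-mismatch")
        return findings

# Frame 14462 from the trace above, rebuilt from its decoded fields.
ROUTER, HOST = "00:0e:d6:22:b8:3c", "00:00:a8:84:81:73"
FRAME_14462 = build_arp(HOST, ROUTER, 1, ROUTER, "10.11.12.2", HOST, "10.11.12.9")
# Constructed reply matching that request (the post says the host did reply).
REPLY = build_arp(ROUTER, HOST, 2, HOST, "10.11.12.9", ROUTER, "10.11.12.2")
```

Feeding `FRAME_14462` and then `REPLY` to one `ArpChecker` flags only the unicast request; replaying `REPLY` a second time is reported as unsolicited because no request is pending for it.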
