While we are on the subject of ARP
I recently saw in a trace a series of ARP requests directed to a specific MAC address, not the broadcast address. The MAC address was that of the owner of the requested IP address, which responded with an ARP reply. All I know about the source of the ARP requests is that it had a Cisco MAC address and appears to be a router (multiple IP addresses from different subnets, all with this MAC address).
I've never seen this before, but a little research leads me to understand that some OSes will send this type of ARP before sending a broadcast, if it has an "expired" entry in its ARP cache and it needs the entry updated. What confuses me is that I don't see any subsequent traffic from the source.
The interval between ARP requests is approximately 36 seconds or approximately some multiple of 36 seconds.
Basically I am wondering if anyone knows what the trigger for these packets is. I'm just curious; this has nothing to do with why I was doing a trace.
Here is an example of the ARP request:
No.    Time                        Source      Destination  Protocol  Info
14462  2006-08-01 17:09:54.652620  10.11.12.2  10.11.12.9   ARP       Who has 10.11.12.9? Tell 10.11.12.2

Frame 14462 (64 bytes on wire, 64 bytes captured)
    Arrival Time: Aug 1, 2006 17:09:54.652620000
    Time delta from previous packet: 278.026866000 seconds
    Time since reference or first frame: 278.026866000 seconds
    Frame Number: 14462
    Packet Length: 64 bytes
    Capture Length: 64 bytes
Ethernet II, Src: 00:0e:d6:22:b8:3c, Dst: 00:00:a8:84:81:73
    Destination: 00:00:a8:84:81:73 (10.11.12.9)
    Source: 00:0e:d6:22:b8:3c (10.11.12.2)
    Type: ARP (0x0806)
    Trailer: 00000000000000000000000000000000...
    Frame check sequence: 0x1230f4a4 (correct)
Address Resolution Protocol (request)
    Hardware type: Ethernet (0x0001)
    Protocol type: IP (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: request (0x0001)
    Sender MAC address: 00:0e:d6:22:b8:3c (10.11.12.2)
    Sender IP address: 10.11.12.2 (10.11.12.2)
    Target MAC address: 00:00:a8:84:81:73 (10.11.12.9)
    Target IP address: 10.11.12.9 (10.11.12.9)
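
An added example, not part of the original post: a Python sketch that parses raw Ethernet frames, separates unicast ARP requests like the one in the dump from broadcast ones, and reports the gaps between successive probes for each sender/target pair. The frame bytes are rebuilt from the fields in the dump; the timestamps and all function names are constructed for illustration.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

BROADCAST = b"\xff" * 6
# Frame rebuilt from the fields in the dump (FCS omitted), plus 18 zero bytes of padding.
SAMPLE = bytes.fromhex("0000a8848173" "000ed622b83c" "0806" "0001" "0800" "06" "04" "0001"
                       "000ed622b83c" "0a0b0c02" "0000a8848173" "0a0b0c09") + bytes(18)
# Constructed timestamps (seconds): gaps that are multiples of 36 s, as the post describes.
CAPTURE = [(0.0, SAMPLE), (36.0, SAMPLE), (108.0, SAMPLE)]

def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def classify_arp(frame: bytes):
    """Parse an Ethernet II frame; return a dict for IPv4-over-Ethernet ARP, else None."""
    if len(frame) < 42:                      # 14-byte Ethernet header + 28-byte ARP body
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    if op == 1:
        kind = "broadcast-request" if dst == BROADCAST else "unicast-request"
    else:
        kind = "reply" if op == 2 else "other"
    return {
        "kind": kind,
        "eth_dst": fmt_mac(dst),
        "sender_ip": str(IPv4Address(spa)),
        "target_ip": str(IPv4Address(tpa)),
        "tha_matches_dst": tha == dst,   # probe carries the cached MAC in the ARP body too
        "sha_matches_src": sha == src,   # ARP sender MAC should equal the Ethernet source
    }

def unicast_probe_intervals(capture):
    """capture: iterable of (timestamp, frame). Returns {(sender_ip, target_ip): [gaps]}."""
    last, gaps = {}, defaultdict(list)
    for ts, frame in capture:
        info = classify_arp(frame)
        if info and info["kind"] == "unicast-request":
            key = (info["sender_ip"], info["target_ip"])
            if key in last:
                gaps[key].append(round(ts - last[key], 3))
            last[key] = ts
    return dict(gaps)

if __name__ == "__main__":
    print(classify_arp(SAMPLE))
    print(unicast_probe_intervals(CAPTURE))
```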