I know this topic has been discussed before but I would like to clarify a few things for anyone out there who knows something about ARP broadcasts and cable modems.
I believe I have noticed an increase of ARP chatter on my cable modem, I noticed this the other night when I accidentally locked the cat out, I reach over to open the window and noticed a steady flicker on the back of my server, thinking this was an attack I quickly started capturing packets and noticed it was a constant flow of ARP incoming traffic, much of it repetitive data. After doing some research and communicating with my ISP tech support I understand it is normal but how much is normal, and why have I never noticed this steady traffic before?
The traffic is a lowly 1.4KB but seems to have increased over the last few months. Any information would be helpful.
RFC826 describes ARP. Briefly, ARP is used to translate between the IP addresses used by computers with the hardware level protocols used on the cable media. When a system wishes to talk to another, it first sends an ARP request - a broadcast asking what's the hardware address of IP
12.34.56.78 or whatever. That hosts responds and says "I'm here". Both systems then remember the hardware addresses for some time - RFC1122 section 2.3.2 suggests a timeout of _about_ one minute.
What you are _PROBABLY_ seeing is the result of windoze worms trying to spread. Many worms try to spread to every host address. To do so, they want to know the hardware address associated with each IP. If the host that is trying to spread the infection is local (on your wire), you'll see it sending the ARP requests. If the hosts is remote, then it will be your gateway router doing the asking. How much of this traffic is generated is dependent on how large the local network is (you can determine this by looking at the network configuration data on the cable modem, or by just looking at the range of addresses you see). A typical range might be 128, 256 (quite common), 512, 1024 or rarely 2048.
Each packet is only 28 bytes (42 if you include the Ethernet header) plus any padding needed to bring it up to the minimum required at the wire level (on Ethernet, this would add 18 bytes for a total of 60 bytes), so even if you assume seeing only data (28 bytes), 1.4 KB/Sec is 50 ARP packets (most cable modems only let you see all broadcasts and only those unicasts directed at you, so you are unlikely to see the 50 ARP _requests_ AND 50 _replies_ if the queried host is up), which really isn't anything important. Assuming a continuous chatter, 50 per second times 60 seconds that an ARP should "last" says about 300 hosts on the wire. In the rare 'worst case' of 2048 hosts on a local segment (ex. 12.34.0.0 to 12.34.7.255), the traffic should _average_ no more than 9.5 KB/Sec. Doubling this for the unseen replies is still a drop in the bucket.
I did too, on my old cable modem. Comcast had me install the new DOCSIS Motorola SURFboard sb4220 cable modem. Activity light is just blinking away and is usless to gauge what is going on. Getting constantant arp requests just like the OP indicated.
That must be it, I just changed to the new Motorola brand modem too. I've upgraded to Shaw's "extreme" package and I think this might have something to do with it.
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here.
All logos and trade names are the property of their respective owners.