
Ethernet network - Repeated ARP packets for same request

NY

Jan 7, 2021, 5:58:56 AM

My wife is scanning our LAN with Wireshark to study different protocol
traffic for a course that she is doing.

We've noticed a lot of ARP traffic "Who has address 1.2.3.4 Tell 2.3.4.5"
from various devices (Windows, Android, network hardware, Alexa nodes etc)
and some of it seems to be repeated queries. Am I right in believing that
normal behaviour for any device on a network is to build its own local ARP
table of IP versus MAC address when it is first turned on, and then to refer
to entries in that local table rather than broadcasting on the LAN for
something which it has already asked and should know?


grinch

Jan 7, 2021, 6:37:29 AM

Yes, that should be the behaviour, but I see similar behaviour only when
our new Samsung TV is switched on; it ARPs every 5 seconds. Without it
being on, the network behaves as you suggest it should.

I don't understand why, unless they are saving money on memory in the
devices. Or just bad coding.

I don't have any Windows/Apple/Alexa machines on my network, so can't
comment on them.

With Cisco kit it is possible to set the ARP cache timeout.

I would also be interested if someone has a more intelligent/insightful
answer than mine.

Andy Burns

Jan 7, 2021, 6:53:23 AM

NY wrote:

> Am I right in believing that normal behaviour for any device on a
> network is to build its own local ARP table of IP versus MAC address
> when it is first turned on, and then to refer to entries in that
> local table
Yes, but entries time out from ARP caches, also some devices are badly
behaved and send out a constant stream of gratuitous ARPs even when
nothing is sending them requests.

NY

Jan 7, 2021, 8:38:34 AM

"Andy Burns" <use...@andyburns.uk> wrote in message
news:i5ob1g...@mid.individual.net...
What is a typical ARP timeout? A few seconds? A few minutes? An hour or so?

My Windows PC ("arp -a") shows that there is an IP-MAC entry for a lot of
computers, including the NAT router for accessing the outside world. And yet
there are ARP requests for entries in that table.

Looking again, I've spotted something else. Not all the ARP requests are
broadcasts. There are cases where one computer sends an ARP to another
computer saying "who has <IP>". Is that normal behaviour "I think you use
this IP. Is that (still) the case?"?


There are some Amazon Alexa devices which send out repeated identical ARPs
every five seconds, and the computer (another Alexa, or the router) with
that IP doesn't respond to say "that's me". There are, in general, a lot of
ARP requests which seem never to get a response. Unless a Wireshark display
filter of "arp" misses some of the responses - but the fact that it lets
through *some* suggests that it should let through *all*.

Not a big issue. There's so much other traffic on the LAN that a few stray
ARPs aren't going to make much difference, and *any* use of Wireshark on a
"live" LAN requires some form of display filter of protocol or
source/destination so you can see the wood for the trees.

Andy Burns

Jan 7, 2021, 9:02:59 AM

NY wrote:

> What is a typical ARP timeout? A few seconds? A few minutes? An hour or so?
Windows is 60 seconds.

> My Windows PC ("arp -a") shows that there is an IP-MAC entry for a lot
> of computers, including the NAT router for accessing the outside world.
> And yet there are ARP requests for entries in that table.
>
> Looking again, I've spotted something else. Not all the ARP requests are
> broadcasts.

Are you saying not broadcast based on not having a destination IP of the
local subnet broadcast addr (e.g. 192.168.x.255) or on not having MAC
addr of all FF?

> There are some Amazon Alexa devices which send out repeated identical
> ARPs every five seconds, and the computer (another Alexa, or the router)
> with that IP doesn't respond to say "that's me". There are, in general,
> a lot of ARP requests which seem never to get a response.

Sounds like announcements rather than requests/replies.

> Unless a
> Wireshark display filter of "arp" misses some of the responses - but
> the fact that it lets through *some* suggests that it should let
> through *all*.

Where is Wireshark listening? Hopefully wired rather than
wireless ... But even if plugged into a normal switch it won't see all
traffic e.g. if computer A sends a reply to computer B, then there's no
reason for the switch to even send it to the port that Wireshark is
running on.

To see everything you need to be using a switch that supports
port-mirroring, and configure that to send copies of packets to/from
several other ports on the switch.

NY

Jan 7, 2021, 9:58:24 AM

"Andy Burns" <use...@andyburns.uk> wrote in message
news:i5oikh...@mid.individual.net...
> NY wrote:
>
>> What is a typical ARP timeout? A few seconds? A few minutes? An hour or
>> so?
> Windows is 60 seconds.
>
>> My Windows PC ("arp -a") shows that there is an IP-MAC entry for a lot of
>> computers, including the NAT router for accessing the outside world. And
>> yet there are ARP requests for entries in that table.
>>
>> Looking again, I've spotted something else. Not all the ARP requests are
>> broadcasts.
>
> Are you saying not broadcast based on not having a destination IP of the
> local subnet broadcast addr (e.g. 192.168.x.255) or on not having MAC addr
> of all FF?

Having a destination IP and MAC that correspond with the computer that is
being ARPed, as opposed to a MAC of all Fs. But otherwise looking identical
to an ARP request to an all-Fs broadcast MAC.


>> There are some Amazon Alexa devices which send out repeated identical
>> ARPs every five seconds, and the computer (another Alexa, or the router)
>> with that IP doesn't respond to say "that's me". There are, in general, a
>> lot of ARP requests which seem never to get a response.
>
> Sounds like announcements rather than requests/replies.

As decoded by Wireshark, they look identical to the ones which get an
immediate response.


>> Unless a Wireshark display filter of "arp" misses some of the responses -
>> but the fact that it lets through *some* suggests that it should let
>> through *all*.
>
> Where is Wireshark listening? Hopefully wired rather than wireless
> ... But even if plugged into a normal switch it won't see all traffic e.g.
> if computer A sends a reply to computer B, then there's no reason for the
> switch to even send it to the port that Wireshark is running on.

That's a point. I will see ARP requests from anywhere on the LAN, because
switches and mesh wifi nodes have to send broadcasts everywhere (by
definition). But I'll only see ARP responses from computers which are on the
same switch as me. Actually, if the switch (an unmanaged switch) is doing
its job, it should be filtering out *all* traffic except broadcasts and
traffic addressed to my PC (which is running Wireshark).

I wonder if different nodes of a Linksys Velop mesh network also filter
traffic (because they each include a network switch) or whether they all
simply repeat traffic from the primary node which is connected to the router
(and, via two Ethernet switches, to my PC). I'm maybe only seeing ARP
responses from Alexas which are connected to the primary node rather than
one of the other nodes around the house.

I'd need to make a list of the "friendly name" by which we know each Alexa
and its MAC address, to work out which ones are connected by wifi to which
node.
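
Added example, not part of the original thread: a Python sketch that sorts captured ARP frames into the cases discussed above (broadcast request, unicast request to an already-cached MAC, announcement where sender IP equals target IP, reply) and lists requests for which no reply was visible at the capture point. It also labels address-conflict probes (sender IP 0.0.0.0), which the thread does not mention. The helper names, MAC addresses and sample frames are constructed for illustration.

```python
import struct
from collections import Counter

BCAST = "ff:ff:ff:ff:ff:ff"
def mac(s): return bytes.fromhex(s.replace(":", ""))
def ip(b): return ".".join(str(x) for x in b)

def make(dst, src, oper, spa, tha, tpa):
    """Build a 42-byte Ethernet+ARP frame (sender MAC = Ethernet source)."""
    hdr = struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, oper)
    return mac(dst) + mac(src) + hdr + mac(src) + bytes(spa) + mac(tha) + bytes(tpa)

def classify_arp(frame):
    """Label one Ethernet frame by the ARP behaviour it represents."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return "not-arp"
    oper = struct.unpack("!H", frame[20:22])[0]
    spa, tpa = frame[28:32], frame[38:42]
    if spa == tpa:
        return "announcement"      # gratuitous ARP: sender IP == target IP
    if oper == 1 and spa == bytes(4):
        return "probe"             # conflict probe: sender IP 0.0.0.0
    if oper == 1:                  # request: broadcast, or unicast to a cached MAC
        return "broadcast-request" if frame[:6] == mac(BCAST) else "unicast-request"
    return "reply" if oper == 2 else "other"

def summarize(frames):
    """Count classes; list (asker, target, count) requests with no later reply seen."""
    counts, pending = Counter(), Counter()
    for f in frames:
        kind = classify_arp(f)
        counts[kind] += 1
        if kind.endswith("-request"):
            pending[(f[28:32], f[38:42])] += 1
        elif kind == "reply":      # the reply's target IP is the original asker
            pending.pop((f[38:42], f[28:32]), None)
    return counts, sorted((ip(a), ip(t), n) for (a, t), n in pending.items())

# Constructed sample capture: PC .10, router .1, smart speaker .50, silent host .60
PC, RTR, SPK = "02:00:00:00:00:0a", "02:00:00:00:00:01", "02:00:00:00:00:0e"
ZERO, N = "00:00:00:00:00:00", [192, 168, 1]
SAMPLE = [make(BCAST, PC, 1, N + [10], ZERO, N + [1]),    # PC asks for router
          make(PC, RTR, 2, N + [1], PC, N + [10]),        # router answers
          make(RTR, PC, 1, N + [10], RTR, N + [1]),       # PC re-checks cached entry
          make(PC, RTR, 2, N + [1], PC, N + [10]),        # router answers again
          make(BCAST, SPK, 1, N + [50], ZERO, N + [50])]  # speaker announces itself
SAMPLE += [make(BCAST, SPK, 1, N + [50], ZERO, N + [60])] * 3  # never answered

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

An entry in the unanswered list only means no reply reached the capture port; on a switch without port mirroring, a unicast reply to another host would not be seen there.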