Re: ARP Scans

From: ch ganser (chganser_at_gmx.net)
Date: 12/25/03


Date: Thu, 25 Dec 2003 11:29:20 +0100

thanks neil and michael

but i thought the computer should only verify the entries he uses and not
try to verify the whole subnet before even using it. or am i wrong?

we use a private b-network behind a nat/pat bridged over several
locations and all ports are switched (the network design is not our
choice). currently only 2750 ips out of the b-network are used by dhcps.
strange is, that some computers try to resolve macs for ips, that have
never been used.

do all os'es behave like neil said? i thought if a mac is older than
10min the computer sends a who-has package if he needs to make a
connection. no active behavior.

thanks a lot!

christoph

Neil Horman wrote:
> ch ganser wrote:
>
>> Hi
>>
>> In our network, some hosts behave quite strange:
>> They produce between 1000-30000 arp "who-has" packages per day. our
>> gateway and dns-server have only around 500.
>>
>> is there another explanation than an arp scan (any normal application)?
>>
>> thanks
>>
>> chganser
>>
> Sure, linux by default makes sure that entries in the arp cache are
> good. If you have a large network, with lots of machines on a
> particular network segment (read: reachable via arp), then you will tend
> to have a large arp cache on each linux box. If those machines don't
> produce a lot of traffic, or if your network is segmented with switches in
> such a way that the linux boxes don't see that traffic, then they will
> periodically send out arp requests to verify the entries are still
> good. It's quite easy on a network with a high degree of segmentation
> (via switches) to have a linux box produce the number of arps you
> mention. There's nothing wrong with it. If you feel that it's unneeded
> traffic on your network however, it's also fairly easy to tune down. In
> /proc/sys/net/ipv4/neigh you will find several directories, 1 for each
> network interface on a system, plus a default (aka "all interfaces")
> directory. In these directories are several files allowing for the
> tuning of arp behavior (if you are unfamiliar with the proc filesystem,
> these are also settable via the sysctl interface). The values in these
> files are documented in section 7 of the arp man page (man 7 arp). Here
> you can do all sorts of things like changing the number of entries
> allowed in the arp table, thresholds before the garbage collector runs,
> times to wait before verifying addresses, etc.
>
> HTH
> Neil
>
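Added example, not part of the original thread: a per-host summary of who-has requests from a tcpdump text capture, to help tell repeated verification of a few known peers from requests spread across addresses that hold no DHCP lease. The sample capture, the addresses, the `KNOWN` lease set and both thresholds are constructed assumptions; the heuristic is a starting point for triage, not a rule.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Matches tcpdump text output such as:
#   12:00:01.0 ARP, Request who-has 10.1.8.1 tell 10.1.3.7, length 46
WHO_HAS = re.compile(r"ARP, Request who-has (\S+?)(?: \(\S+\))? tell (\S+?),")

def summarize(lines, known_ips):
    """Per requester: request count, distinct targets, targets with no
    lease (not in known_ips), and longest run of consecutive targets."""
    targets = defaultdict(list)
    for line in lines:
        m = WHO_HAS.search(line)
        if m:
            targets[m.group(2)].append(int(ip_address(m.group(1))))
    report = {}
    for src, seen in targets.items():
        uniq = sorted(set(seen))
        run = best = 1
        for a, b in zip(uniq, uniq[1:]):
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        unused = sum(1 for t in uniq if str(ip_address(t)) not in known_ips)
        report[src] = {"requests": len(seen), "distinct": len(uniq),
                       "unused": unused, "longest_run": best}
    return report

def looks_like_sweep(stats, min_distinct=20, unused_ratio=0.8):
    """Assumed thresholds: many distinct targets, most of them never leased."""
    return (stats["distinct"] >= min_distinct
            and stats["unused"] / stats["distinct"] >= unused_ratio)

def sample_capture():
    """Constructed capture: one host walking 10.1.8.1-40, one host
    re-verifying three peers it already talks to."""
    walk = [f"12:00:{i:02d}.0 ARP, Request who-has 10.1.8.{i} tell 10.1.3.7, length 46"
            for i in range(1, 41)]
    peers = ["10.1.0.1", "10.1.0.53", "10.1.2.14"]
    verify = [f"12:01:{i:02d}.0 ARP, Request who-has {peers[i % 3]} tell 10.1.2.20, length 46"
              for i in range(30)]
    return walk + verify

# Constructed stand-in for the addresses currently handed out by DHCP.
KNOWN = {"10.1.0.1", "10.1.0.53", "10.1.2.14", "10.1.2.20", "10.1.3.7"}

if __name__ == "__main__":
    for src, stats in summarize(sample_capture(), KNOWN).items():
        print(src, stats, "sweep-like" if looks_like_sweep(stats) else "cache-like")
```

Feeding it real data means saving `tcpdump -n arp` output to a file and passing its lines together with the current lease list.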


