High ARP traffic?

[drewp]

Hello, I'm hoping that someone here will be able to answer a question about ARP traffic.

I have been using Wireshark to try and diagnose a slow network and, I seem to have lots of ARP traffic. It's about 40-45% no matter how long the capture runs for -smallest capture is 5 minutes longest is 2 hours.

Should I be seeing this amount of ARP traffic on a network? I have about 250 computers 8 Servers. I have a gigabit switch as a backbone which links up to other 100mbit switches. I have a vanilla Windows 2003 domain with DNS and WINS configured and XP SP2 clients.

Thanks in advance!

[Geoff]

No you should not. There are several reasons for high arp traffic:

1) A badly configured load balancer
2) A network loop
3) Faulty switch/network card/wiring.

[Chris_Jones]

How much is a lot?
is it a hundred or so packets per minute, which probably isnt excessive for a network your size, or several thousand per minute which is excessive.

We noticed this on our network, where over 60% of traffic was ARP but this turned out to be purely because there was so little other broadcast traffic.

[localzuk]

Our network has 200 machines on it and prior to VLANing it the ARP traffic was about 5% maximum...

[drewp]

Thanks for the replies so far! A bit new to packet sniffing, so going to have a few gaps in my knowledge...

Just done a 1 minute capture - 179 packets

89 ARP packets - 49% (84 of them are broadcasted)
61 Intel ANS probe packets - 34%
29 Internet Protocol - 16%

The ARP packets are all from Server IP addresses for Client IP Addresses, so i guess this could be normal

[Geoff]

That doesn't seem unreasonable. If you're still bothered about it, consider using one or more VLANs to segment your network.

[localzuk]

179 packets isn't that bad over a minute.

[drewp]

Thanks for your help on this, I was wondering if that could be slowing the network down.

I don't know that much about VLAN's so will have to do a bit of reading about them. As I understand it at the moment VLAN's will only allow data to pass between the ports configured in the VLAN and not other ports on the Switch. So a really silly question is how would a node in a VLAN communicate to something outside of its VLAN?

[localzuk]

Thanks for your help on this, I was wondering if that could be slowing the network down.

I don't know that much about VLAN's so will have to do a bit of reading about them. As I understand it at the moment VLAN's will only allow data to pass between the ports configured in the VLAN and not other ports on the Switch. So a really silly question is how would a node in a VLAN communicate to something outside of its VLAN?

You would need a router to route traffic between the VLANs. I have an HP 5406zl intelligent switch which does the job.

[dilbertrules]

One reason may be that you are sniffing a switch and that you are not really seeing all the traffic. Make sure you mirror the backbone to your port to see as much of the data as possible. Otherwise you will have lower traffic flow and all the broadcast traffic will seem high.

I sometimes take a look at broadcast traffic without a mirrored port and it is always 20 times higher percentage wise because of the lack of data flow.

In working on my current network position I did find that they had been creating network printers with a direct connect to the ip address and then changing the ips and readding the printers again thus leaving the old ports configured in the pcs. And of course the pcs arp broadcast like crazy looking for the printer port even though it is not in use.

Oh I know this is a very old thread but I wanted to leave this out here for anyone researching arp issues.

[Oops_my_bad]

As I understand it at the moment VLAN's will only allow data to pass between the ports configured in the VLAN and not other ports on the Switch.

That's correct, unless you seriously mis-configure your VLANS. Had this problem in my current job - previous network manager left everything on defaults and default vlan 1 was carrying other vlans!