Wired Networks Thread, Wireshark - ARP requests for devices outside subnet in Technical; I have had a huntch that something isn't right with my network switching, the activity LEDS are to much in ...
11th October 2012, 03:16 PM #1
- Rep Power
Wireshark - ARP requests for devices outside subnet
I have had a huntch that something isn't right with my network switching, the activity LEDS are to much in unison not behaving like a switch that is routing data (the expect random flashing of activity.) It feels similar to that of a network that is flooded with broadcast traffic, similar to the way Spanning Tree protocol makes switches behave. So I flashed up Wireshark on one of my file server and took a 30second snippet of traffic. The Logs are full of ARP broadcast requests, (address resolution protocols) fairly unusal to see this in an enviroment that has DNS Servers but that ARP requests are all asking for who has 169.254.xxx.xxx address and the network subnet is 172.16.xxx.xxx. And to my knowlage these 169.254 address dont exsit.
There isn't just afew of these, were talking in the region of 1000 in 30 seconds (we only have 350 devices on the network.) They are all originating from various different devices on the network so isn't a rogue device pouring out all these request.
Anyone shed any light?? is this normal??
IDG Tech News
11th October 2012, 10:05 PM #2
169.254.0.0/16 is the link-local subnet used for automatic IP address allocations (APIPA in microsoft-speak).
My guess is that some hosts on your 172.16.xx.xx subnet have lost/expired their IP addresses and are unable to get a new one via DHCP for some reason (DHCP server down?). They have switched to automatic address allocation which means they randomly pick an address in the 169.254.0.0/16 range then probe to check whether it's already in use. The probes are the ARP packets you're seeing. RFC 3927 - Dynamic Configuration of IPv4 Link-Local Addresses explains this in detail.
First port of call: check that you have working DHCP on that subnet.
12th October 2012, 09:55 AM #3
- Rep Power
Ive got alittle further with this, if i disable the service "sophos message routing service" the workstation stops broacasting these ARP packets. The problem is all workstations are doing this, incidentially none of them are reporting their status' on the enterprise console.
12th October 2012, 01:21 PM #4
On a suspect workstation, what is the output of:
What is the output of
15th October 2012, 02:20 PM #5
- Rep Power
Sorted this, i had to uninstall the enterprise console, manually search registry for left over keys, and search the hard disk for left over files and droping the sophos database from sql (It truely amazed me how much an uninstall left behind)
Then perform an fresh install and roll out the clients again.
By GrumbleDook in forum East Midlands Broadband Consortium (EMBC)
Last Post: 19th June 2007, 08:10 PM
By PageZ in forum General Chat
Last Post: 25th April 2007, 03:10 PM
By rama1712 in forum Windows
Last Post: 6th October 2006, 02:01 PM
By arctan in forum Scripts
Last Post: 5th March 2006, 02:22 PM
By peterday in forum Windows
Last Post: 21st November 2005, 03:13 PM
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)