+ Post New Thread
Results 1 to 5 of 5
Wired Networks Thread, Wireshark - ARP requests for devices outside subnet in Technical; I have had a huntch that something isn't right with my network switching, the activity LEDS are to much in ...
  1. #1

    Join Date
    May 2011
    Location
    York
    Posts
    51
    Thank Post
    0
    Thanked 3 Times in 3 Posts
    Rep Power
    7

    Wireshark - ARP requests for devices outside subnet

    I have had a huntch that something isn't right with my network switching, the activity LEDS are to much in unison not behaving like a switch that is routing data (the expect random flashing of activity.) It feels similar to that of a network that is flooded with broadcast traffic, similar to the way Spanning Tree protocol makes switches behave. So I flashed up Wireshark on one of my file server and took a 30second snippet of traffic. The Logs are full of ARP broadcast requests, (address resolution protocols) fairly unusal to see this in an enviroment that has DNS Servers but that ARP requests are all asking for who has 169.254.xxx.xxx address and the network subnet is 172.16.xxx.xxx. And to my knowlage these 169.254 address dont exsit.

    There isn't just afew of these, were talking in the region of 1000 in 30 seconds (we only have 350 devices on the network.) They are all originating from various different devices on the network so isn't a rogue device pouring out all these request.

    Anyone shed any light?? is this normal??

    ARP.png

  2. #2

    Join Date
    Oct 2007
    Location
    Lincolnshire
    Posts
    133
    Thank Post
    0
    Thanked 22 Times in 22 Posts
    Rep Power
    17
    169.254.0.0/16 is the link-local subnet used for automatic IP address allocations (APIPA in microsoft-speak).

    My guess is that some hosts on your 172.16.xx.xx subnet have lost/expired their IP addresses and are unable to get a new one via DHCP for some reason (DHCP server down?). They have switched to automatic address allocation which means they randomly pick an address in the 169.254.0.0/16 range then probe to check whether it's already in use. The probes are the ARP packets you're seeing. RFC 3927 - Dynamic Configuration of IPv4 Link-Local Addresses explains this in detail.

    First port of call: check that you have working DHCP on that subnet.

  3. #3

    Join Date
    May 2011
    Location
    York
    Posts
    51
    Thank Post
    0
    Thanked 3 Times in 3 Posts
    Rep Power
    7
    Ive got alittle further with this, if i disable the service "sophos message routing service" the workstation stops broacasting these ARP packets. The problem is all workstations are doing this, incidentially none of them are reporting their status' on the enterprise console.

  4. #4

    Join Date
    Jul 2006
    Location
    London
    Posts
    1,254
    Thank Post
    111
    Thanked 242 Times in 193 Posts
    Blog Entries
    1
    Rep Power
    74
    On a suspect workstation, what is the output of:
    Code:
    ipconfig /all
    What is the output of
    Code:
    tracert FQDN.of.your.Sophos.Server

  5. #5

    Join Date
    May 2011
    Location
    York
    Posts
    51
    Thank Post
    0
    Thanked 3 Times in 3 Posts
    Rep Power
    7
    Sorted this, i had to uninstall the enterprise console, manually search registry for left over keys, and search the hard disk for left over files and droping the sophos database from sql (It truely amazed me how much an uninstall left behind)

    Then perform an fresh install and roll out the clients again.

SHARE:
+ Post New Thread

Similar Threads

  1. Request for help in Derbyshire
    By GrumbleDook in forum East Midlands Broadband Consortium (EMBC)
    Replies: 17
    Last Post: 19th June 2007, 07:10 PM
  2. A second request for resources
    By PageZ in forum General Chat
    Replies: 0
    Last Post: 25th April 2007, 02:10 PM
  3. ms access request for help
    By rama1712 in forum Windows
    Replies: 1
    Last Post: 6th October 2006, 01:01 PM
  4. Replies: 5
    Last Post: 5th March 2006, 01:22 PM
  5. Request for file
    By peterday in forum Windows
    Replies: 10
    Last Post: 21st November 2005, 02:13 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •