Wireshark - ARP requests for devices outside subnet
I have had a hunch that something isn't right with my network switching; the activity LEDs are too much in unison, not behaving like a switch that is routing data (the expected random flashing of activity). It feels similar to that of a network that is flooded with broadcast traffic, similar to the way Spanning Tree Protocol makes switches behave. So I flashed up Wireshark on one of my file servers and took a 30-second snippet of traffic. The logs are full of ARP (Address Resolution Protocol) broadcast requests, fairly unusual to see in an environment that has DNS servers, but the ARP requests are all asking who has a 169.254.xxx.xxx address, and the network subnet is 172.16.xxx.xxx. To my knowledge these 169.254 addresses don't exist.
There aren't just a few of these; we're talking in the region of 1000 in 30 seconds (we only have 350 devices on the network). They are all originating from various different devices on the network, so it isn't a rogue device pouring out all these requests.
169.254.0.0/16 is the link-local subnet used for automatic IP address allocation (APIPA in Microsoft-speak).
My guess is that some hosts on your 172.16.xx.xx subnet have lost/expired their IP addresses and are unable to get a new one via DHCP for some reason (DHCP server down?). They have switched to automatic address allocation which means they randomly pick an address in the 169.254.0.0/16 range then probe to check whether it's already in use. The probes are the ARP packets you're seeing. RFC 3927 - Dynamic Configuration of IPv4 Link-Local Addresses explains this in detail.
First port of call: check that you have working DHCP on that subnet.
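The probe/announce behaviour the answer describes has a recognisable shape on the wire: an RFC 3927 probe is an ARP request whose sender protocol address is 0.0.0.0 and whose target is the candidate 169.254.x.y address, and the announcement that follows has sender and target both set to the claimed address. The following script is an added example (not code from the thread or from Wireshark) that parses raw Ethernet/ARP frames without any third-party library, labels each request by that rule, and summarises a capture window the way you would to confirm the "many hosts, all autoconfiguring" diagnosis. The sample frames at the bottom are constructed to mimic the traffic in the question; the MACs and addresses in them are made up.

```python
"""Count and classify ARP requests aimed at the 169.254.0.0/16 link-local range."""
import ipaddress
import struct
from collections import Counter, defaultdict

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
UNSPECIFIED = ipaddress.ip_address("0.0.0.0")


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_arp_request(src_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Build a broadcast Ethernet frame carrying an ARP request (constructed test data)."""
    eth = _mac_bytes("ff:ff:ff:ff:ff:ff") + _mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)  # htype, ptype, hlen, plen, op
    arp += _mac_bytes(src_mac) + ipaddress.ip_address(sender_ip).packed
    arp += bytes(6) + ipaddress.ip_address(target_ip).packed  # target MAC is unknown in a request
    return eth + arp


def parse_arp(frame: bytes):
    """Return (op, src_mac, sender_ip, target_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tpa = frame[22:28], frame[28:32], frame[38:42]
    src_mac = ":".join(f"{b:02x}" for b in sha)
    return op, src_mac, ipaddress.ip_address(spa), ipaddress.ip_address(tpa)


def classify(frame: bytes):
    """Label an ARP request using RFC 3927 semantics; None for non-ARP or non-request frames."""
    parsed = parse_arp(frame)
    if parsed is None or parsed[0] != ARP_REQUEST:
        return None
    _, _, sender_ip, target_ip = parsed
    if target_ip not in LINK_LOCAL:
        return "normal"
    if sender_ip == UNSPECIFIED:
        return "ll_probe"       # "is 169.254.x.y taken?" from a host with no address yet
    if sender_ip == target_ip:
        return "ll_announce"    # host has claimed the address and is announcing it
    return "ll_request"         # ordinary request involving a link-local address


def summarize(frames, window_seconds: float):
    """Aggregate one capture window: counts per label, hosts seen autoconfiguring, request rate."""
    by_class = Counter()
    link_local_by_mac = defaultdict(int)
    for frame in frames:
        label = classify(frame)
        if label is None:
            continue
        by_class[label] += 1
        if label.startswith("ll_"):
            link_local_by_mac[parse_arp(frame)[1]] += 1
    total = sum(by_class.values())
    return {
        "by_class": dict(by_class),
        "autoconf_hosts": sorted(link_local_by_mac),  # source MACs that touched 169.254/16
        "link_local_share": (total - by_class["normal"]) / total if total else 0.0,
        "requests_per_second": total / window_seconds if window_seconds > 0 else 0.0,
    }


# Constructed sample: two hosts probing link-local addresses, one of them then
# announcing its claim, and one host making a normal request on 172.16.0.0/16.
SAMPLE_FRAMES = (
    [build_arp_request("00:11:22:33:44:01", "0.0.0.0", "169.254.10.20")] * 3
    + [build_arp_request("00:11:22:33:44:02", "0.0.0.0", "169.254.77.3")] * 3
    + [build_arp_request("00:11:22:33:44:02", "169.254.77.3", "169.254.77.3")]
    + [build_arp_request("00:11:22:33:44:03", "172.16.1.50", "172.16.1.1")]
)

if __name__ == "__main__":
    print(summarize(SAMPLE_FRAMES, window_seconds=30.0))
```

To run this over a real capture, feed it the raw frames from a pcap (any pcap reader that hands back link-layer bytes will do) and compare the `autoconf_hosts` list against your DHCP lease table: a long list of MACs that each send three probes and then an announcement is the signature of hosts that gave up on DHCP, which is what RFC 3927 describes. In Wireshark itself the display filter `arp.dst.proto_ipv4 == 169.254.0.0/16` isolates the same requests.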
I've got a little further with this: if I disable the service "Sophos Message Routing Service", the workstation stops broadcasting these ARP packets. The problem is all workstations are doing this; incidentally, none of them are reporting their status on the Enterprise Console.
Sorted this: I had to uninstall the Enterprise Console, manually search the registry for leftover keys, search the hard disk for leftover files, and drop the Sophos database from SQL (it truly amazed me how much an uninstall left behind).
Then perform a fresh install and roll out the clients again.