There is always a risk in saying something like that. 20% of arp traffic on a switch port with lots of traffic is worrisome, but 80% of arp traffic on a switch port where almost no application data is present is totally normal. Let's go at it another way....
I assume for a moment that all the computers are XP. Let's see what the maximum amount of arp requests in the broadcast domain could become. XP flushes idle arp entries after 2 minutes and active arp entries after 10 minutes. So in theory, if all systems have the nasty habit of sending each other a packet after 120 seconds so that the entry is already flushed, then we would have the maximum amount of arp traffic. So, 200 systems arping all 199 other systems every 120 seconds would result in 200*199/120 = ~332 arp requests/second. So anything above that is definitely something to look into.
More realistically, let's assume there is a gateway to the internet and about 10 servers that the 190 clients communicate with regularly. All servers also communicate with each other and the internet too. That would result in:
- One router arping every 10 minutes for all 200 hosts
- Ten servers arping every 10 minutes for all 200 hosts
- 190 clients arping every 10 minutes for the router
- 190 clients arping every 10 minutes for 10 servers
All in all (1*200)+(10*200)+(190*1)+(190*10) = 4290 arp requests in 10 minutes, i.e. about 7 requests/second.
So basically, understanding the arp protocol and knowing the timers of your hosts, you can get a ballpark figure of what is a normal rate of arp traffic for your particular network. Examining the arp traffic on your network is a good thing to do. Concentrate on one host at first (filter with arp.src.proto_ipv4 == 192.168.1.46 for example). Then repeat for a few others. Also look at a non-filtered trace and look at the conversations to get an idea of who talks to who. And then you can tell whether the arp traffic on your network is above what you would have expected.
Have fun :-)
Hope this helps,
Cheers,
Sake
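
The estimate in the message above, worked as an added example (not part of the original message and not Wireshark code). It assumes the ARP requests have already been exported from a capture as (sender IP, target IP) pairs, for instance from the `arp.src.proto_ipv4` and `arp.dst.proto_ipv4` fields; the function names, the sample data and the host 192.168.1.99 are constructed for illustration.

```python
from collections import defaultdict

IDLE_FLUSH_S = 120    # XP idle ARP entry lifetime quoted in the message
ACTIVE_FLUSH_S = 600  # XP active ARP entry lifetime quoted in the message

def worst_case_rate(hosts, flush_s=IDLE_FLUSH_S):
    """Upper bound: every host re-resolves every other host at each flush."""
    return hosts * (hosts - 1) / flush_s

def modelled_rate(groups, flush_s=ACTIVE_FLUSH_S):
    """groups: (number_of_senders, peers_each_one_resolves) pairs."""
    return sum(n * peers for n, peers in groups) / flush_s

def per_host_report(requests, window_s, hosts, flush_s=IDLE_FLUSH_S):
    """requests: (sender_ip, target_ip) pairs for ARP requests seen in window_s.
    Returns {sender: (requests_per_s, distinct_targets, over_budget)}."""
    budget = (hosts - 1) / flush_s  # a single host's share of the upper bound
    count, targets = defaultdict(int), defaultdict(set)
    for sender, target in requests:
        count[sender] += 1
        targets[sender].add(target)
    return {s: (count[s] / window_s, len(targets[s]), count[s] / window_s > budget)
            for s in count}

# Constructed sample for a 60 s window: one client resolving 11 peers
# (router plus 10 servers) and one host asking for every address in the /24.
SAMPLE = [("192.168.1.46", f"192.168.1.{i}") for i in range(1, 12)]
SAMPLE += [("192.168.1.99", f"192.168.1.{i}") for i in range(1, 255)]

if __name__ == "__main__":
    print("upper bound  %.0f req/s" % worst_case_rate(200))
    print("modelled     %.2f req/s" % modelled_rate(
        [(1, 200), (10, 200), (190, 1), (190, 10)]))
    for host, (rate, distinct, over) in per_host_report(SAMPLE, 60, 200).items():
        flag = "LOOK INTO" if over else "ok"
        print(f"{host:15} {rate:5.2f} req/s  {distinct:3d} targets  {flag}")
```

A sender that exceeds its own share of the upper bound (199/120 requests per second here) is asking for addresses faster than the cache timers alone can explain, which makes it the first host to filter on.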
----- Original Message -----
Sent: Wednesday, July 22, 2009 5:40 PM
Subject: Re: [Wireshark-users] Why are there a lot of ARP traffic in a network?
What is a lot? Arp traffic typically shouldn't be more than 20% of a typical capture. Could always reduce your broadcast domain to cut down on the amount of ARP traffic.
Adam
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Pablo Brozovich
Sent: Wednesday, July 22, 2009 11:23 AM
To: wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] Why are there a lot of ARP traffic in a network?
There are approximately 200 computers in my work and I want to know the reason why there is a lot of ARP traffic in its network?