Learn to love the arp command's -s switch and start entering static arp entries. And while you're at it, use
static IP addresses and get rid of those pesky DHCP broadcasts. ;-)
Seriously though, it only looks like a lot.
If you were to set up a network monitoring station running something like NTOP,
you’d see that as a percentage of total traffic and bandwidth, the ARP
broadcasts would not be significant. ARP packets are small and are ignored by
every machine unless they’re the machine that needs to respond. Take a
look at the requesting stations. On my network the big ARP broadcasters tend
to be domain controllers, files and print servers, and routers. I wouldn’t
be surprised if that’s what you found. Just about everyone who’s started
using a traffic analyzer has been surprised by the number of broadcasts on
their networks.
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Pablo Brozovich
Sent: Thursday, July 23, 2009 9:33 AM
To: wireshark-users@xxxxxxxxxxxxx
Subject: Re: [Wireshark-users] Why are there a lot of ARP traffic in a network?
I am looking at a 200-second trace with 10,511 packets, in this case
there are 7,720 ARP packets (73.45%). Can I take it easy? What can I do to
reduce those ARP packets in the network's traffic?
<-----Original Message----->
From: Ian Schorr [wireshark-users@xxxxxxxxxxxxx]
Sent: 22/7/2009 6:22:22 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Why are there a lot of ARP traffic in a network?
I've found people (especially those that don't analyze traffic often)
frequently misinterpret traffic volumes during idle periods.
I've had people tell me "it looks like the network is suddenly flooded
with broadcasts", to find that they were simply looking at a capture of a
time where not much was happening.
For example, they might be looking at a 100-second trace where the host they
were monitoring was busy, then relatively idle for a 90 second period, then
busy again. As they browse through a packet list, they'd see that the
first 4,000 packets might be primarily host-specific data, then the next 4,000
primarily ARPs and CDP packets and BPDUs and things, and then host data
again. So "obviously" there's suddenly a period where there are
a "lot" of broadcasts. But they don't notice that the deltas
between each packet have changed, and so even though the packet list suddenly
shifted to being mostly broadcast traffic, the RATE of ARPs and things didn't
change. But psychologically they just don't see it that way - they just
see that suddenly the percentage of broadcast packets is suddenly
different. It's pretty common, partly a result of the way the packet list
is presented. I do it sometimes myself.
All I'm saying is that when you say "a lot of ARP" traffic, is it
really "a lot"? Or do you just see MOSTLY ARP (and maybe other
broadcast) traffic because there's not much else going on the network segment
you're monitoring? How many ARPs do you see per second?
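Ian's point about rate versus share, as an added Python example that is not part of this thread: it builds a constructed trace in which a host is busy for 5 s, idle for 90 s, then busy again while ARP arrives at a steady 4 packets/s, and shows that the ARP percentage per 10-second window swings from a few percent to 100% even though the ARP rate never changes. The packet counts, the 10-second window and the 4 ARP/s figure are all assumptions chosen for illustration.

```python
"""ARP rate vs. ARP share of a capture, per time window (constructed data)."""


def build_trace():
    """Constructed packet list of (timestamp_s, protocol) modelled on the thread:
    4 ARP/s for 100 s, plus 200 TCP packets/s only during 0-5 s and 95-100 s."""
    pkts = [(i * 0.25, "ARP") for i in range(400)]          # steady 4 ARP/s
    for start, end in ((0.0, 5.0), (95.0, 100.0)):           # busy periods
        n = int((end - start) * 200)
        pkts += [(start + k / 200, "TCP") for k in range(n)]
    return sorted(pkts)


def per_window(pkts, width=10.0):
    """Return [(window_start, arp_per_sec, arp_share_pct)] for each window.

    arp_per_sec is what Ian asks for ("how many ARPs per second"); arp_share_pct
    is the figure people quote when they say the network is "mostly ARP"."""
    nwin = int(max(t for t, _ in pkts) // width) + 1
    totals = [0] * nwin
    arps = [0] * nwin
    for t, proto in pkts:
        w = int(t // width)
        totals[w] += 1
        if proto == "ARP":
            arps[w] += 1
    return [
        (w * width, arps[w] / width,
         100.0 * arps[w] / totals[w] if totals[w] else 0.0)
        for w in range(nwin)
    ]


def arp_rate(arp_count, duration_s):
    """Whole-capture ARP rate in packets per second."""
    return arp_count / duration_s


if __name__ == "__main__":
    print(f"{'window':>8} {'ARP/s':>6} {'ARP %':>6}")
    for start, rate, share in per_window(build_trace()):
        print(f"{start:8.0f} {rate:6.1f} {share:6.1f}")
    # Pablo's figures from the thread: 7,720 ARP in 200 s
    print(f"thread capture: {arp_rate(7720, 200):.1f} ARP/s")
```

Run on a real capture, the same two columns can be produced from Wireshark's own timestamps; if the ARP/s column is flat while the ARP % column jumps, the change is in the host traffic, not in ARP.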