Getting continuous ARP requests from a single PC

    Question

  • Hi Friends,

    In my LAN I have 9 laptops. The OSes installed on them are:
    2 Windows 7
    1 Windows Vista
    The rest have XP Professional.

    All are getting their internet connection and IP address from an SMC router.
    The problem is that I am getting continuous ARP requests from the Vista PC, and the requests are for unknown IP addresses not in my network.

    No.     Time        Source                Destination           Protocol Info
          1 0.000000    HonHaiPr_30:6d:7c     Broadcast             ARP      Who has 172.16.1.10?  Tell 172.16.1.105
          2 0.621020    HonHaiPr_30:6d:7c     Broadcast             ARP      Who has 172.16.1.222?  Tell 172.16.1.105
          3 0.625947    HonHaiPr_30:6d:7c     Broadcast             ARP      Who has 172.16.1.69?  Tell 172.16.1.105
          4 0.626831    HonHaiPr_30:6d:7c     Broadcast             ARP      Who has 172.16.1.171?  Tell 172.16.1.105
          5 0.634700    HonHaiPr_30:6d:7c     Broadcast             ARP      Who has 172.16.1.19?  Tell 172.16.1.105
          6 0.893075    HonHaiPr_30:6d:7c     Broadcast             ARP      Who has 172.16.1.126?  Tell 172.16.1.105
          7 1.394110    HonHaiPr_30:6d:7c     Broadcast             ARP      Who has 172.16.1.10?  Tell 172.16.1.105
          8 1.399013    HonHaiPr_30:6d:7c     Broadcast             ARP      Who has 172.16.1.222?  Tell 172.16.1.105
          9 1.399779    HonHaiPr_30:6d:7c     Broadcast             ARP      Who has 172.16.1.69?  Tell 172.16.1.105
         10 1.402145    HonHaiPr_30:6d:7c     Broadcast             ARP      Who has 172.16.1.171?  Tell 172.16.1.105
    Monday, January 04, 2010 10:30 AM

Answers

  • I had a similar issue on a Windows 7 machine and found that it was the (Dell) Advanced Networking Service that was causing the ARP requests to be generated.  I've disabled it and they disappeared.
    I haven't seen any problems surface by disabling this.
    Tuesday, February 23, 2010 2:47 AM
  • More than likely you had old network printers, or a printer, that had been configured at IPs that were no longer valid. Deleting the old printers and/or copies of printers will fix it.

    When I discovered a computer on our network doing this I came across this forum, and therefore your post, which gave me the idea to check the guy's printer list. Two old copies of the downstairs printer were still there, both with pending prints showing. Checking the ports on each showed the two IP addresses the machine had been sending out packets for.

    I know this is an old post, but.... someone else might come along later with the same problem.

    Tuesday, June 07, 2011 4:43 PM

All replies

  • My guess is that you have some process on that Vista machine that is requesting these addresses.  I would boot in safe mode with networking and see if the requests go away.  If so, you know that it's some process, but since ARP is serviced by the OS, you won't be able to use process tracking to determine the sender.  To narrow this down, you'll have to shut down processes and services to find out where this traffic is coming from.

    Monday, January 04, 2010 2:42 PM
  • I have a similar problem as well.  However, with 5,000 machines and 24 metropolitan locations I can hardly go disabling interfaces one at a time.  Unfortunately, I also enjoy a public schools budget for instrumentation...

    The scenario is as follows:  A segment (30 main ip segments) starts to get multiple, repeating patterns of arp requests.  All requests originate from the router MAC address.  On bad days, several score of requests will burst out every few seconds over several segments.  Ugly.  Again, hundreds of request bursts for maybe twenty individual ip addresses, over and over and over.  No replies.

    From first post above "unknown address not in my network".   The addresses I am sniffing  (Who is w.x.y.z?), are addresses on segment, but are turned off existing machines.  Each site has at least 150 XP boxes, some three times that.  By the router address, I must assume the requests are coming from off-segment.  Which one?  Lengthy troubleshooting processes come to mind.

    A global "clear arp" command on the router causes a brief period of calm, but the requests soon re-start in frequency, not an unexpected pattern if this is originating from a workstation/server.

    Wild card #2:  Blade VM-Ware server farms.  Makes for an interesting challenge to "catch" arp requests over a 10Gb multi-vlan pipe.  I also use the good, but freeware (did I mention K-12?), Wireshark.

    I'd be quite interested, quite, should an XP or Vista process end up being the culprit.  I can kill processes remotely, and eliminate their re-plaguing of the net.  So, my questions of the original poster would also revolve around process, and culprit OS. 

    Of course, it could be a Microsoft set-up thing, or a "this behavior is by design" OS pattern, a favorite phrase used in MS docs when things don't seem --- intuitive --- to some of us.

    Or, these two ARP symptoms could be entirely unrelated.

    Next efforts:
      - Start up one of the targeted ip address hosts and trace carefully who hits it during/after the boot/login processes.
      - Sniff each segment looking for the requester.
      - Wireshark every DC and/or server, blade or not, for arp requests.  Note, Wireshark does extract a rather large pound of cpu flesh on some already-stressed servers.
      - Play some more with the Foundry RX8's packet and arp debugging offerings.
      - Play some more with SFLOW to get at least some isolation of ARP requests/segment where I have that capability.
      - Retire five years early...


    Keep me informed.  Should I stumble across the answer, I'll get back.


    Saturday, January 23, 2010 7:04 PM
  • I had a similar issue on a Windows 7 machine and found that it was the (Dell) Advanced Networking Service that was causing the ARP requests to be generated.  I've disabled it and they disappeared.
    I haven't seen any problems surface by disabling this.
    Tuesday, February 23, 2010 2:47 AM
  • Dude, I love you.  I've got a Dell machine here that was flooding the LAN with ARP requests continually.  Download speeds on this machine were intolerable, and it was impacting everyone else as well.  You've just saved me from throwing this thing out the window.  As soon as I disabled it the ARP flood disappeared and suddenly instead of getting download speeds of 12kb a second I'm up at full speed.  You rock!
    Friday, March 05, 2010 1:10 PM
  • I had a similar issue on a Windows 7 machine and found that it was the (Dell) Advanced Networking Service that was causing the ARP requests to be generated.  I've disabled it and they disappeared.
    I haven't seen any problems surface by disabling this.

    Ok, me too, but how do I disable " (Dell) Advanced Networking Service"  ???

    Subnet Calculator / Planner      Serial Port
    Thursday, July 01, 2010 12:50 PM
  • Usually services will show up in Service Manager.  Perhaps you can find the service there and stop it.  You might also consider contacting Dell directly as they should have the information about that service and perhaps help you stop or resolve this issue.

    One way to access service manager is right click on My Computer in the Start menu and choose "Manage".  There should be a Services item on the left side.

    Paul

    Thursday, July 01, 2010 2:30 PM
  • My bad.  I looked at the running services and there is not a (Dell) Advanced Networking Service, Advanced Networking Service, or anything else like it.

    Friday, July 02, 2010 10:48 AM
  • Do you have a Dell machine?  Perhaps your problem is slightly different and there is a similar service creating the same kind of traffic.  I suppose you could just look for services that aren't MS and stop them.  But I would contact your computer manufacturer for more support as I'm probably not the best person to help you.
    Friday, July 02, 2010 2:25 PM
  • Yes, it is Dell.

    Friday, July 02, 2010 2:31 PM
  • I just noticed this happening on my computer.  I had to manually disable services.  The problem was related to the Print Spooler.  When I disabled that it stopped sending all the massive ARP requests.  I don't know exactly why but the print spooler was causing it.
    Monday, October 18, 2010 7:20 PM
  • How did you disable it?
    Thursday, January 13, 2011 8:59 PM
  • More than likely you had old network printers, or a printer, that had been configured at IPs that were no longer valid. Deleting the old printers and/or copies of printers will fix it.

    When I discovered a computer on our network doing this I came across this forum, and therefore your post, which gave me the idea to check the guy's printer list. Two old copies of the downstairs printer were still there, both with pending prints showing. Checking the ports on each showed the two IP addresses the machine had been sending out packets for.

    I know this is an old post, but.... someone else might come along later with the same problem.

    Tuesday, June 07, 2011 4:43 PM
  • I know this is old, but to answer your question: you can click Start/Run (XP) and type services.msc, find Print Spooler in the list, right-click, go to Properties, and from there you can start/stop/change startup type or enable/disable.

    On Vista and Win 7 you just type it in the box after you click the "Start" button. However if you do have a problem with the print spooler sending out these requests, see my reply to the post above yours. You probably just need to delete network printers that no longer exist in your environment, or have changed IP addresses and the old (now misconfigured) copies of the printer are still on the computer... especially if these have pending print jobs that never printed due to not being able to find the printer.... Windows is still looking for those printers, hence the ARP requests.

    Tuesday, June 07, 2011 4:55 PM
  • Hello ,

    I had a similar issue with a Windows 7 machine. But when I reboot the machine in safe mode with networking I don't see any ARP requests coming in.

    I guess this is due to some 3rd party service which may be causing this issue.

    It's not a Dell machine.

     

    Thanks
    Rajesh

    Tuesday, June 21, 2011 9:18 AM
  • Yes, that is more than likely the case.

    Paul

    Tuesday, June 21, 2011 9:38 PM
  • I had a similar issue with computers sending ARP requests for IP addresses that are no longer being used. I looked at some old logs and the IP addresses were for some old printers that we had on the network.

    The only problem was when I went to one of the computers that was sending the ARP requests, the old printers were not shown as installed under Printers.

    I started looking at some of the printers that were installed and when I reviewed the PORT settings I saw that there were some TCP/IP PORTs set up for the old printers. The old TCP/IP printer ports were not being used by any printer, but the computer was still sending ARP requests for those IP addresses.

    The other ARP requests on my network that are an issue are related to managed software. The client software is looking for an old server to send its status to, but the old server isn't running any more. I have to reconfigure the clients.

    Wednesday, August 10, 2011 3:38 PM
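
An added example (not part of any post in this thread): a Python sketch of the triage the replies describe, pulling the repeatedly requested, never-answered target IPs out of a Wireshark text export so they can be compared with the addresses configured on TCP/IP printer ports. Packets 11-12 of the sample and the port names passed to `stale_ports` are constructed for illustration.

```python
import re
from collections import defaultdict

# Packets 1-10 are the capture lines from the question (whitespace compacted);
# 11-12 are constructed here to show a normal lookup that gets a reply.
CAPTURE = """\
 1 0.000000 HonHaiPr_30:6d:7c Broadcast ARP Who has 172.16.1.10?  Tell 172.16.1.105
 2 0.621020 HonHaiPr_30:6d:7c Broadcast ARP Who has 172.16.1.222?  Tell 172.16.1.105
 3 0.625947 HonHaiPr_30:6d:7c Broadcast ARP Who has 172.16.1.69?  Tell 172.16.1.105
 4 0.626831 HonHaiPr_30:6d:7c Broadcast ARP Who has 172.16.1.171?  Tell 172.16.1.105
 5 0.634700 HonHaiPr_30:6d:7c Broadcast ARP Who has 172.16.1.19?  Tell 172.16.1.105
 6 0.893075 HonHaiPr_30:6d:7c Broadcast ARP Who has 172.16.1.126?  Tell 172.16.1.105
 7 1.394110 HonHaiPr_30:6d:7c Broadcast ARP Who has 172.16.1.10?  Tell 172.16.1.105
 8 1.399013 HonHaiPr_30:6d:7c Broadcast ARP Who has 172.16.1.222?  Tell 172.16.1.105
 9 1.399779 HonHaiPr_30:6d:7c Broadcast ARP Who has 172.16.1.69?  Tell 172.16.1.105
10 1.402145 HonHaiPr_30:6d:7c Broadcast ARP Who has 172.16.1.171?  Tell 172.16.1.105
11 1.500000 HonHaiPr_30:6d:7c Broadcast ARP Who has 172.16.1.1?  Tell 172.16.1.105
12 1.500400 02:00:00:00:00:01 HonHaiPr_30:6d:7c ARP 172.16.1.1 is at 02:00:00:00:00:01
"""

ROW = re.compile(r"^\s*\d+\s+(\d+\.\d+)\s+\S+\s+\S+\s+ARP\s+(.*)$")
REQUEST = re.compile(r"Who has (\d+(?:\.\d+){3})\?\s+Tell (\d+(?:\.\d+){3})")
REPLY = re.compile(r"(\d+(?:\.\d+){3}) is at \S+")

def unanswered_arp(text, min_repeats=2):
    """Map requester IP -> {target IP: [timestamps]} for lookups repeated at
    least min_repeats times that no host in the capture ever answered."""
    asked = defaultdict(lambda: defaultdict(list))
    answered = set()
    for line in text.splitlines():
        row = ROW.match(line)
        if not row:
            continue  # column header or non-ARP packet
        when, info = float(row.group(1)), row.group(2)
        if (req := REQUEST.search(info)):
            asked[req.group(2)][req.group(1)].append(when)
        elif (rep := REPLY.search(info)):
            answered.add(rep.group(1))
    return {
        requester: {t: ts for t, ts in targets.items()
                    if t not in answered and len(ts) >= min_repeats}
        for requester, targets in asked.items()
    }

def stale_ports(suspects, configured_ports):
    """Names of configured ports (name -> IP) whose IP is an unanswered target."""
    return sorted(n for n, ip in configured_ports.items() if ip in suspects)
```

Feed `stale_ports` the port-to-address pairs read from the Ports tab of the sending machine (or print server); any name it returns is a candidate for deletion.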
  • Accessing some NetGear routers (WNDR4500 and others) with a browser will install an application on your computer called Desktop NetGear Genie. This application will cause non-stop ARP requests from the computer on which Genie is installed - in my case, a Windows 7 Pro workstation. Exiting the application in the system tray caused the ARP requests to cease.

    Tuesday, August 07, 2012 2:39 PM
  • Thanks, we deleted the old printers from our print server but ARPs were still being broadcast.  Didn't even think about deleting the printer ports as they were no longer attached to anything.  As soon as we deleted these old TCP/IP Printer Ports from the print server the ARPs immediately downsized.  Didn't even have to restart the spooler.  Greatly appreciated.
    Wednesday, May 01, 2013 2:32 AM
  • I know this is a really old post but I had a similar issue on an old Windows Vista Premium laptop and I thought I would share my solution because it was simple to try and might help others like me still nursing old machines.  In my case I was using Wireshark to monitor the traffic on my home LAN and noticed the extensive ARP broadcasts originating from the Vista laptop.  I did not seem to have any old printers as some others have noted.  In my case it appeared to correlate to the Media sharing.

    Go into Control Panel > Network and Sharing Center.  Under the "Sharing and Discovery" section, see if "Media Sharing" is On.  If so, (and you don't desire the sharing of media files across computers and devices) turn it off.

    This simple change made an immediate reduction in the ARP packets seen in Wireshark originating from the Vista Premium laptop.

    I also found one of my other XP machines was also causing extensive ARP traffic and in this case, I found it was related to a Canon Inkjet scanner/printer utility.  If I stopped that process, the ARP traffic went away.  Since I can start the utility when I want to use the scanner or printer, I did not have any negative effects from not automatically starting this process at startup.  The lesson here I guess is always start the fewest processes possible at startup.

    • Edited by tallt57 Tuesday, November 05, 2013 12:25 PM additional info
    Tuesday, November 05, 2013 12:06 PM
  • I'm having the same problem with my Wife's laptop - It's a Gateway (Acer) from around 2009 - It originally had Vista on-board, but we were sent a disc to upgrade to Win 7 when it was released, so that's what it has now.

    It's basically doing exactly what the computer in the first post was doing (except the IPs are different, obviously) - The packets from it that are detected in Wireshark are also prefixed with HonHaiPr_ - same as the original poster - which makes me think there may be some connection there..

    I hadn't actually noticed my home network slowing down, but I just started using Wireshark (as I'm doing a Network Systems Admin course and we've been learning about it in our classes) and the number of ARP requests I've noticed it putting out seems quite excessive.

    I've read back through this thread and I've tried turning off network sharing and shutting down the print spooler, but that doesn't seem to have affected it.  I looked for updated drivers for the Wireless NIC as well, but the ones installed are from Feb 2013, and Windows says that they're the latest ones.

    Any ideas?

    Monday, December 02, 2013 1:32 AM
  • Thanks for the tip, I had the same problem here.

    My home server was broadcasting ARP requests and flooded my network (monitored network traffic with Wireshark). I looked at the printers on my home server and I found some old printers.

    I disabled the print spooler and the ARP broadcasts disappeared. Now I got to find out how to remove the old printers because I couldn't remove them (Access denied).

    Tuesday, June 17, 2014 2:37 PM