Sign in
 
HomeLibraryWikiLearnGalleryDownloadsSupportForumsBlogs
Resources for IT Professionals >
Getting continous ARP requests from a single PC

Answered Getting continous ARP requests from a single PC

  • Monday, January 04, 2010 10:30 AM
     
     
    Sign In to Vote
    0
    Hi Friends,

    in my LAN i have 9 laptops, OS installed on them are:
    2 Windows 7
    1 Windows vista
    rest have XP professional.

    all are getting internet connection and IP address from a SMC router.
    the problem is that i am getting continous ARP request from vista PC, and request for unknown IP address not in my network.

    No.     Time        Source                Destination           Protocol Info
          1 0.000000    HonHaiPr_30:6d:7c     Broadcast             ARP      Who has 172.16.1.10?  Tell 172.16.1.105
          2 0.621020    HonHaiPr_30:6d:7c     Broadcast             ARP      Who has 172.16.1.222?  Tell 172.16.1.105
          3 0.625947    HonHaiPr_30:6d:7c     Broadcast             ARP      Who has 172.16.1.69?  Tell 172.16.1.105
          4 0.626831    HonHaiPr_30:6d:7c     Broadcast             ARP      Who has 172.16.1.171?  Tell 172.16.1.105
          5 0.634700    HonHaiPr_30:6d:7c     Broadcast             ARP      Who has 172.16.1.19?  Tell 172.16.1.105
          6 0.893075    HonHaiPr_30:6d:7c     Broadcast             ARP      Who has 172.16.1.126?  Tell 172.16.1.105
          7 1.394110    HonHaiPr_30:6d:7c     Broadcast             ARP      Who has 172.16.1.10?  Tell 172.16.1.105
          8 1.399013    HonHaiPr_30:6d:7c     Broadcast             ARP      Who has 172.16.1.222?  Tell 172.16.1.105
          9 1.399779    HonHaiPr_30:6d:7c     Broadcast             ARP      Who has 172.16.1.69?  Tell 172.16.1.105
         10 1.402145    HonHaiPr_30:6d:7c     Broadcast             ARP      Who has 172.16.1.171?  Tell 172.16.1.105
     

All Replies

  • Monday, January 04, 2010 2:42 PM
    Owner
     
     
    Sign In to Vote
    0

    My guess is that you have some process on that Vista machine that is requesting these addresses.  I would boot in safe mode with networking and see if the requests go away.  If so, you know that it's some process, but since ARP is serviced by the OS, you won't be able to use process tracking to determine the sender.  To narrow this down, you'll have to shut down processes and services to find out where this traffic is coming from.

     
  • Saturday, January 23, 2010 7:04 PM
     
     
    Sign In to Vote
    0
    I have a similar problem as well.  However, with 5,000 machines and 24 metropolitan locations I can hardly go disabling interfaces one at a time.  Unfortunately, I also enjoy a public schools budget for instrumentation...

    The scenario is as follows:  A segment (30 main ip segments) starts to get multiple, repeating patterns of arp requests.  All requests originate from the router MAC address.  On bad days, several score of requests will burst out every few seconds over several segments.  Ugly.  Again, hundreds of request bursts for maybe twenty individual ip addresses, over and over and over.  No replies.

    From first post above "unknown address not in my network".   The addresses I am sniffing  (Who is w.x.y.z?), are addresses on segment, but are turned off existing machines.  Each site has at least 150 XP boxes, some three times that.  By the router address, I must assume the requests are coming from off-segment.  Which one?  Lengthy troubleshooting processes come to mind.

    A global "clear arp" command on the router causes a brief period of calm, but the requests soon re-start in frequency, not an unexpected pattern if this is originating from a workstation/server.

    Wild card #2:  Blade VM-Ware server farms.  Makes for an interesting challenge to "catch" arp requests over a 10Gb multi-vlan pipe.  I also use the good, but freeware (did I mention K-12?), Wireshark.

    I'd be quite interested, quite, should an XP or Vista process end up being the culprit.  I can kill processes remotely, and eliminate their re-plaguing of the net.  So, my questions of the original poster would also revolve around process, and culprit OS. 

    Of course, it could be a Microsoft set-up thing, or a "this behavior is by design" OS pattern, a favorite phrase used in MS docs when things don't seem --- intuitive --- to some of us.

    Or, these two ARP symptoms could be entirely unrelated.

    Next efforts:  Start up one of the targeted ip address hosts and trace carefully who hits it during/after the boot/login processes.
          Sniff each segment looking for the requester.
          Wireshark every DC and/or server, blade or not, for arp requests.  Note, Wireshark does extract a rather large pound of cpu flesh on some already-stressed servers.
         Play some more with the Foundry RX8's packet and arp debugging offerings.
         Play some more with SFLOW to get at least some isolation of ARP requests/segment where I have that capability.
         Retire five years early...


    Keep me informed.  Should I stumble across the answer, I'll get back.


     
  • Tuesday, February 23, 2010 2:47 AM
     
     Answered
    Sign In to Vote
    1
    I had a similar issue on a Windows 7 machine and found that it was the (Dell) Advanced Networking Service that was causing the arp requests to be generated.  Ive disabled it and they disappeared.
    I havent seen any problems surface by disabling this.
     
  • Friday, March 05, 2010 1:10 PM
     
     
    Sign In to Vote
    0
    Dude, I love you.  I've got a Dell machine here that was flooding the LAN with ARP requests continually.  Download speeds on this machine were intolerable, and it was impacting everyone else as well.  You've just saved me from throwing this thing out the window.  As soon as I disabled it the ARP flood disappeared and suddenly instead of getting download speeds of 12kb a second I'm up at full speed.  You rock!
     
  • Thursday, July 01, 2010 12:50 PM
     
     
    Sign In to Vote
    0
    I had a similar issue on a Windows 7 machine and found that it was the (Dell) Advanced Networking Service that was causing the arp requests to be generated.  Ive disabled it and they disappeared.
    I havent seen any problems surface by disabling this.

    Ok, me too, but how do I disable " (Dell) Advanced Networking Service"  ???
    Subnet Calculator / Planner      Serial Port
     
  • Thursday, July 01, 2010 2:30 PM
    Owner
     
     
    Sign In to Vote
    0

    Usually services will show up in Service Manager.  Perhaps you can find the service there and stop it.  You might also consider coantacting Dell directly as they should have the information about that service and perhaps help you stop or resolve this issue.

    One way to access service manager is right click on My Computer in the Start menu and choose "Manage".  There should be a Services item on the left side.

    Paul

     
  • Friday, July 02, 2010 10:48 AM
     
     
    Sign In to Vote
    0
    My bad.  I looked at the running services and there is not a (Dell) Advanced Networking Service, Advanced Networking Service, or anything else like it.
    Subnet Calculator / Planner      Serial Port
     
  • Friday, July 02, 2010 2:25 PM
    Owner
     
     
    Sign In to Vote
    0
    Do you have a Dell machine?  Perhaps you problem is slightly different and there is a similar service creating the same kind of traffic.  I suppose you could just look for services that aren't MS and stop them.  But I would contact your computer manufacture for more support as I'm probably not the best person to help you.
     
  • Friday, July 02, 2010 2:31 PM
     
     
    Sign In to Vote
    0
    Yes, it is Dell.
    Subnet Calculator / Planner      Serial Port
     
  • Monday, October 18, 2010 7:20 PM
     
     
    Sign In to Vote
    0
    I just noticed this happening on my computer.  I had to manually disable services.  The problem was related to the Print Spooler.  When I disabled that it stopped sending all the massive ARP requests.  I dont know exactly why but the print spooler was causing it.
     
  • Thursday, January 13, 2011 8:59 PM
     
     
    Sign In to Vote
    0
    how did you disable it?
     
  • Tuesday, June 07, 2011 4:43 PM
     
     Answered
    Sign In to Vote
    0

    More than likely you had old network printers , or a printer, that had been configured at IPs that were no longer valid. Deleting the old printers and/or copies of printers will fix it.

    When I discovered a computer on our network doing this I came across this forum, and therefore your post, which gave me the idea to check the guys printer list. Two old copies of the downstairs printer were still there, both with pending prints showing. Checking the ports on each showed the two IP address the machine had been sending out packets for.

     

    I know this is an old post, but.... someone else might come along later with the same problem.

     
  • Tuesday, June 07, 2011 4:55 PM
     
     
    Sign In to Vote
    0

    I know this is old, but to answer your question You can click start/run (xp) and type services.msc, find print spooler in the list, and right click , go to properties and from there you can start/stop/change starup type or enable/disable.

    On vista and win 7 you just type it in the box after you click the "start" button. However if you do have a problem wtih the print spooler sending out these requests, see my reply to the post above yours. You probably just need to delete network printers that no longer exist in your environment, or have changed IP addresses and the old (now misconfigured) copies of the printer are still on the computer... especially if these have pending print jobs that never printed due to not being able to find the printer.... Windows is still looking for those printers,, hence the arp requests.

     
  • Tuesday, June 21, 2011 9:18 AM
     
     
    Sign In to Vote
    0

    Hello ,

    I had similar issue with windows 7 machine.But when i reboot the machine in safe mode with networking i dont see any ARP request coming in.

    I guess this is due to some 3rd party service which may be causing this issue.

    Its not a dell machine.

     

    Thanks
    Rajesh

     
  • Tuesday, June 21, 2011 9:38 PM
    Owner
     
     
    Sign In to Vote
    0

    Yes, that is more than likely the case.

    Paul

     
  • Wednesday, August 10, 2011 3:38 PM
     
     
    Sign In to Vote
    1

    I had a similar issue with computers sending ARP requests for IP addresses that are no longer being used. I looked at some old logs and the IP addresses were for some old printers that we had on the network.

    The only problem was when I went to one of the computers that was sending the ARP requests, the old printers were not shown as installed under Printers.

    I started looking at some of the printers that were installed and when I reviewed the PORT settings I saw that there were some TCP/IP PORTs set up for the old printers. The old TCP/IP printer ports were not being used by any printer, but the computer was still sending ARP requests for those IP addresses.

    The other ARP requests on my network that are an issue, is related to managed software. The client software is looking for an old server to send it's status to, but the old server isn't running any more. I have to reconfigure the clients.

     
  • Tuesday, August 07, 2012 2:39 PM
     
     
    Sign In to Vote
    0

    Accessing some NetGear routers (WNDR4500 and others) with a browser will install an application on your computer called Desktop NetGear Genie. This application will cause non-stop ARP requests from the computer on which Genie is installed - in my case, a Windows 7 Pro workstation. Exiting the application in the system tray caused the ARP requests to cease.

     
  • Wednesday, May 01, 2013 2:32 AM
     
     
    Sign In to Vote
    0
    Thanks, we deleted the old printers from our print server but ARP's were still being broadcast.  Didnt even think about deleting the printer ports as they were no longer attached to anything.  As soon as we deleted these old TCP/IP Printer Ports from the print server the ARP's imediately downsized.  Didn't even have to restart the spooler.  Greatly appreciated.