Monday, January 04, 2010 10:30 AMHi Friends,
in my LAN i have 9 laptops, OS installed on them are:
2 Windows 7
1 Windows vista
rest have XP professional.
all are getting internet connection and IP address from a SMC router.
the problem is that i am getting continous ARP request from vista PC, and request for unknown IP address not in my network.
No. Time Source Destination Protocol Info
1 0.000000 HonHaiPr_30:6d:7c Broadcast ARP Who has 172.16.1.10? Tell 172.16.1.105
2 0.621020 HonHaiPr_30:6d:7c Broadcast ARP Who has 172.16.1.222? Tell 172.16.1.105
3 0.625947 HonHaiPr_30:6d:7c Broadcast ARP Who has 172.16.1.69? Tell 172.16.1.105
4 0.626831 HonHaiPr_30:6d:7c Broadcast ARP Who has 172.16.1.171? Tell 172.16.1.105
5 0.634700 HonHaiPr_30:6d:7c Broadcast ARP Who has 172.16.1.19? Tell 172.16.1.105
6 0.893075 HonHaiPr_30:6d:7c Broadcast ARP Who has 172.16.1.126? Tell 172.16.1.105
7 1.394110 HonHaiPr_30:6d:7c Broadcast ARP Who has 172.16.1.10? Tell 172.16.1.105
8 1.399013 HonHaiPr_30:6d:7c Broadcast ARP Who has 172.16.1.222? Tell 172.16.1.105
9 1.399779 HonHaiPr_30:6d:7c Broadcast ARP Who has 172.16.1.69? Tell 172.16.1.105
10 1.402145 HonHaiPr_30:6d:7c Broadcast ARP Who has 172.16.1.171? Tell 172.16.1.105
Monday, January 04, 2010 2:42 PMOwner
My guess is that you have some process on that Vista machine that is requesting these addresses. I would boot in safe mode with networking and see if the requests go away. If so, you know that it's some process, but since ARP is serviced by the OS, you won't be able to use process tracking to determine the sender. To narrow this down, you'll have to shut down processes and services to find out where this traffic is coming from.
Saturday, January 23, 2010 7:04 PMI have a similar problem as well. However, with 5,000 machines and 24 metropolitan locations I can hardly go disabling interfaces one at a time. Unfortunately, I also enjoy a public schools budget for instrumentation...
The scenario is as follows: A segment (30 main ip segments) starts to get multiple, repeating patterns of arp requests. All requests originate from the router MAC address. On bad days, several score of requests will burst out every few seconds over several segments. Ugly. Again, hundreds of request bursts for maybe twenty individual ip addresses, over and over and over. No replies.
From first post above "unknown address not in my network". The addresses I am sniffing (Who is w.x.y.z?), are addresses on segment, but are turned off existing machines. Each site has at least 150 XP boxes, some three times that. By the router address, I must assume the requests are coming from off-segment. Which one? Lengthy troubleshooting processes come to mind.
A global "clear arp" command on the router causes a brief period of calm, but the requests soon re-start in frequency, not an unexpected pattern if this is originating from a workstation/server.
Wild card #2: Blade VM-Ware server farms. Makes for an interesting challenge to "catch" arp requests over a 10Gb multi-vlan pipe. I also use the good, but freeware (did I mention K-12?), Wireshark.
I'd be quite interested, quite, should an XP or Vista process end up being the culprit. I can kill processes remotely, and eliminate their re-plaguing of the net. So, my questions of the original poster would also revolve around process, and culprit OS.
Of course, it could be a Microsoft set-up thing, or a "this behavior is by design" OS pattern, a favorite phrase used in MS docs when things don't seem --- intuitive --- to some of us.
Or, these two ARP symptoms could be entirely unrelated.
Next efforts: Start up one of the targeted ip address hosts and trace carefully who hits it during/after the boot/login processes.
Sniff each segment looking for the requester.
Wireshark every DC and/or server, blade or not, for arp requests. Note, Wireshark does extract a rather large pound of cpu flesh on some already-stressed servers.
Play some more with the Foundry RX8's packet and arp debugging offerings.
Play some more with SFLOW to get at least some isolation of ARP requests/segment where I have that capability.
Retire five years early...
Keep me informed. Should I stumble across the answer, I'll get back.
Tuesday, February 23, 2010 2:47 AMI had a similar issue on a Windows 7 machine and found that it was the (Dell) Advanced Networking Service that was causing the arp requests to be generated. Ive disabled it and they disappeared.
I havent seen any problems surface by disabling this.
Friday, March 05, 2010 1:10 PMDude, I love you. I've got a Dell machine here that was flooding the LAN with ARP requests continually. Download speeds on this machine were intolerable, and it was impacting everyone else as well. You've just saved me from throwing this thing out the window. As soon as I disabled it the ARP flood disappeared and suddenly instead of getting download speeds of 12kb a second I'm up at full speed. You rock!
Thursday, July 01, 2010 12:50 PM
I had a similar issue on a Windows 7 machine and found that it was the (Dell) Advanced Networking Service that was causing the arp requests to be generated. Ive disabled it and they disappeared.
I havent seen any problems surface by disabling this.
Ok, me too, but how do I disable " (Dell) Advanced Networking Service" ???
Subnet Calculator / Planner Serial Port
Thursday, July 01, 2010 2:30 PMOwner
Usually services will show up in Service Manager. Perhaps you can find the service there and stop it. You might also consider coantacting Dell directly as they should have the information about that service and perhaps help you stop or resolve this issue.
One way to access service manager is right click on My Computer in the Start menu and choose "Manage". There should be a Services item on the left side.
Friday, July 02, 2010 10:48 AM
Friday, July 02, 2010 2:25 PMOwnerDo you have a Dell machine? Perhaps you problem is slightly different and there is a similar service creating the same kind of traffic. I suppose you could just look for services that aren't MS and stop them. But I would contact your computer manufacture for more support as I'm probably not the best person to help you.
Friday, July 02, 2010 2:31 PM
Monday, October 18, 2010 7:20 PMI just noticed this happening on my computer. I had to manually disable services. The problem was related to the Print Spooler. When I disabled that it stopped sending all the massive ARP requests. I dont know exactly why but the print spooler was causing it.
Thursday, January 13, 2011 8:59 PMhow did you disable it?
Tuesday, June 07, 2011 4:43 PM
More than likely you had old network printers , or a printer, that had been configured at IPs that were no longer valid. Deleting the old printers and/or copies of printers will fix it.
When I discovered a computer on our network doing this I came across this forum, and therefore your post, which gave me the idea to check the guys printer list. Two old copies of the downstairs printer were still there, both with pending prints showing. Checking the ports on each showed the two IP address the machine had been sending out packets for.
I know this is an old post, but.... someone else might come along later with the same problem.
- Marked As Answer by Michael_HawkerMicrosoft Employee, Moderator Wednesday, August 10, 2011 9:01 PM
Tuesday, June 07, 2011 4:55 PM
I know this is old, but to answer your question You can click start/run (xp) and type services.msc, find print spooler in the list, and right click , go to properties and from there you can start/stop/change starup type or enable/disable.
On vista and win 7 you just type it in the box after you click the "start" button. However if you do have a problem wtih the print spooler sending out these requests, see my reply to the post above yours. You probably just need to delete network printers that no longer exist in your environment, or have changed IP addresses and the old (now misconfigured) copies of the printer are still on the computer... especially if these have pending print jobs that never printed due to not being able to find the printer.... Windows is still looking for those printers,, hence the arp requests.
Tuesday, June 21, 2011 9:18 AM
I had similar issue with windows 7 machine.But when i reboot the machine in safe mode with networking i dont see any ARP request coming in.
I guess this is due to some 3rd party service which may be causing this issue.
Its not a dell machine.
Tuesday, June 21, 2011 9:38 PMOwner
Yes, that is more than likely the case.
Wednesday, August 10, 2011 3:38 PM
I had a similar issue with computers sending ARP requests for IP addresses that are no longer being used. I looked at some old logs and the IP addresses were for some old printers that we had on the network.
The only problem was when I went to one of the computers that was sending the ARP requests, the old printers were not shown as installed under Printers.
I started looking at some of the printers that were installed and when I reviewed the PORT settings I saw that there were some TCP/IP PORTs set up for the old printers. The old TCP/IP printer ports were not being used by any printer, but the computer was still sending ARP requests for those IP addresses.
The other ARP requests on my network that are an issue, is related to managed software. The client software is looking for an old server to send it's status to, but the old server isn't running any more. I have to reconfigure the clients.
Tuesday, August 07, 2012 2:39 PM
Accessing some NetGear routers (WNDR4500 and others) with a browser will install an application on your computer called Desktop NetGear Genie. This application will cause non-stop ARP requests from the computer on which Genie is installed - in my case, a Windows 7 Pro workstation. Exiting the application in the system tray caused the ARP requests to cease.
Wednesday, May 01, 2013 2:32 AMThanks, we deleted the old printers from our print server but ARP's were still being broadcast. Didnt even think about deleting the printer ports as they were no longer attached to anything. As soon as we deleted these old TCP/IP Printer Ports from the print server the ARP's imediately downsized. Didn't even have to restart the spooler. Greatly appreciated.