Networking Forums

ARP packets usage

 
 
Philippe Signoret
10-24-2007, 10:37 PM
I ran Ethereal and captured all packets for 1 minute and 49 seconds.
These are the results I got:

-------------------
Total 503

TCP 353 70.2%
UDP 15 3.0%
ICMP 13 2.6%
ARP 122 24.3%

Running time: 00:01:49
--------------------

Is this a normal ARP packet percentage? It seems a bit high to me.

Thanks,
Philippe Signoret West

 

habibielwa7id
10-25-2007, 08:21 AM
On Oct 25, 12:37 am, Philippe Signoret <philippe.signo...@gmail.com>
wrote:
> I ran Ethereal and captured all packets for 1 minute and 49 seconds.
> These are the results I got:
>
> -------------------
> Total 503
>
> TCP 353 70.2%
> UDP 15 3.0%
> ICMP 13 2.6%
> ARP 122 24.3%
>
> Running time: 00:01:49
> --------------------
>
> Is this a normal ARP packet percentage? It seems a bit high to me.
>
> Thanks,
> Philippe Signoret West


It also seems a bit high to me. Beware of ARP packets, because they may
be used to sniff the traffic between 2 hosts or to cut the connections
between 2 hosts, also known as ARP poisoning or ARP spoofing. Also,
there are some Windows viruses that use this protocol to halt the
Internet connections inside the whole LAN. And I think you are sure
whether your LAN is trusted or not; if it is not trusted, then beware of
what those packets may be used for. Anyway, check whether the values
that the sniffer gives you are valid and correct.

 

Moe Trin
10-25-2007, 07:51 PM
On Wed, 24 Oct 2007, in the Usenet newsgroup comp.os.linux.networking, in
article <(E-Mail Removed) .com>, Philippe
Signoret wrote:

NOTE: Posting from groups.google.com (or some web-forums) dramatically
reduces the chance of your post being seen. Find a real news server.

>I ran Ethereal and captured all packets for 1 minute and 49 seconds.


What network? What is on this network?

>TCP 353 70.2%
>UDP 15 3.0%
>ICMP 13 2.6%
>ARP 122 24.3%


Fairly quiet - but without knowing _what_ you are looking at, it is
difficult to say if this is normal or not. For example, if you
are looking at a DSL connection, you are not likely to see any
mono-cast traffic (traffic to/from a single IP address) that is not
directed at your host. But you will _PROBABLY_ see all _broadcast_
traffic, where the router/switch does not know if "you" are the
destination or not.

>Is this a normal ARP packet percentage? It seems a bit high to me.


Not enough information. The other question is what operating system
are the hosts running? That may also have impact on the traffic.

Old guy

 

goarilla
10-25-2007, 08:16 PM
Moe Trin wrote:
> On Wed, 24 Oct 2007, in the Usenet newsgroup comp.os.linux.networking, in
> article <(E-Mail Removed) .com>, Philippe
> Signoret wrote:
>
> NOTE: Posting from groups.google.com (or some web-forums) dramatically
> reduces the chance of your post being seen. Find a real news server.
>
>> I ran Ethereal and captured all packets for 1 minute and 49 seconds.

>
> What network? What is on this network?
>
>> TCP 353 70.2%
>> UDP 15 3.0%
>> ICMP 13 2.6%
>> ARP 122 24.3%

>
> Fairly quiet - but without knowing _what_ you are looking at, it is
> difficult to say if this is normal or not. For example, if you
> are looking at a DSL connection, you are not likely to see any
> mono-cast traffic (traffic to/from a single IP address) that is not
> directed at your host. But you will _PROBABLY_ see all _broadcast_
> traffic, where the router/switch does not know if "you" are the
> destination or not.
>
>> Is this a normal ARP packet percentage? It seems a bit high to me.

>
> Not enough information. The other question is what operating system
> are the hosts running? That may also have impact on the traffic.
>
> Old guy
>

Little question: don't routers split up broadcast domains?
And thus broadcasts from the WAN side shouldn't be forwarded to the LAN,
or does that in general only occur in the reverse (e.g. from LAN -> WAN)?
 

Philippe Signoret
10-25-2007, 08:17 PM
> NOTE: Posting from groups.google.com (or some web-forums) dramatically
> reduces the chance of your post being seen. Find a real news server.

Which one can I use for free?

> >I ran Ethereal and captured all packets for 1 minute and 49 seconds.

> What network? What is on this network?

My home wireless network.

> >Is this a normal ARP packet percentage? It seems a bit high to me.

> Not enough information. The other question is what operating system
> are the hosts running? That may also have impact on the traffic.

Most hosts (5 of them) are running Windows XP, one Ubuntu Linux. Linux
and two Windows XP are wired, others are wireless.


 

Moe Trin
10-26-2007, 03:48 AM
On Thu, 25 Oct 2007, in the Usenet newsgroup comp.os.linux.networking, in
article <4720f999$0$22312$(E-Mail Removed)>, goarilla wrote:

>Moe Trin wrote:


>> Fairly quiet - but without knowing _what_ you are looking at, it is
>> difficult to say if this is normal or not. For example, if you
>> are looking at a DSL connection, you are not likely to see any
>> mono-cast traffic (traffic to/from a single IP address) that is not
>> directed at your host. But you will _PROBABLY_ see all _broadcast_
>> traffic, where the router/switch does not know if "you" are the
>> destination or not.


>Little question: don't routers split up broadcast domains?


Classic routers - your big boxes from Cisco, Foundry, and others,
that follow RFC1812 do not forward broadcasts - because the network
address ranges are different on the various interfaces. See sections
5.3.4. and 5.3.5 et.seq. for details.

1812 Requirements for IP Version 4 Routers. F. Baker, Ed.. June 1995.
(Format: TXT=415740 bytes) (Obsoletes RFC1716, RFC1009) (Updated
by RFC2644) (Status: PROPOSED STANDARD)

The "routers" normally found in the home behave differently, because
they are not routers in the classic sense. In many cases, they are
doing port/IP translating, such that you have a non-routable (RFC1918)
address on your side, and can have multiple systems that appear on
the Internet as one. In other cases, they are behaving more like
Ethernet switches, separating traffic (collision domains) between the
ISP side and your system[s]. On Monday, you asked this question in
the thread "Do MAC addresses go to internet?", and in my response
(Message-Id: <(E-Mail Removed)>) I suggested
trying to use a packet sniffer to see what's on your wires. Did this
not work?

>And thus broadcasts from the WAN side shouldn't be forwarded to the LAN,
>or does that in general only occur in the reverse (e.g. from LAN -> WAN)?


The only time a "router" should forward broadcasts (other than DHCP
requests when the router is configured as a DHCP Relay Agent - see
RFC1542 et.seq.) is when it is not acting as a classic router per
RFC1812. ARP packets are not forwarded by such routers, because the
Ethernet concept doesn't need the "end" MAC address, but it DOES need
the MAC address of the "next hop". As far as ARP is concerned, the only
time an ARP request is forwarded is in Proxy-ARP where the "router" is
attempting to make it appear that a system on a separate interface but
using the same IP range is on the local network wire. See the
"Proxy-ARP-Subnet" mini-howto

-rw-rw-r-- 1 gferg ldp 19372 Aug 28 2000 Proxy-ARP-Subnet

for additional details.

Old guy
 

Moe Trin
10-26-2007, 03:52 AM
On Thu, 25 Oct 2007, in the Usenet newsgroup comp.os.linux.networking, in
article <(E-Mail Removed) .com>,
Philippe Signoret wrote:

>> NOTE: Posting from groups.google.com (or some web-forums) dramatically
>> reduces the chance of your post being seen. Find a real news server.


>Which one can I use for free?


Some people have been using 'teranews.com' but this seems to be poorly
administered, and is subject to substantial delays (and may be in a lot
of killfiles as well - look at http://www.teranews.com). Another used is
'aioe.org' with apparently better results (sorry - don't have a URL), and
still another is motzarella.org (again - no URL). I offer no opinions
either way. There is an alternative Usenet newsgroup "alt.free.newsservers"
and another "alt.usenet.news-server-comparison" you may want to look at,
but be well aware that they are infested with trolls.

>> What network? What is on this network?


>My home wireless network.


If this is _only_ your own network, then yes - this is too high. What I
would do would be to run a packet sniffer and see who is ARPing for whom.
I've never bothered using Ethereal (now called Wireshark), as it puts
too MUCH information in the "User Friendly" display, which is quite useless
for me. If you have 'tcpdump' installed, a suitable command would be

/usr/sbin/tcpdump -n -i eth0 -x arp

(though you'll probably have to run that as root). The output will look
something like

20:36:01.250000 arp who-has 192.168.1.102 tell 192.168.1.17
0001 0800 0604 0001 0020 af57 d129 c0a8
0111 0000 0000 0000 c0a8 0166

The last four double-octets in the middle line (0020 af57 d129 c0a8)
are the MAC address of the source (00:20:AF:57:D1:29) and the first
two octets of the IP address (c0a8 = 192.168). On the last line are
the other two octets of the source IP address (0111 = 1.17, which makes
the source address 192.168.1.17), the next three pairs are zeros,
because this is the desired information (the MAC address of 192.168.1.102),
and the last two pairs (c0a8 0166) are the IP address we are searching
for ("who is 192.168.1.102").

20:36:01.260000 arp reply 192.168.1.102 is-at 08:0:20:c2:e3:14
0001 0800 0604 0002 0800 20c2 e314 c0a8
0166 0020 af57 d129 c0a8 0111

There is the reply. Note that in the second and third lines, the source
and destination MAC and IP addresses are swapped, because the reply is
coming from 192.168.1.102 at 08:0:20:c2:e3:14, and is being sent to
192.168.1.17 at 00:20:af:57:d1:29.

>>> Is this a normal ARP packet percentage? It seems a bit high to me.


>> Not enough information. The other question is what operating system
>> are the hosts running? That may also have impact on the traffic.


>Most hosts (5 of them) are running Windows XP, one Ubuntu Linux. Linux
>and two Windows XP are wired, others are wireless.


I don't use windoze, but windoze is EXTREMELY talkative, and wants to
talk to every address it's ever heard of. What you may be seeing is
windoze looking for hosts listed in shares.

Old guy
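The two dumps above are decoded by hand; as an added example (mine, not code from any poster in this thread), here is a Python decoder for exactly the hex that "tcpdump -x" prints (link-layer header already stripped; with -xx you would have to drop the first 14 bytes). It is fed the request and reply quoted above plus one constructed reply in which a second MAC answers for 192.168.1.102, so that the check habibielwa7id alluded to earlier in the thread (two MACs claiming the same IP, the classic sign of ARP poisoning) actually fires. The third packet, the MAC de:ad:be:ef:00:01 and all function names are assumptions made for the example.

```python
import struct
from collections import defaultdict

ARP_REQUEST, ARP_REPLY = 1, 2

# Hex as printed by "tcpdump -x" (link-layer header already stripped).
# The first two packets are the request/reply quoted in the post above;
# the third is constructed for this example: a second, unrelated MAC
# answering for 192.168.1.102, which is what an ARP-poisoning attempt looks like.
SAMPLE_DUMPS = [
    "0001 0800 0604 0001 0020 af57 d129 c0a8 0111 0000 0000 0000 c0a8 0166",
    "0001 0800 0604 0002 0800 20c2 e314 c0a8 0166 0020 af57 d129 c0a8 0111",
    "0001 0800 0604 0002 dead beef 0001 c0a8 0166 0020 af57 d129 c0a8 0111",
]

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def hexdump_to_bytes(dump: str) -> bytes:
    return bytes.fromhex(dump.replace(" ", "").replace("\n", ""))

def parse_arp(raw: bytes) -> dict:
    """Decode an RFC 826 ARP packet as used on Ethernet/IPv4 (28 bytes).

    Layout: htype(2) ptype(2) hlen(1) plen(1) oper(2)
            sender MAC(6) sender IP(4) target MAC(6) target IP(4)
    """
    if len(raw) < 28:
        raise ValueError("ARP packet too short")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", raw[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", raw[8:28])
    return {"oper": oper,
            "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}

def describe(pkt: dict) -> str:
    """Render a packet the way tcpdump's one-line summary does."""
    if pkt["oper"] == ARP_REQUEST:
        return f"arp who-has {pkt['tpa']} tell {pkt['spa']}"
    if pkt["oper"] == ARP_REPLY:
        return f"arp reply {pkt['spa']} is-at {pkt['sha']}"
    return f"arp op={pkt['oper']} from {pkt['spa']}"

def find_conflicts(pkts: list) -> dict:
    """IPs for which more than one MAC has sent an 'is-at' reply.

    On a healthy LAN each IP is claimed by exactly one MAC (DHCP lease
    changes aside); two claimants is the classic sign of ARP spoofing.
    """
    claims = defaultdict(set)
    for p in pkts:
        if p["oper"] == ARP_REPLY:
            claims[p["spa"]].add(p["sha"])
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}

if __name__ == "__main__":
    packets = [parse_arp(hexdump_to_bytes(d)) for d in SAMPLE_DUMPS]
    for p in packets:
        print(describe(p))
    for ip, macs in find_conflicts(packets).items():
        print(f"WARNING: {ip} claimed by {len(macs)} MACs: {', '.join(macs)}")
```

Paste the hex lines from your own capture into SAMPLE_DUMPS to run it against real traffic. One caveat on the conflict check: a host whose NIC was swapped, or a DHCP address that moved to another machine, produces the same two-MACs-for-one-IP pattern, so treat a hit as something to go and look at on the wire, not as proof of an attacker.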
 

goarilla
10-26-2007, 10:50 AM
Moe Trin wrote:
> On Thu, 25 Oct 2007, in the Usenet newsgroup comp.os.linux.networking, in
> article <4720f999$0$22312$(E-Mail Removed)>, goarilla wrote:
>
>> Moe Trin wrote:

>
>>> Fairly quiet - but without knowing _what_ you are looking at, it is
>>> difficult to say if this is normal or not. For example, if you
>>> are looking at a DSL connection, you are not likely to see any
>>> mono-cast traffic (traffic to/from a single IP address) that is not
>>> directed at your host. But you will _PROBABLY_ see all _broadcast_
>>> traffic, where the router/switch does not know if "you" are the
>>> destination or not.

>
>> Little question: don't routers split up broadcast domains?

>
> Classic routers - your big boxes from Cisco, Foundry, and others,
> that follow RFC1812 do not forward broadcasts - because the network
> address ranges are different on the various interfaces. See sections
> 5.3.4. and 5.3.5 et.seq. for details.
>
> 1812 Requirements for IP Version 4 Routers. F. Baker, Ed.. June 1995.
> (Format: TXT=415740 bytes) (Obsoletes RFC1716, RFC1009) (Updated
> by RFC2644) (Status: PROPOSED STANDARD)
>
> The "routers" normally found in the home behave differently, because
> they are not routers in the classic sense. In many cases, they are
> doing port/IP translating, such that you have a non-routable (RFC1918)
> address on your side, and can have multiple systems that appear on
> the Internet as one. In other cases, they are behaving more like
> Ethernet switches, separating traffic (collision domains) between the
> ISP side and your system[s]. On Monday, you asked this question in
> the thread "Do MAC addresses go to internet?", and in my response
> (Message-Id: <(E-Mail Removed)>) I suggested
> trying to use a packet sniffer to see what's on your wires. Did this
> not work?
>


I did not find any MAC addresses belonging to machines other than the ones
that should be on the LAN, so I guess I'm safe. But seriously, I shouldn't
have to take into account that some routers DON'T act like routers. Routers
should be routers and conform to every letter in the RFCs.

>> And thus broadcasts from the WAN side shouldn't be forwarded to the LAN,
>> or does that in general only occur in the reverse (e.g. from LAN -> WAN)?

>


This was a dumb question; I know NO broadcasts should be forwarded
and that direction is irrelevant, but I was fishing for the poster's
idea of router functionality.

> The only time a "router" should forward broadcasts (other than DHCP
> requests when the router is configured as a DHCP Relay Agent - see
> RFC1542 et.seq.) is when it is not acting as a classic router per
> RFC1812. ARP packets are not forwarded by such routers, because the
> Ethernet concept doesn't need the "end" MAC address, but it DOES need
> the MAC address of the "next hop". As far as ARP is concerned, the only
> time an ARP request is forwarded is in Proxy-ARP where the "router" is
> attempting to make it appear that a system on a separate interface but
> using the same IP range is on the local network wire. See the
> "Proxy-ARP-Subnet" mini-howto
>
> -rw-rw-r-- 1 gferg ldp 19372 Aug 28 2000 Proxy-ARP-Subnet
>
> for additional details.
>
> Old guy


I've seen this behaviour (e.g. MAC next hop) in packets, but I've never had
somebody explain the reason for this so briefly and beautifully. Thanks.
 

Moe Trin
10-26-2007, 07:47 PM
On Fri, 26 Oct 2007, in the Usenet newsgroup comp.os.linux.networking, in
article <4721c67f$0$29248$(E-Mail Removed)>, goarilla wrote:

>Moe Trin wrote:


>> The "routers" normally found in the home behave differently, because
>> they are not routers in the classic sense. In many cases, they are
>> doing port/IP translating, such that you have a non-routable (RFC1918)
>> address on your side, and can have multiple systems that appear on
>> the Internet as one. In other cases, they are behaving more like
>> Ethernet switches, separating traffic (collision domains) between the
>> ISP side and your system[s]. On Monday, you asked this question in
>> the thread "Do MAC addresses go to internet?", and in my response
>> (Message-Id: <(E-Mail Removed)>) I suggested
>> trying to use a packet sniffer to see what's on your wires. Did this
>> not work?

>
>I did not find any MAC addresses belonging to machines other than the
>ones that should be on the LAN, so I guess I'm safe.


From that particular problem - yes. I have three connections in my
house, and all have "routers" with the manufacturers labels covered by
a label from the telephone company - they sorta look like Speedstream
Bridge/Modems from 'Efficient Networks', but I can't be sure. I most
definitely see MAC addresses from other hardware.

>but seriously i shouldn't have to take into account that some routers
>DON'T act like routers. Routers should be routers and conform to every
>letter in the rfc's


Tell that to the marketing departments - both of the manufacturers such
as Alcatel, Efficient Networks, Westell (and others), and to the ISP.
Remember, we don't want to confuse the customers with big words such as
'bridge' and 'switch' which have meanings normally associated with them
from completely different venues.

>> ARP packets are not forwarded by such routers, because the Ethernet
>> concept doesn't need the "end" MAC address, but it DOES need the MAC
>> address of the "next hop". As far as ARP is concerned, the only
>> time an ARP request is forwarded is in Proxy-ARP where the "router"
>> is attempting to make it appear that a system on a separate interface
>> but using the same IP range is on the local network wire.


>I've seen this behaviour (e.g. MAC next hop) in packets, but I've never had
>somebody explain the reason for this so briefly and beautifully. Thanks.


People tend to forget that Ethernet links can carry a large number of
protocols besides IP, or even that there are different types of Ethernet
frames to begin with. _ALL_ packets on Ethernet links are using MAC
addresses for source and destination. Look at the two octet 'Type'
field (counting from zero, octets 12 and 13 in RFC0894 frames, 20 and
21 in RFC1042 frames). While this allows for 65536 types, only roughly
180 are defined (http://www.iana.org/assignments/ethernet-numbers).
This basically rules out moving packets over Ethernet by any other
means. The protocol at this level is only concerned with moving
packets between "directly" connected (I quote the word because the
media between the hosts is not important - this could be wire, fiber,
wireless of some form, or wet string) hosts. Hosts not "directly"
connected are handled by higher levels in the networking stack, no
matter if the packet contains an IP datagram, some form of Appletalk,
Novell IPX, or some ancient thing like Banyan Vines, or Xerox XNS
(all of which are routable, given appropriately configured routers).

Old guy
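To make those octet offsets concrete, an added example (mine, not code from the thread): a Python function that reads the destination and source MAC and the 'Type' field of a raw Ethernet frame, handling both RFC 894 framing (type at octets 12 and 13) and RFC 1042 SNAP framing (802.3 length at 12-13, then the LLC/SNAP header, type at octets 20 and 21), and flags the all-ones broadcast destination that an ARP request carries. The two frames are constructed for the example by wrapping the ARP request from the tcpdump dump earlier in the thread in each encapsulation; the function and constant names are assumptions.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
BROADCAST = b"\xff" * 6

# ARP request payload from the tcpdump -x output earlier in the thread (28 bytes).
ARP_REQUEST = bytes.fromhex(
    "0001 0800 0604 0001 0020 af57 d129 c0a8 0111 0000 0000 0000 c0a8 0166".replace(" ", "")
)
SRC_MAC = bytes.fromhex("0020af57d129")

# Constructed frames carrying that payload in the two encapsulations.
FRAME_RFC894 = BROADCAST + SRC_MAC + struct.pack("!H", ETHERTYPE_ARP) + ARP_REQUEST
FRAME_RFC1042 = (
    BROADCAST + SRC_MAC
    + struct.pack("!H", 8 + len(ARP_REQUEST))  # 802.3 length: LLC/SNAP header + payload
    + b"\xaa\xaa\x03" + b"\x00\x00\x00"          # LLC DSAP/SSAP/control, SNAP OUI
    + struct.pack("!H", ETHERTYPE_ARP)           # EtherType at octets 20-21
    + ARP_REQUEST
)

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def classify_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into addresses, EtherType and payload.

    Octets 12-13 hold either an EtherType (>= 0x0600, RFC 894) or an
    802.3 length (<= 1500); in the latter case the EtherType lives at
    octets 20-21 behind the LLC/SNAP header (RFC 1042).
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, type_or_len = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": mac_str(dst), "src": mac_str(src), "broadcast": dst == BROADCAST}
    if type_or_len >= 0x0600:
        info.update(encap="RFC894", ethertype=type_or_len, payload=frame[14:])
        return info
    if len(frame) < 22 or frame[14:20] != b"\xaa\xaa\x03\x00\x00\x00":
        raise ValueError("802.3 frame without an RFC 1042 SNAP header")
    (ethertype,) = struct.unpack("!H", frame[20:22])
    # The 802.3 length counts everything after octet 13, LLC/SNAP included.
    info.update(encap="RFC1042", ethertype=ethertype,
                payload=frame[22:14 + type_or_len])
    return info

if __name__ == "__main__":
    for frame in (FRAME_RFC894, FRAME_RFC1042):
        f = classify_frame(frame)
        print(f"{f['encap']}: {f['src']} -> {f['dst']} type 0x{f['ethertype']:04x} "
              f"broadcast={f['broadcast']} payload={len(f['payload'])} bytes")
```

The "broadcast" flag is the reason an ARP request shows up in everyone's capture while the TCP and UDP that follow it do not: the switch floods a frame addressed to ff:ff:ff:ff:ff:ff to every port, but forwards a unicast frame only to the port where it learned the destination MAC.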
 

Rick Jones
10-29-2007, 11:53 PM
Philippe Signoret <(E-Mail Removed)> wrote:
> I ran Ethereal and captured all packets for 1 minute and 49 seconds.
> These are the results I got:


> -------------------
> Total 503


> TCP 353 70.2%
> UDP 15 3.0%
> ICMP 13 2.6%
> ARP 122 24.3%


> Running time: 00:01:49
> --------------------


> Is this a normal ARP packet percentage? It seems a bit high to me.


I don't know about the percentages, but will point-out that ARP
requests, since they are sent as broadcast frames, will be seen by all
stations in the broadcast domain. TCP, UDP and most ICMP will be
point-to-point, so unless you are sniffing on the equivalent of a hub
rather than a switch you may not be getting the full story about what
is on your network overall.

rick jones
--
The glass is neither half-empty nor half-full. The glass has a leak.
The real question is "Can it be patched?"
these opinions are mine, all mine; HP might not want them anyway...
feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...
 