Networking Forums

Networking Forums > Computer Networking > Linux Networking > ARP Scans

ch ganser
      12-24-2003, 10:39 AM
Hi

In our network, some hosts behave quite strangely:
They produce between 1000-30000 ARP "who-has" packets per day. Our
gateway and DNS server have only around 500.

Is there another explanation than an ARP scan (any normal application)?

thanks

chganser

 
Michael Heiming
      12-24-2003, 10:46 AM
ch ganser <(E-Mail Removed)> wrote:
> Hi


> In our network, some hosts behave quite strangely:
> They produce between 1000-30000 ARP "who-has" packets per day. Our
> gateway and DNS server have only around 500.


> Is there another explanation than an ARP scan (any normal application)?


Usually M$ boxes tend to be quite shatty...

--
Michael Heiming

Remove +SIGNS and www. if you expect an answer, sorry for
inconvenience, but I get tons of SPAM
 

Neil Horman
      12-24-2003, 12:12 PM
ch ganser wrote:
> Hi
>
> In our network, some hosts behave quite strangely:
> They produce between 1000-30000 ARP "who-has" packets per day. Our
> gateway and DNS server have only around 500.
>
> Is there another explanation than an ARP scan (any normal application)?
>
> thanks
>
> chganser
>

Sure, Linux by default makes sure that entries in the ARP cache are
good. If you have a large network, with lots of machines on a
particular network segment (read: reachable via ARP), then you will tend
to have a large ARP cache on each Linux box. If those machines don't
produce a lot of traffic, or if your network is segmented with switches in
such a way that the Linux boxes don't see that traffic, then they will
periodically send out ARP requests to verify the entries are still
good. It's quite easy on a network with a high degree of segmentation
(via switches) to have a Linux box produce the number of ARPs you
mention. There's nothing wrong with it. If you feel that it's unneeded
traffic on your network however, it's also fairly easy to tune down. In
/proc/sys/net/ipv4/neigh you will find several directories, one for each
network interface on a system, plus a default (aka "all interfaces")
directory. In these directories are several files allowing for the
tuning of ARP behavior (if you are unfamiliar with the proc filesystem,
these are also settable via the sysctl interface). The values in these
files are documented in section 7 of the arp man page (man 7 arp). Here
you can do all sorts of things like changing the number of entries
allowed in the ARP table, thresholds before the garbage collector runs,
times to wait before verifying addresses, etc.

HTH
Neil

--
Neil Horman
Red Hat, Inc., http://people.redhat.com/nhorman
gpg keyid: 1024D / 0x92A74FA1, http://www.keyserver.net

 

Chris Richmond - MD6-FDC ~
      12-24-2003, 04:28 PM
I'm not sure if this is the same thing as the OP is seeing, but
I'm on cable modem with a Linux router, and I see regular ARP scans
searching the whole subnet sequentially. All this is coming from
just a few hosts (not mine). I've seen explanations that this
is one or more of the many MS virii spewing stuff.

Chris

--
Chris Richmond | I don't speak for Intel & vice versa
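
An added triage script, not from the thread and not written by any of the posters, that puts numbers on both observations above: how many who-has requests each host sends (the per-host volume Christoph counted) and whether a host's targets form one unbroken address range (the sequential sweep Chris describes). It assumes the line shape `tcpdump -n -tt arp` prints, the capture it runs on is constructed, and the threshold of 8 consecutive addresses (MIN_RUN) is this example's own choice.

```shell
#!/bin/sh
# Added example, not from the thread: triage ARP "who-has" volume per
# requesting host and flag requesters that walk a contiguous address range.
# Input: lines in the shape `tcpdump -n -tt arp` prints ("Request who-has X
# tell Y"). Older tcpdump prints "arp who-has X tell Y"; both carry the two
# tokens the awk below keys on, so the parser accepts either.

# make_sample: a constructed capture (not a real trace). 172.16.3.7 sweeps
# 172.16.0.1-10 in order; the gateway 172.16.0.1 resolves three scattered
# hosts; 172.16.0.2 asks for the same host twice; one Reply line is noise.
make_sample() {
    i=1
    while [ "$i" -le 10 ]; do
        printf '1072262341.%06d ARP, Request who-has 172.16.0.%d tell 172.16.3.7, length 28\n' "$i" "$i"
        i=$((i + 1))
    done
    cat <<'EOF'
1072262342.000001 ARP, Request who-has 172.16.1.5 tell 172.16.0.1, length 28
1072262342.000002 ARP, Request who-has 172.16.2.9 tell 172.16.0.1, length 28
1072262342.000003 ARP, Request who-has 172.16.7.40 tell 172.16.0.1, length 28
1072262342.000004 ARP, Request who-has 172.16.1.5 tell 172.16.0.2, length 28
1072262342.000005 ARP, Request who-has 172.16.1.5 tell 172.16.0.2, length 28
1072262342.000006 ARP, Reply 172.16.1.5 is-at 00:11:22:33:44:66, length 28
EOF
}

# count_who_has: read a capture on stdin, print "<requests> <requester>" with
# the busiest requester first. Keyed on the "tell" address; with `tcpdump -e`
# the sender MAC in field 2 is the better key, because the tell field is
# whatever the sender chose to put in the ARP header.
count_who_has() {
    awk '/who-has/ {
        for (i = 1; i <= NF; i++)
            if ($i == "tell") { src = $(i + 1); sub(/,$/, "", src); n[src]++ }
    }
    END { for (s in n) print n[s], s }' | sort -rn
}

# scan_verdict SRC: read a capture on stdin; "scan" when SRC asked for at
# least MIN_RUN distinct addresses that form one unbroken numeric range (the
# sequential sweep described in the thread), otherwise "normal".
scan_verdict() {
    awk -v src="$1" -v min_run="${MIN_RUN:-8}" '
    function ip2int(ip,    o) {
        split(ip, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    /who-has/ {
        dst = ""; tell = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "who-has") dst = $(i + 1)
            if ($i == "tell") { tell = $(i + 1); sub(/,$/, "", tell) }
        }
        if (tell != src || dst == "" || (dst in seen)) next
        seen[dst] = 1
        v = ip2int(dst)
        if (++cnt == 1 || v < lo) lo = v
        if (cnt == 1 || v > hi) hi = v
    }
    END {
        verdict = (cnt >= min_run && hi - lo + 1 == cnt) ? "scan" : "normal"
        print verdict
    }'
}

# report: one line per requester with its request count and verdict.
report() {
    make_sample | count_who_has | while read -r n src; do
        printf '%-15s %3s who-has  %s\n' "$src" "$n" "$(make_sample | scan_verdict "$src")"
    done
}

report
```

On the constructed capture the sweep from 172.16.3.7 comes out as "10 who-has  scan" while the gateway and DNS host come out "normal"; on a real segment, feed it `tcpdump -n -tt -r capture.pcap arp` and raise MIN_RUN if legitimate hosts (DHCP servers probing, monitoring boxes) trip it.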

 

Neil Horman
      12-24-2003, 04:53 PM
Chris Richmond - MD6-FDC ~ wrote:
> I'm not sure if this is the same thing as the OP is seeing, but
> I'm on cable modem with a Linux router, and I see regular ARP scans
> searching the whole subnet sequentially. All this is coming from
> just a few hosts (not mine). I've seen explanations that this
> is one or more of the many MS virii spewing stuff.
>
> Chris
>

I've not seen that myself, but it certainly seems plausible. I suppose
it could also be the ISP, scanning their network ensuring no one is
using an ip address they did not assign. I'd call the ISP and let them
know.
Neil

--
Neil Horman
Red Hat, Inc., http://people.redhat.com/nhorman
gpg keyid: 1024D / 0x92A74FA1, http://www.keyserver.net

 

ch ganser
      12-25-2003, 09:29 AM
Thanks Neil and Michael,

but I thought the computer should only verify the entries it uses and not
try to verify the whole subnet before even using it. Or am I wrong?

We use a private B-network behind a NAT/PAT bridged over several
locations and all ports are switched (the network design is not our
choice). Currently only 2750 IPs out of the B-network are used by DHCPs.
Strange is that some computers try to resolve MACs for IPs that have
never been used.

Do all OSes behave like Neil said? I thought if a MAC is older than
10 min the computer sends a who-has packet if it needs to make a
connection. No active behavior.

Thanks a lot!

Christoph

Neil Horman wrote:
> ch ganser wrote:
>
>> Hi
>>
>> In our network, some hosts behave quite strangely:
>> They produce between 1000-30000 ARP "who-has" packets per day. Our
>> gateway and DNS server have only around 500.
>>
>> Is there another explanation than an ARP scan (any normal application)?
>>
>> thanks
>>
>> chganser
>>

> Sure, Linux by default makes sure that entries in the ARP cache are
> good. If you have a large network, with lots of machines on a
> particular network segment (read: reachable via ARP), then you will tend
> to have a large ARP cache on each Linux box. If those machines don't
> produce a lot of traffic, or if your network is segmented with switches in
> such a way that the Linux boxes don't see that traffic, then they will
> periodically send out ARP requests to verify the entries are still
> good. It's quite easy on a network with a high degree of segmentation
> (via switches) to have a Linux box produce the number of ARPs you
> mention. There's nothing wrong with it. If you feel that it's unneeded
> traffic on your network however, it's also fairly easy to tune down. In
> /proc/sys/net/ipv4/neigh you will find several directories, one for each
> network interface on a system, plus a default (aka "all interfaces")
> directory. In these directories are several files allowing for the
> tuning of ARP behavior (if you are unfamiliar with the proc filesystem,
> these are also settable via the sysctl interface). The values in these
> files are documented in section 7 of the arp man page (man 7 arp). Here
> you can do all sorts of things like changing the number of entries
> allowed in the ARP table, thresholds before the garbage collector runs,
> times to wait before verifying addresses, etc.
>
> HTH
> Neil
>


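Neil points at the knobs under /proc/sys/net/ipv4/neigh and at man 7 arp, and Christoph's follow-up puts about 2750 active addresses on one flat B-network. The added script below, which is not from the thread and not any poster's code, dumps the relevant knobs and checks the one that matters most for a segment that size: gc_thresh3, the maximum number of neighbour entries, whose kernel default per man 7 arp is 1024. The /proc path and the HOSTS count are assumptions (both overridable), and the sizing rule in recommend_gc_thresh is this example's own heuristic, not something the man page prescribes.

```shell
#!/bin/sh
# Added example, not from the thread: read the neighbour-cache knobs that
# `man 7 arp` documents under /proc/sys/net/ipv4/neigh/ and check the table
# size limit against the number of hosts on the broadcast domain.
# Assumptions: the NEIGH path (real on Linux, overridable for testing) and the
# HOSTS count; the sizing rule in recommend_gc_thresh is this example's own
# heuristic.

NEIGH=${NEIGH:-/proc/sys/net/ipv4/neigh}
HOSTS=${HOSTS:-2750}   # active addresses on the segment, as in the thread

# neigh_dump DIR: print the knobs present in DIR. Per-interface directories
# carry the timers (how long an entry counts as reachable, how many unicast
# probes precede a broadcast one); gc_interval and gc_thresh1..3 exist only
# in default/ and bound the whole table.
neigh_dump() {
    for k in base_reachable_time_ms gc_stale_time delay_first_probe_time \
             ucast_solicit mcast_solicit gc_interval gc_thresh1 gc_thresh2 gc_thresh3; do
        if [ -r "$1/$k" ]; then
            printf '%s=%s\n' "$k" "$(cat "$1/$k")"
        fi
    done
    return 0
}

# check_gc_thresh3 DEFAULT_DIR HOSTS: "undersized" when gc_thresh3 is below
# the host count, i.e. the table cannot hold one entry per neighbour and the
# kernel keeps evicting and re-resolving live hosts; "ok" otherwise;
# "unknown" when the knob cannot be read (non-Linux box or no permission).
check_gc_thresh3() {
    if [ ! -r "$1/gc_thresh3" ]; then
        echo unknown
        return 0
    fi
    if [ "$(cat "$1/gc_thresh3")" -lt "$2" ]; then
        echo undersized
    else
        echo ok
    fi
}

# recommend_gc_thresh HOSTS: print "thresh1 thresh2 thresh3", with thresh3
# the smallest power of two that is at least twice HOSTS and never below the
# 1024 kernel default, and thresh2/thresh1 at one half and one quarter of it.
recommend_gc_thresh() {
    t3=1024
    while [ "$t3" -lt $(($1 * 2)) ]; do
        t3=$((t3 * 2))
    done
    echo "$((t3 / 4)) $((t3 / 2)) $t3"
}

# sysctl_lines HOSTS: the fragment to drop into /etc/sysctl.d/ for that
# recommendation (sysctl being the interface Neil names as the alternative
# to writing the /proc files directly).
sysctl_lines() {
    set -- $(recommend_gc_thresh "$1")
    printf 'net.ipv4.neigh.default.gc_thresh1 = %s\n' "$1"
    printf 'net.ipv4.neigh.default.gc_thresh2 = %s\n' "$2"
    printf 'net.ipv4.neigh.default.gc_thresh3 = %s\n' "$3"
}

if [ -d "$NEIGH/default" ]; then
    echo "# $NEIGH/default"
    neigh_dump "$NEIGH/default"
    echo "# table size for $HOSTS neighbours: $(check_gc_thresh3 "$NEIGH/default" "$HOSTS")"
fi
echo "# suggested /etc/sysctl.d/90-neigh.conf for $HOSTS neighbours:"
sysctl_lines "$HOSTS"
```

With the defaults and HOSTS=2750 the verdict is "undersized" and the suggested fragment raises the thresholds to 2048/4096/8192. Once the table is large enough to hold every neighbour, the remaining ARP volume is governed by the per-interface timers the dump shows (base_reachable_time_ms, gc_stale_time, delay_first_probe_time, ucast_solicit), which is where Neil's "tune down" advice applies; raising the thresholds has no effect on a host that genuinely sweeps addresses it never talks to, which is the case the per-host counts in the thread point at.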
 