constant arp requests and answers

HI
While running tcpdump on my local 6 machine home network I am
seeing arp requests in larger numbers then I would expect. With a
decent sized arp cache I would assume arp requests from a machine only
appear every 15 min or so. But I am seeing the same requests every 2
min or less.
Is this unusual?

The machines tet and dun are winxp others are Centos.
pub is the firewall, pri is the master.

20:21:49.633577 arp who-has pub tell pri
20:22:46.117543 arp who-has pub tell pri
20:23:49.169974 arp who-has pub tell pri
20:26:01.051241 arp who-has pub tell pri
20:26:51.452774 arp who-has pub tell pri
20:27:41.633290 arp who-has pub tell pri
20:28:31.787810 arp who-has pub tell pri
20:32:44.990565 arp who-has pub tell pri
20:38:26.857523 arp who-has pub tell pri
20:39:47.193187 arp who-has pub tell pri
20:40:57.189045 arp who-has pub tell pri
20:43:01.577778 arp who-has pub tell pri
20:44:47.243214 arp who-has pub tell pri
20:48:45.056924 arp who-has pub tell pri

complete listing

20:21:49.633577 arp who-has pub tell pri
20:21:51.617225 arp who-has tet tell pub
20:21:58.329433 arp who-has pri tell pub
20:22:28.379295 arp who-has nor tell pri
20:22:45.983822 arp who-has tet tell pub
20:22:46.117543 arp who-has pub tell pri
20:23:02.184936 arp who-has pri tell pub
20:23:08.638124 arp who-has tet tell pri
20:23:41.744261 arp who-has tet tell pub
20:23:49.169974 arp who-has pub tell pri
20:24:28.512762 arp who-has tet tell pub
20:24:36.124272 arp who-has pri tell nor
20:25:08.636551 arp who-has tet tell pri
20:25:19.344771 arp who-has tet tell pub
20:26:01.019887 arp who-has tet tell pub
20:26:01.051241 arp who-has pub tell pri
20:26:38.175255 arp who-has pub tell dun
20:26:42.843947 arp who-has tet tell pub
20:26:43.415882 arp who-has dun tell pub
20:26:43.435886 arp who-has pri tell pub
20:26:51.452774 arp who-has pub tell pri
20:27:25.063983 arp who-has dun tell pub
20:27:27.620677 arp who-has tet tell pub
20:27:38.258292 arp who-has pub tell nor
20:27:41.633290 arp who-has pub tell pri
20:27:43.332824 arp who-has nor tell pub
20:28:11.258494 arp who-has pub tell nor
20:28:12.396408 arp who-has tet tell pub
20:28:31.787810 arp who-has pub tell pri
20:28:48.518152 arp who-has dun tell pub
20:28:55.706298 arp who-has pri tell pub
20:28:57.173123 arp who-has tet tell pub
20:29:08.635401 arp who-has tet tell pri
20:29:41.948850 arp who-has tet tell pub
20:30:26.725574 arp who-has tet tell pub
20:30:56.738038 arp who-has pri tell pub
20:31:00.089687 arp who-has tet tell pub
20:31:08.630815 arp who-has tet tell pri
20:31:33.889662 arp who-has tet tell pub
20:32:04.751021 arp who-has tet tell pub
20:32:12.785415 arp who-has dun tell tet
20:32:12.785507 arp who-has tet tell dun
20:32:12.798895 arp who-has nor tell tet
20:32:32.799711 arp who-has nor tell pri
20:32:39.934063 arp who-has pub tell dun
20:32:41.052737 arp who-has tet tell pub
20:32:44.989270 arp who-has dun tell pub
20:32:44.990565 arp who-has pub tell pri
20:33:08.628224 arp who-has tet tell pri
20:33:20.341111 arp who-has tet tell pub
20:33:48.216816 arp who-has tet tell pub
20:33:50.165589 arp who-has pri tell pub
20:34:22.557785 arp who-has tet tell pub
20:34:55.380902 arp who-has tet tell pub
20:35:08.625655 arp who-has tet tell pri
20:35:33.487376 arp who-has dun tell pri
20:35:33.498595 arp who-has nor tell dun
20:35:33.522020 arp who-has tet tell dun
20:35:39.032642 arp who-has dun tell nor
20:35:39.338719 arp who-has tet tell pub
20:35:58.518450 arp who-has pri tell pub
20:36:07.338426 arp who-has tet tell pub
20:36:46.194466 arp who-has pub tell dun
20:36:47.339708 arp who-has tet tell pub
20:36:51.194252 arp who-has dun tell pub
20:37:29.684718 arp who-has tet tell pub
20:37:38.498135 arp who-has nor tell pri
20:37:57.418438 arp who-has tet tell pub
20:38:03.674383 arp who-has pri tell tet
20:38:08.674248 arp who-has tet tell pri
20:38:26.598000 arp who-has tet tell pub
20:38:26.857523 arp who-has pub tell pri
20:38:53.069873 arp who-has tet tell pub
20:39:24.060236 arp who-has tet tell pub
21:39:47.193187 arp who-has pub tell pri
20:39:52.248897 arp who-has pri tell pub
20:40:00.919872 arp who-has tet tell pub
20:40:53.614651 arp who-has tet tell pub
20:40:57.189045 arp who-has pub tell pri
20:41:02.460614 arp who-has pri tell pub
20:41:08.619847 arp who-has tet tell pri
20:41:38.389377 arp who-has tet tell pub
20:41:41.125138 arp who-has nor tell pri
20:41:46.125717 arp who-has pri tell nor
20:42:23.165107 arp who-has tet tell pub
20:42:45.465647 arp who-has nor tell pri
20:42:55.186748 arp who-has pub tell dun
20:43:01.457605 arp who-has dun tell pub
20:43:01.577778 arp who-has pub tell pri
20:43:07.030952 arp who-has pri tell pub
20:43:07.939848 arp who-has tet tell pub
20:43:18.791988 arp who-has tet tell pri
20:44:24.429838 arp who-has dun tell pub
20:44:30.334155 arp who-has pri tell pub
20:44:37.496310 arp who-has tet tell pub
20:44:42.259685 arp who-has pub tell nor
20:44:47.243214 arp who-has pub tell pri
20:44:47.333150 arp who-has nor tell pub
20:45:14.257483 arp who-has pub tell nor
20:45:14.319973 arp who-has pri tell pub
20:45:32.199879 arp who-has tet tell pub
20:46:02.721518 arp who-has pub tell pri
20:46:23.835809 arp who-has tet tell pub
20:46:49.849742 arp who-has pri tell pub
20:47:03.616495 arp who-has pri tell tet
20:47:08.616146 arp who-has tet tell pri
20:47:14.212878 arp who-has tet tell pub
20:47:45.436753 arp who-has nor tell pri
20:47:50.289630 arp who-has pri tell pub
20:48:02.179235 arp who-has tet tell pub
20:48:45.056924 arp who-has pub tell pri
20:48:47.364918 arp who-has tet tell pub
20:48:50.270577 arp who-has pri tell pub
20:49:39.621771 arp who-has tet tell pub
20:50:03.662975 arp who-has pri tell tet
20:50:08.662794 arp who-has tet tell pri


Thanks
Jim

(E-Mail Removed) wrote:

> HI
> While running tcpdump on my local 6 machine home network I am
> seeing arp requests in larger numbers then I would expect. With a
> decent sized arp cache I would assume arp requests from a machine only
> appear every 15 min or so. But I am seeing the same requests every 2
> min or less.
> Is this unusual?
>
> The machines tet and dun are winxp others are Centos.
> pub is the firewall, pri is the master.
>
> 20:21:49.633577 arp who-has pub tell pri
> 20:22:46.117543 arp who-has pub tell pri
> 20:23:49.169974 arp who-has pub tell pri
> 20:26:01.051241 arp who-has pub tell pri
> 20:26:51.452774 arp who-has pub tell pri
> 20:27:41.633290 arp who-has pub tell pri
> 20:28:31.787810 arp who-has pub tell pri
> 20:32:44.990565 arp who-has pub tell pri
> 20:38:26.857523 arp who-has pub tell pri
> 20:39:47.193187 arp who-has pub tell pri
> 20:40:57.189045 arp who-has pub tell pri
> 20:43:01.577778 arp who-has pub tell pri
> 20:44:47.243214 arp who-has pub tell pri
> 20:48:45.056924 arp who-has pub tell pri

It depends. If the requester never gets an answer (as it seems in your
case), it may keep asking.

On Jan 14, 1:13*am, pk <p...@pk.invalid> wrote:
> nc...@hoodcanal.com wrote:
> > HI
> > * While running tcpdump on my local 6 machine home network I am
> > seeing *arp requests in larger numbers then I would expect. *With a
> > decent sized arp cache I would assume arp requests from a machine only
> > appear every 15 min or so. *But I am seeing the same requests every 2
> > min or less.
> > * Is this unusual?
>
> > *The machines tet and dun are winxp others are Centos.
> > pub is the firewall, pri is the master.
>
> > 20:21:49.633577 arp who-has pub tell pri
> > 20:22:46.117543 arp who-has pub tell pri
> > 20:23:49.169974 arp who-has pub tell pri
> > 20:26:01.051241 arp who-has pub tell pri
> > 20:26:51.452774 arp who-has pub tell pri
> > 20:27:41.633290 arp who-has pub tell pri
> > 20:28:31.787810 arp who-has pub tell pri
> > 20:32:44.990565 arp who-has pub tell pri
> > 20:38:26.857523 arp who-has pub tell pri
> > 20:39:47.193187 arp who-has pub tell pri
> > 20:40:57.189045 arp who-has pub tell pri
> > 20:43:01.577778 arp who-has pub tell pri
> > 20:44:47.243214 arp who-has pub tell pri
> > 20:48:45.056924 arp who-has pub tell pri
>
> It depends. If the requester never gets an answer (as it seems in your
> case), it may keep asking.

Sorry PK

I had edited the output to show only the request hoping that would
make the time easier to see.
Here's a normal output from
tcpdump -i eth0 | grep " arp "

07:59:08.124858 arp who-has pri tell pub
07:59:08.124894 arp reply pri is-at 00:0c:6e:ec:68:e2 (oui Unknown)
07:59:08.356098 arp who-has tet tell pri
07:59:08.356298 arp reply tet is-at 00:1f:d0:5d:23:62 (oui Unknown)
07:59:27.823456 arp who-has pub tell pri
07:59:27.823656 arp reply pub is-at 00:18:f8:0c:9e:a6 (oui Unknown)
07:59:50.345871 arp who-has tet tell pub
07:59:50.345972 arp reply tet is-at 00:1f:d0:5d:23:62 (oui Unknown)
08:00:36.375433 arp who-has tet tell pub
08:00:36.375539 arp reply tet is-at 00:1f:d0:5d:23:62 (oui Unknown)
08:00:40.656527 arp who-has nor tell pri
08:00:40.656734 arp reply nor is-at 00:13:72:77:48:54 (oui Unknown)
08:01:02.862308 arp who-has pri tell pub
08:01:02.862328 arp reply pri is-at 00:0c:6e:ec:68:e2 (oui Unknown)
08:01:08.354454 arp who-has tet tell pri
08:01:08.354658 arp reply tet is-at 00:1f:d0:5d:23:62 (oui Unknown)
08:01:22.645957 arp who-has tet tell pub
08:01:22.646050 arp reply tet is-at 00:1f:d0:5d:23:62 (oui Unknown)
08:01:22.706455 arp who-has pub tell pri
08:01:22.706636 arp reply pub is-at 00:18:f8:0c:9e:a6 (oui Unknown)
08:01:54.800161 arp who-has pri tell pub
08:01:54.800181 arp reply pri is-at 00:0c:6e:ec:68:e2 (oui Unknown)
08:01:59.836041 arp who-has pub tell pri
08:01:59.836231 arp reply pub is-at 00:18:f8:0c:9e:a6 (oui Unknown)

Jim

(E-Mail Removed) <(E-Mail Removed)> wrote:
> While running tcpdump on my local 6 machine home network I am
> seeing arp requests in larger numbers then I would expect. With a
> decent sized arp cache I would assume arp requests from a machine
> only appear every 15 min or so. But I am seeing the same requests
> every 2 min or less.
> Is this unusual?

Depends on the various stacks' settings for ARP cache aging.

rick jones
--
Process shall set you free from the need for rational thought.
these opinions are mine, all mine; HP might not want them anyway...
feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...

On January 14, 2011 13:22, in comp.os.linux.networking, (E-Mail Removed)
wrote:

> (E-Mail Removed) <(E-Mail Removed)> wrote:
>> While running tcpdump on my local 6 machine home network I am
>> seeing arp requests in larger numbers then I would expect. With a
>> decent sized arp cache I would assume arp requests from a machine
>> only appear every 15 min or so. But I am seeing the same requests
>> every 2 min or less.
>> Is this unusual?
>
> Depends on the various stacks' settings for ARP cache aging.

Which, for Linux 2.6 kernels, can be set by altering the contents of
various /proc/sys/net/ipv4/neigh/*/* files


--
Lew Pitcher
Master Codewright & JOAT-in-training | Registered Linux User #112576
Me: http://pitcher.digitalfreehold.ca/ | Just Linux: http://justlinux.ca/
---------- Slackware - Because I know what I'm doing. ------

On Jan 14, 11:13*am, Lew Pitcher <lpitc...@teksavvy.com> wrote:
> On January 14, 2011 13:22, in comp.os.linux.networking, rick.jon...@hp.com
> wrote:
>
> > nc...@hoodcanal.com <hoodcanal...@usa.com> wrote:
> >> * While running tcpdump on my local 6 machine home network I am
> >> seeing arp requests in larger numbers then I would expect. *With a
> >> decent sized arp cache I would assume arp requests from a machine
> >> only appear every 15 min or so. *But I am seeing the same requests
> >> every 2 min or less.
> >> * Is this unusual?
>
> > Depends on the various stacks' settings for ARP cache aging.
>
> Which, for Linux 2.6 kernels, can be set by altering the contents of
> various /proc/sys/net/ipv4/neigh/*/* files
>
> --
> Lew Pitcher
> Master Codewright & JOAT-in-training * | Registered Linux User #112576
> Me:http://pitcher.digitalfreehold.ca/| Just Linux:http://justlinux.ca/
> ---------- * * *Slackware - Because I know what I'm doing. * * * * ------

Rick & Lew

Thanks for the answers. I am still a bit fuzzy on what is normal but
I'll look into the proc/... files

Jim

On Fri, 14 Jan 2011, in the Usenet newsgroup comp.os.linux.networking, in
article <5564c69d-6f36-4e20-b75a-(E-Mail Removed)>,
(E-Mail Removed) wrote:

NOTE: Posting from groups.google.com (or some web-forums) dramatically
reduces the chance of your post being seen. Find a real news server.

>Lew Pitcher <lpitc...@teksavvy.com> wrote:

>> rick.jon...@hp.com wrote:

>>> nc...@hoodcanal.com <hoodcanal...@usa.com> wrote:

>>>> With a decent sized arp cache I would assume arp requests from a
>>>> machine only appear every 15 min or so. But I am seeing the same
>>>> requests every 2 min or less.

What is in the arp cache? '/sbin/arp -a'

>>>> Is this unusual?

>>> Depends on the various stacks' settings for ARP cache aging.

and how often some application wants to see "who's out there"?

>> Which, for Linux 2.6 kernels, can be set by altering the contents
>> of various /proc/sys/net/ipv4/neigh/*/* files

>I am still a bit fuzzy on what is normal but I'll look into the
>proc/... files

0826 Ethernet Address Resolution Protocol: Or Converting Network
Protocol Addresses to 48.bit Ethernet Address for Transmission
on Ethernet Hardware. D. Plummer. November 1982. (Format:
TXT=21556 bytes) (Updated by RFC5227, RFC5494) (Also STD0037)
(Status: STANDARD)

1122 Requirements for Internet Hosts - Communication Layers. R.
Braden, Ed.. October 1989. (Format: TXT=295992 bytes) (Updates
RFC0793) (Updated by RFC1349, RFC4379, RFC5884) (Also STD0003)
(Status: STANDARD)

Use the search engine, and look for RFC1122 (and friends), then read
section 2.3.2. BRIEFLY - there is no "standard", but RFC1122 requires
the host to flush ``out-of-date'' ARP entries, and _suggests_ a timeout
on the order of a minute. It's a trade-off between having current
verses possibly wrong data and wasted space. If your hosts ALWAYS have
the same IP address, and different hosts are never assigned the same
address (one at a time) over long periods, then you can lengthen the
ARP timeout with little concern. On the other hand, an ARP request
and reply aren't taking up that much space on the wire, so there may
be little incentive to change the timeouts. RFC0826 also discusses
the rational.

Old guy

>
> * * * * Old guy

Thanks everyone

I've been reading about ARP and have decided to let the system take
care of its own. I concidered changing settings and even setting a
static arp cache. But, no thats going a bit too far

appreciate the help and information
Jim