Using my Fluke network monitor I will notice that ARP is running anywhere from 50% to 75%, while IP is around 30% to 50%. I can't seem to find any rhyme or reason for this high ARP traffic. It comes and goes at random, lasting anywhere from two minutes to hours.
We are currently a single NT4 domain with about 500 nodes running a mix of NT4 Workstation and Windows 2000 Pro on a switched network, with both NetBEUI and IP protocols active. We are also part of a trust in an Active Directory.
- You have a worm of some sort that is using the ARP mechanisms to propagate. Variants of Code Red cause ARP flooding.
- Somehow your hosts are not properly caching ARP data and constantly expiring it, possibly generating per-packet requests. I can't see how, but it may be some consequence of an overly secure Trust configuration on Active Directory.
I would also sniff the packets to determine if a few hosts are responsible or all of them.
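As an added illustration of that last suggestion (example code, not part of the original thread), the script below reads tcpdump-style ARP request lines and separates the two hypotheses above: a host asking about many different addresses looks like a sweep, while a host re-asking about the same few addresses looks like a cache that is not being honoured. The capture lines, addresses and thresholds are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in tcpdump's ARP output format ("who-has X tell Y").
# Three hosts resolve the gateway 10.1.0.1 once or twice (normal),
# 10.1.0.20 walks consecutive addresses (sweep), and 10.1.0.40 keeps
# re-asking for the gateway (cache churn).
SAMPLE_CAPTURE = "\n".join(
    [f"10:00:00.{i:03d} ARP, Request who-has 10.1.0.1 tell 10.1.0.{h}, length 46"
     for i, h in enumerate([30, 31, 32, 31])]
    + [f"10:00:01.{i:03d} ARP, Request who-has 10.1.0.{100 + i} tell 10.1.0.20, length 46"
       for i in range(16)]
    + [f"10:00:02.{i:03d} ARP, Request who-has 10.1.0.1 tell 10.1.0.40, length 46"
       for i in range(10)]
    + ["10:00:03.000 ARP, Reply 10.1.0.1 is-at 00:11:22:33:44:55, length 46"]
)

ARP_REQUEST = re.compile(r"ARP, Request who-has ([0-9.]+) tell ([0-9.]+),")


def summarize_arp(capture_text):
    """Count ARP requests per sender and the distinct targets each one asked for."""
    per_sender = Counter()
    targets = defaultdict(set)
    for line in capture_text.splitlines():
        m = ARP_REQUEST.search(line)
        if not m:
            continue  # replies and non-ARP lines are ignored
        target, sender = m.groups()
        per_sender[sender] += 1
        targets[sender].add(target)
    return per_sender, {s: len(t) for s, t in targets.items()}


def classify_senders(capture_text, min_requests=8, min_targets=10):
    """Label each chatty sender: 'sweep' if it asked about many distinct
    addresses, 'repeat' if it keeps re-asking the same few. Quiet senders
    (fewer than min_requests) are left out, so a short list means a few
    hosts are responsible rather than the whole segment."""
    per_sender, distinct = summarize_arp(capture_text)
    labels = {}
    for sender, n in per_sender.items():
        if n < min_requests:
            continue
        labels[sender] = "sweep" if distinct[sender] >= min_targets else "repeat"
    return labels


if __name__ == "__main__":
    per_sender, _ = summarize_arp(SAMPLE_CAPTURE)
    print(sum(per_sender.values()), "ARP requests;", classify_senders(SAMPLE_CAPTURE))
```

Feed it real output from `tcpdump -n arp` (or the Fluke's export converted to that format) to see which hosts, if any, dominate the request count.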
This was first published in February 2004