Ask the Expert

What is the best way to determine the cause of an ARP saturated network?


Using my Fluke network monitor I will notice that ARP is running anywhere from 50% to 75%, while IP is around 30% to 50%. I can't seem to find any rhyme or reason for this high ARP traffic. It comes and goes at random, lasting anywhere from two minutes to hours.

We are currently a single NT4 domain with about 500 nodes running a mix of NT4 Workstation and Windows 2000 Pro on a switched network, with both NetBEUI and IP protocols active. We are also a part of Trust in an Active Directory.


I am not familiar with this phenomenon. It sounds unusual and it would need additional investigation. Here's what I would suggest as working hypotheses in order of priority:
  1. You have a worm of some sort that is using the ARP mechanisms to propagate. Variants of Code Red cause ARP flooding.

  2. Somehow your hosts are not properly caching ARP data and constantly expiring it, possibly generating per-packet requests. I can't see how but it may be some consequence of an overly secure Trust configuration on Active Directory.

I would also sniff the packets to determine if a few hosts are responsible or all of them.

This was first published in February 2004
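The last suggestion in the answer, sniffing to see whether a few hosts or all of them are responsible, can be done by counting ARP requests per sender in a saved capture. The script below is an added example, not part of the original answer; it assumes a classic pcap file (not pcapng) with untagged Ethernet frames, and the function names and the sample capture are constructed for illustration.

```python
import struct
from collections import Counter

def arp_requesters(pcap: bytes) -> Counter:
    """Count ARP requests per (sender MAC, sender IP) in a classic pcap capture."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic (non-pcapng) pcap file")
    counts, off = Counter(), 24                      # skip 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from(endian + "I", pcap, off + 8)[0]
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 42 or frame[12:14] != b"\x08\x06":
            continue                                 # not ARP (untagged Ethernet assumed)
        fields = struct.unpack_from("!HHBBH", frame, 14)
        if fields != (1, 0x0800, 6, 4, 1):
            continue                                 # keep IPv4-over-Ethernet requests only
        sha = frame[22:28].hex(":")                  # sender hardware address
        spa = ".".join(map(str, frame[28:32]))       # sender protocol (IP) address
        counts[(sha, spa)] += 1
    return counts

def top_share(counts: Counter, n: int = 3) -> float:
    """Fraction of all ARP requests sent by the n busiest senders."""
    total = sum(counts.values())
    return sum(c for _, c in counts.most_common(n)) / total if total else 0.0

def build_sample() -> bytes:
    """Constructed capture: one host sweeping 40 addresses, two hosts sending one request each."""
    def req(mac_hex, src, dst):
        mac = bytes.fromhex(mac_hex)
        arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + mac + bytes(src) + bytes(6) + bytes(dst)
        return b"\xff" * 6 + mac + b"\x08\x06" + arp
    frames = [req("020000000001", [10, 0, 0, 5], [10, 0, 0, i]) for i in range(100, 140)]
    frames.append(req("020000000002", [10, 0, 0, 6], [10, 0, 0, 1]))
    frames.append(req("020000000003", [10, 0, 0, 7], [10, 0, 0, 1]))
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

if __name__ == "__main__":
    counts = arp_requesters(build_sample())
    for (mac, ip), n in counts.most_common(5):
        print(f"{n:5d}  {mac}  {ip}")
    print(f"top sender share: {top_share(counts, 1):.0%}")
```

A top-sender share close to 100% points at a small number of hosts to inspect first; a flat distribution across all senders points instead at a network-wide cause.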
