Using my Fluke network monitor, I will notice that ARP is running anywhere from 50% to 75%, while IP is around 30% to 50%. I can't seem to find any rhyme or reason for this high ARP traffic. It comes and goes at random, lasting anywhere from two minutes to hours.
We are currently a single NT4 domain with about 500 nodes running a mix of NT4 Workstation and Windows 2000 Pro on a switched network, with both NetBEUI and IP protocols active. We are also a part of Trust in an Active Directory.
- You have a worm of some sort that is using the ARP mechanisms to propagate. Variants of Code Red cause ARP flooding.
- Somehow your hosts are not properly caching ARP data and are constantly expiring it, possibly generating per-packet requests. I can't see how, but it may be some consequence of an overly secure Trust configuration on Active Directory.
I would also sniff the packets to determine if a few hosts are responsible or all of them.
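One way to do that tally from captured frames, as an added example that is not part of the original answer: it counts ARP requests per sender MAC and separates hosts that ask for many distinct addresses (the worm-like pattern) from hosts that keep asking for the same few addresses (the cache-expiry pattern). The function names, the thresholds and the sample frames are assumptions made up for illustration.

```python
import struct
from collections import defaultdict

def parse_arp_request(frame):
    """Return (sender_mac, target_ip) for an Ethernet/IPv4 ARP request, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":      # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen, oper) != (1, 0x0800, 6, 4, 1):  # oper 1 = request
        return None
    sha, _spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return sha.hex(":"), ".".join(str(b) for b in tpa)

def summarize(frames, sweep_targets=20, repeat_ratio=5.0):
    """Per sender MAC: (requests, distinct targets, label). Thresholds are assumed."""
    seen = defaultdict(lambda: [0, set()])
    for frame in frames:
        parsed = parse_arp_request(frame)
        if parsed:
            mac, target = parsed
            seen[mac][0] += 1
            seen[mac][1].add(target)
    report = {}
    for mac, (count, targets) in seen.items():
        if len(targets) >= sweep_targets:
            label = "sweep"      # many distinct targets: scanning, worm-like
        elif count / len(targets) >= repeat_ratio:
            label = "re-ask"     # same targets over and over: cache not holding
        else:
            label = "normal"
        report[mac] = (count, len(targets), label)
    return report

def build_request(mac, src_ip, dst_ip):
    """Constructed sample frame: broadcast Ethernet header plus ARP request."""
    sha = bytes.fromhex(mac.replace(":", ""))
    ip = lambda addr: bytes(int(octet) for octet in addr.split("."))
    header = b"\xff" * 6 + sha + b"\x08\x06"
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
    return header + body + sha + ip(src_ip) + b"\x00" * 6 + ip(dst_ip)

# Constructed capture: one sweeping host, one re-asking host, one ordinary host.
SAMPLE = [build_request("02:00:00:00:00:01", "10.0.0.50", f"10.0.0.{i}") for i in range(1, 31)]
SAMPLE += [build_request("02:00:00:00:00:02", "10.0.0.51", "10.0.0.1")] * 12
SAMPLE += [build_request("02:00:00:00:00:03", "10.0.0.52", f"10.0.0.{i}") for i in (1, 2, 3)]

if __name__ == "__main__":
    for mac, row in sorted(summarize(SAMPLE).items(), key=lambda kv: -kv[1][0]):
        print(mac, *row)
```

On a switched network the capture point needs to see the broadcast domain in question; ARP requests are broadcast, so any port in the VLAN will receive them.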