Q
Problem solve Get help with specific problems with your technologies, process and projects.

What is the best way to determine the cause of an ARP saturated network?

What is the best way to determine the cause of an ARP saturated network?

Using my Fluke network monitor I will notice that ARP is running anywhere from 50% to 75%. While IP is around 30% to 50%. I can't seem to find any rime or reason for this high ARP traffic. It comes and goes at random lasting anywhere from two minutes to hours.

We are currently a single NT4 domain with about 500 nodes running a mixed NT4 workstation & Windows 2000 Pro on a switched network, with both Netbeui and IP protocols active. We are also a part of Trust in an Active Directory.

I am not familiar with this phenomenon. It sounds unusual and it would need additional investigation. Here's what I would suggest as working hypotheses in order of priority:
  1. You have a worm of some sort that is using the ARP mechanisms to propagate. Variants of Code Red cause ARP flooding.

  2. Somehow your hosts are not properly caching ARP data and constantly expiring it, possibly generating per-packet requests. I can't see how but it may be some consequence of an overly secure Trust configuration on Active Directory.

I would also sniff the packets to determine if a few hosts are responsible or all of them.

This was last published in February 2004

Dig Deeper on Network management and monitoring

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Meet all of our Networking experts

View all Networking questions and answers

Start the conversation

Send me notifications when other members comment.

Register

Please create a username to comment.

-ADS BY GOOGLE

SearchUnifiedCommunications

SearchMobileComputing

SearchDataCenter

SearchITChannel

Close