What is the best way to determine the cause of an ARP saturated network?

Loki Jorgenson

Using my Fluke network monitor I will notice that ARP is running anywhere from 50% to 75%. While IP is around 30% to 50%. I can't seem to find any rime or reason for this high ARP traffic. It comes and goes at random lasting anywhere from two minutes to hours.

We are currently a single NT4 domain with about 500 nodes running a mixed NT4 workstation & Windows 2000 Pro on a switched network, with both Netbeui and IP protocols active. We are also a part of Trust in an Active Directory.

I am not familiar with this phenomenon. It sounds unusual and it would need additional investigation. Here's what I would suggest as working hypotheses in order of priority:

You have a worm of some sort that is using the ARP mechanisms to propagate. Variants of Code Red cause ARP flooding.
Somehow your hosts are not properly caching ARP data and constantly expiring it, possibly generating per-packet requests. I can't see how but it may be some consequence of an overly secure Trust configuration on Active Directory.

I would also sniff the packets to determine if a few hosts are responsible or all of them.

This was last published in February 2004

Dig Deeper on Network management and monitoring

OSI: Securing the stack, Layer 2 -- Understanding the role of ARP Part two of our series on securing the OSI stack looks at the perils of Address Resolution Protocol.

OSI: Securing the stack, Layer 2 -- Understanding the role of ARP Security expert Michael Gregg continues his layer-by-layer discussion of OSI model network security with this tip on the vulnerabilities present in Layer 2, the Data Link Layer, and specifically addresses the Address Resolution Protocol.

What must I do to upgrade an NT4 domain to Windows Server 2003? Expert Laura E. Hunter breaks down how to to upgrade to Windows Server 2003 from an NT4 domain.

What are the benefits of Active Directory over Windows NT 4.0 directory services? Expert Laura E. Hunter provides a helpful resource for those with questions about the differences between Active Directory and the old NT4 directory services.

Shipbuilder VT upgrades to solve NT4 support headaches Shipbuilder VT Group is updating its server infrastructure to use Microsoft's Active Directory, as it replaces its Windows NT 4.0 servers.

Taking Samba-3 beyond file and print serving, part two This tip reviews key factors in the interoperability between the host platform that Samba is running on, which is typically Linux, and the Microsoft Windows environment.

Related Q&A from Loki Jorgenson

One of my computers cannot communicate with the rest of the network and I can't figure out why.

Is there any easy way to measure EMF/EMI interactions?

Why doesn't my Internet connection work?

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

Meet all of our Networking experts

View all Networking questions and answers

SearchUnifiedCommunications

Avaya revenue slump expected to continue in 2020

Avaya revenue fell short of projections in the fourth fiscal quarter, capping a year of disappointing returns. The company told ...

7 steps to improve unified communications security

Unified communications security should not be overlooked. Follow these seven best practices to ensure all the elements of your UC...

Microsoft Teams reaches 20 million users, threatening Slack

Microsoft Teams has pulled well ahead of Slack with 20 million daily active users. Adoption of Teams will likely continue among ...

SearchMobileComputing

Deploy kiosk devices with the Managed Home Screen Android app

The Managed Home Screen app allows Microsoft Intune admins to deploy multi-app kiosk devices. IT should learn the two best ...

New Outlook features appeal to users on the go

At Ignite, Microsoft announced some improvements to its Office app and Outlook for iOS and Android. Learn about how it benefits ...

Smartphone market trends elicit longer refresh cycles

Organization must follow the smartphone market trends to inform their purchase decisions. Mobile admins should tailor purchase ...

SearchDataCenter

Understand top public cloud repatriation use cases

Cloud technology can pose billing, management and compliance issues. Here are five reasons why repatriating cloud workloads back ...

Microsoft quantum development turns toward hardware

Microsoft revealed plans to jump into the quantum hardware business with a chip capable of running quantum software.

Top 5 options for Linux certifications

Are you ready to expand your Linux knowledge? Here's a look at the latest courses, training content and exams available from ...

SearchITChannel

IBM's new security Cloud Pak unifies federated data

IBM Security is shifting its strategy with a new Cloud Pak designed specifically to unify data from multiple security tools and ...

Cohesity, Pivot3 update channel partner programs, MDF funds

Cohesity and Pivot3 are revamping established channel partner programs, emphasizing ease-of-doing-business, expanded financial ...

Businesses move key applications off public cloud to save costs

A new study has shown that while many enterprises are able to keep public cloud costs under control, spending can quickly ...

What is the best way to determine the cause of an ARP saturated network?

Dig Deeper on Network management and monitoring

Related Q&A from Loki Jorgenson

One of my computers cannot communicate with the rest of the network and I can't figure out why.

Is there any easy way to measure EMF/EMI interactions?

Why doesn't my Internet connection work?

Have a question for an expert?

Start the conversation

0 comments

Please create a username to comment.

-ADS BY GOOGLE

SearchUnifiedCommunications

Avaya revenue slump expected to continue in 2020

7 steps to improve unified communications security

Microsoft Teams reaches 20 million users, threatening Slack

SearchMobileComputing

Deploy kiosk devices with the Managed Home Screen Android app

New Outlook features appeal to users on the go

Smartphone market trends elicit longer refresh cycles

SearchDataCenter

Understand top public cloud repatriation use cases

Microsoft quantum development turns toward hardware

Top 5 options for Linux certifications

SearchITChannel

IBM's new security Cloud Pak unifies federated data

Cohesity, Pivot3 update channel partner programs, MDF funds

Businesses move key applications off public cloud to save costs

Dig Deeper on Network management and monitoring

Related Q&A from Loki Jorgenson

Have a question for an expert?

Start the conversation

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.