What is the best way to determine the cause of an ARP saturated network?

Using my Fluke network monitor I will notice that ARP is running anywhere from 50% to 75%, while IP is around 30% to 50%. I can't seem to find any rhyme or reason for this high ARP traffic. It comes and goes at random, lasting anywhere from two minutes to hours.

We are currently a single NT4 domain with about 500 nodes running a mix of NT4 Workstation and Windows 2000 Pro on a switched network, with both NetBEUI and IP protocols active. We are also part of a trust in an Active Directory.

I am not familiar with this phenomenon. It sounds unusual and it would need additional investigation. Here's what I would suggest as working hypotheses in order of priority:
  1. You have a worm of some sort that is using the ARP mechanisms to propagate. Variants of Code Red cause ARP flooding.

  2. Somehow your hosts are not properly caching ARP data and constantly expiring it, possibly generating per-packet requests. I can't see how but it may be some consequence of an overly secure Trust configuration on Active Directory.

I would also sniff the packets to determine if a few hosts are responsible or all of them.

This was last published in February 2004

