LinuxQuestions.org
Old 04-27-2005, 05:13 AM   #1
klnasveschuk
Member
 
Registered: Jun 2003
Location: Plymouth, Massachusetts
Distribution: CentOS, Slackware, Redhat, Ubuntu
Posts: 52

Rep: Reputation: 15
Network traffic from ARP


Hello,
This is a strange scenario on a school network with roughly 400 computers. What I'm looking for is opinions on what is happening. There is a tremendous amount of ARP traffic which is why I'm soliciting opinions on this.

I have a Linux box acting as DHCP server. Below are some statistics that compare ARP table IP addresses with lease file entries, by the ranges I have set in the dhcpd.conf. The network is 172.16.56.0 netmask 255.255.248.0, roughly 2000 addresses on this subnet.

Network range                   ARP table entries   DHCP lease file entries
172.16.56.0 – 172.16.56.254     121                 90
172.16.57.0 – 172.16.57.254     182                 84
172.16.58.0 – 172.16.58.254     202                 90
172.16.59.0 – 172.16.59.254     194                 91
172.16.60.0 – 172.16.60.254     83                  53
172.16.61.0 – 172.16.61.254     28                  0   (not used in DHCP config)
172.16.62.0 – 172.16.62.254     18                  0   (not used in DHCP config)
172.16.63.0 – 172.16.63.254     165                 0   (not used in DHCP config)

84% of ARP table entries are incomplete
15% of ARP table entries have corresponding MAC addresses

Total number of lease file entries: 408
Total number of ARP IP address entries on eth2: 993

Number of addresses not accounted for by DHCP: 585

I have a Linux box acting as a router (default gateway on this network) with 3 interfaces. arp -an gave me the ARP table entries, of which there was a total of 1026; 993 were on interface eth2.

Typical output from arp -an:
172.16.59.202 (incomplete) eth2
172.16.59.131 (incomplete) eth2
172.16.59.124 (incomplete) eth2
172.16.59.17 (incomplete) eth2
172.16.58.52 (incomplete) eth2
172.16.63.163 (incomplete) eth2
172.16.63.135 (incomplete) eth2
172.16.63.120 (incomplete) eth2
172.16.63.92 (incomplete) eth2
172.16.57.200 (incomplete) eth2
172.16.63.49 (incomplete) eth2
172.16.63.21 (incomplete) eth2
172.16.60.22 (incomplete) eth2
172.16.59.238 ether 00:0F:1F6:6A:78 C eth2
172.16.59.167 ether 00:0F:1F:87:851 C eth2

These statistics were taken near the end of the school day at this school. The clients are nearly all Windows XP.

The volume and range of ARP IP addresses doesn't match what I lease to client machines, not even close. I'm thinking that there is some spoofing of MAC addresses going on.

Thanks

Kent N
 
Old 04-28-2005, 02:15 PM   #2
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
While it is possible to just build up arp traffic, you may be right about the ARP spoofing. You might want to get a program called arpwatch: it can help you look for suspicious entries in your arp table throughout the day, and narrow down the source of the spoofing.
 
Old 04-28-2005, 03:22 PM   #3
cowanrl
Member
 
Registered: Dec 2004
Location: Western Pennsylvania, USA
Distribution: Red Hat
Posts: 150

Rep: Reputation: 15
From my experience, an incomplete entry in the ARP table occurs when the computer transmits an ARP request for an IP address and doesn't get a response to its ARP request.

With a network address of 172.16.56.0 netmask 255.255.248.0, the range of valid IP addresses on the subnet should be 172.16.56.0 to 172.16.63.255. It looks to me like something on your network is trying to ping the entire subnet range to detect active hosts. Since they are showing up in the arp cache in your router, it either has to be taking place on the router itself or on a computer that is attached to an interface other than eth2. It doesn't have to be a ping but that is the most common means of trying to detect active hosts on a network.

Those incomplete entries should disappear after a while as the entries expire in the cache. If they stay there permanently, then you have something running on the router creating persistent ARP entries, or the software that is pinging your network is running constantly.

If it were me, I'd fire up a packet sniffer, such as Ethereal, on the router and see what type of traffic is running on your network.
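A script to reproduce the kind of tally the first post compiled (per-range counts of complete and incomplete entries, percentage incomplete, and complete entries that have no DHCP lease), and to show where the sweep pattern described in the third reply would surface. This is added example code, not from the thread; it parses the simplified `arp -an` line format the poster quoted, and the sample entries, MAC addresses and lease set below are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the line format quoted in the first post; the
# addresses and MAC addresses are made up for illustration.
ARP_OUTPUT = """\
172.16.59.202 (incomplete) eth2
172.16.59.131 (incomplete) eth2
172.16.59.124 (incomplete) eth2
172.16.63.163 (incomplete) eth2
172.16.63.135 (incomplete) eth2
172.16.63.120 (incomplete) eth2
172.16.59.238 ether 00:0F:1F:6A:78:01 C eth2
172.16.60.22 ether 00:0F:1F:AA:BB:04 C eth2
172.16.57.201 ether 00:0F:1F:87:85:03 C eth1
"""

# Constructed stand-in for the set of IPs found in dhcpd.leases.
DHCP_LEASES = {"172.16.59.238"}

# Matches "IP (incomplete) IFACE" or "IP ether MAC FLAGS IFACE".
ARP_RE = re.compile(r"^(\S+)\s+(?:\((incomplete)\)|ether\s+(\S+)\s+\S+)\s+(\S+)$")

def parse_arp(text, iface="eth2"):
    """Return a list of (ip, mac) for entries on iface; mac is None when incomplete."""
    entries = []
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if m and m.group(4) == iface:
            entries.append((m.group(1), m.group(3)))
    return entries

def summarize(entries, leases, prefix_len=24):
    """Per-/24 complete/incomplete counts, overall % incomplete, and complete
    entries with no lease. A range dominated by incomplete entries is the
    unanswered-request pattern of a host sweep; a complete entry with no
    lease is a host the DHCP server did not hand an address to."""
    per_range = {}
    for ip, mac in entries:
        net = str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))
        per_range.setdefault(net, Counter())["incomplete" if mac is None else "complete"] += 1
    incomplete = sum(1 for _, mac in entries if mac is None)
    unleased = sorted(ip for ip, mac in entries if mac is not None and ip not in leases)
    return {
        "total": len(entries),
        "pct_incomplete": round(100 * incomplete / len(entries)) if entries else 0,
        "per_range": per_range,
        "complete_without_lease": unleased,
    }
```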