Hello,
This is a strange scenario on a school network with roughly 400 computers. What I'm looking for is opinions on what is happening. There is a tremendous amount of ARP traffic, which is why I'm soliciting opinions on this.
I have a Linux box acting as DHCP server. Below are some statistics that compare ARP table IP addresses and lease file entries, by the ranges that I have set in dhcpd.conf. The network is 172.16.56.0 netmask 255.255.248.0, roughly 2000 addresses on this subnet.
Network range                  ARP table entries   DHCP lease file entries
172.16.56.0 – 172.16.56.254          121                    90
172.16.57.0 – 172.16.57.254          182                    84
172.16.58.0 – 172.16.58.254          202                    90
172.16.59.0 – 172.16.59.254          194                    91
172.16.60.0 – 172.16.60.254           83                    53
172.16.61.0 – 172.16.61.254           28                     0   (not used in DHCP config)
172.16.62.0 – 172.16.62.254           18                     0   (not used in DHCP config)
172.16.63.0 – 172.16.63.254          165                     0   (not used in DHCP config)
84% of ARP table entries are incomplete
15% of ARP table entries have a corresponding MAC address
Total number of lease file entries: 408
Total number of ARP IP address entries on eth2: 993
Number of addresses not accounted for by DHCP: 585
I have a Linux box acting as a router (default gateway on this network) with 3 interfaces. arp -an gave me the ARP table entries, of which there was a total of 1026; 993 were on interface eth2.
Typical output from arp -an (MAC addresses are partially cut off in the paste):
172.16.59.202 (incomplete) eth2
172.16.59.131 (incomplete) eth2
172.16.59.124 (incomplete) eth2
172.16.59.17 (incomplete) eth2
172.16.58.52 (incomplete) eth2
172.16.63.163 (incomplete) eth2
172.16.63.135 (incomplete) eth2
172.16.63.120 (incomplete) eth2
172.16.63.92 (incomplete) eth2
172.16.57.200 (incomplete) eth2
172.16.63.49 (incomplete) eth2
172.16.63.21 (incomplete) eth2
172.16.60.22 (incomplete) eth2
172.16.59.238 ether 00:0F:1F 6:6A:78 C eth2
172.16.59.167 ether 00:0F:1F:87:85 1 C eth2
These statistics were taken near the end of the school day at this school. The clients are almost entirely Windows XP.
The volume and range of ARP IP addresses doesn't match what I lease to client machines, not even close. I'm thinking that there is some spoofing of MAC addresses going on.
Thanks
Kent N
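The comparison above was done by hand against two text files. As an added example (not Kent's script and not anything posted in the thread), the Python below automates it: it parses `arp -n` style output (the Address/HWtype/HWaddress/Flags/Mask/Iface column layout shown in the post, where an entry the router queried but never got a reply for shows as "(incomplete)") and an ISC dhcpd.leases file, counts complete and incomplete entries per /24 on one interface, lists addresses that appear in ARP but never in the lease file, and flags the two things worth eyeballing when MAC spoofing is suspected: a single MAC answering for several IPs, and an IP whose ARP reply comes from a MAC other than the one dhcpd leased it to. Both samples are constructed; the MACs are made up, and the interface name eth2 is taken from the post.

```python
"""Cross-check a Linux ARP table against ISC dhcpd leases, per /24.

Added example (not the original poster's script). Both samples below are
constructed; nothing here is the poster's real data.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed `arp -n` sample. Incomplete rows carry no HWtype/HWaddress/Flags
# columns, so the field count differs between the two kinds of row.
SAMPLE_ARP = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
172.16.59.202                    (incomplete)                              eth2
172.16.59.131                    (incomplete)                              eth2
172.16.63.163                    (incomplete)                              eth2
172.16.59.238            ether   00:11:22:33:44:01   C                     eth2
172.16.59.167            ether   00:11:22:33:44:02   C                     eth2
172.16.57.40             ether   00:11:22:33:44:02   C                     eth2
172.16.58.10             ether   00:11:22:33:44:09   C                     eth2
172.16.56.5              ether   00:11:22:33:44:05   C                     eth1
"""

# Constructed dhcpd.leases sample. dhcpd appends to this file, and the last
# declaration for an address is the current one (172.16.59.238 ends as ...:01).
SAMPLE_LEASES = """\
lease 172.16.59.238 {
  binding state active;
  hardware ethernet 00:11:22:33:44:07;
}
lease 172.16.59.238 {
  binding state active;
  hardware ethernet 00:11:22:33:44:01;
}
lease 172.16.59.167 {
  binding state active;
  hardware ethernet 00:11:22:33:44:02;
}
lease 172.16.58.10 {
  binding state active;
  hardware ethernet 00:11:22:33:44:04;
}
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
MAC = re.compile(r"[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5}")
LEASE = re.compile(r"lease\s+(\d{1,3}(?:\.\d{1,3}){3})\s*\{(.*?)\}", re.S)


def parse_arp(text):
    """Return {ip: (mac or None, iface)}; None marks an (incomplete) entry."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or not IPV4.match(fields[0]):
            continue  # header line
        mac = fields[2].lower() if fields[1] == "ether" else None
        table[fields[0]] = (mac, fields[-1])
    return table


def parse_leases(text):
    """Return {ip: (mac or None, binding state)}; later declarations win."""
    leases = {}
    for ip, body in LEASE.findall(text):
        mac = MAC.search(body)
        state = re.search(r"binding state\s+(\w+)", body)
        leases[ip] = (mac.group(0).lower() if mac else None,
                      state.group(1) if state else "unknown")
    return leases


def compare(arp, leases, iface):
    """Per-/24 counts for one interface plus the lists worth checking by hand."""
    per_net = defaultdict(lambda: {"arp": 0, "incomplete": 0, "leased": 0})
    unleased, by_mac, mismatch = [], defaultdict(list), {}
    for ip, (mac, ifc) in arp.items():
        if ifc != iface:
            continue
        net = str(ipaddress.ip_network(ip + "/24", strict=False))
        per_net[net]["arp"] += 1
        if mac is None:
            per_net[net]["incomplete"] += 1  # router asked, nobody answered
        if ip in leases:
            per_net[net]["leased"] += 1
            lease_mac = leases[ip][0]
            if mac and lease_mac and mac != lease_mac:
                mismatch[ip] = (mac, lease_mac)  # IP answered from another NIC
        else:
            unleased.append(ip)
        if mac:
            by_mac[mac].append(ip)
    key = ipaddress.ip_address
    return {
        "per_net": dict(per_net),
        "unleased": sorted(unleased, key=key),
        # one MAC answering for several IPs: shared NIC, proxy ARP, or spoofing
        "multi_ip_macs": {m: sorted(ips, key=key) for m, ips in by_mac.items() if len(ips) > 1},
        "mac_mismatch": mismatch,
    }


if __name__ == "__main__":
    r = compare(parse_arp(SAMPLE_ARP), parse_leases(SAMPLE_LEASES), "eth2")
    for net, c in sorted(r["per_net"].items(), key=lambda kv: ipaddress.ip_network(kv[0])):
        print(f"{net:18} arp={c['arp']:4} incomplete={c['incomplete']:4} leased={c['leased']:4}")
    print("in ARP but never leased:", ", ".join(r["unleased"]))
    print("MACs answering for several IPs:", r["multi_ip_macs"])
    print("ARP MAC differs from lease MAC:", r["mac_mismatch"])
```

To run it against real data, replace the two samples with the saved output of `arp -n` on the router and the contents of dhcpd.leases from wherever your dhcpd keeps it. Note that the incomplete count by itself does not distinguish spoofing from anything else; it only says the router was handed packets for those addresses and nobody on the segment claimed them. The multi-IP MAC and MAC-mismatch lists are the ones that point at specific hosts to go look at.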