LinuxQuestions.org
Old 11-10-2012, 07:16 PM   #1
m4rtin
Member
 
Registered: Sep 2007
Posts: 261

Rep: Reputation: 16
Question ARP replies appear with delay in tcpdump/Wireshark output


If I send an ICMP "echo request" from 10.10.10.2 to 10.10.10.1, then according to tcpdump and Wireshark, 10.10.10.1 sends ICMP "echo reply" before ARP reply from 10.10.10.2 is received:

Code:
02:36:14.689050 00:1a:6b:6c:0c:cc > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.10.10.1 tell 10.10.10.2, length 46
02:36:14.689079 00:1d:09:f0:92:ab > 00:1a:6b:6c:0c:cc, ethertype ARP (0x0806), length 42: Reply 10.10.10.1 is-at 00:1d:09:f0:92:ab, length 28
02:36:14.689320 00:1a:6b:6c:0c:cc > 00:1d:09:f0:92:ab, ethertype IPv4 (0x0800), length 98: 10.10.10.2 > 10.10.10.1: ICMP echo request, id 8301, seq 1, length 64
02:36:14.689344 00:1d:09:f0:92:ab > 00:1a:6b:6c:0c:cc, ethertype IPv4 (0x0800), length 98: 10.10.10.1 > 10.10.10.2: ICMP echo reply, id 8301, seq 1, length 64
02:36:19.688639 00:1d:09:f0:92:ab > 00:1a:6b:6c:0c:cc, ethertype ARP (0x0806), length 42: Request who-has 10.10.10.2 tell 10.10.10.1, length 28
02:36:19.689815 00:1a:6b:6c:0c:cc > 00:1d:09:f0:92:ab, ethertype ARP (0x0806), length 60: Reply 10.10.10.2 is-at 00:1a:6b:6c:0c:cc, length 46
Wireshark output can be seen here.

Of course ARP traffic should appear before the ICMP "echo reply". Why do tcpdump and Wireshark show ARP traffic with a delay? I use tcpdump version 4.1.1 and Wireshark 1.2.11. Both use libpcap 1.1.1. Any ideas what might cause such behavior?

Last edited by m4rtin; 11-10-2012 at 07:27 PM.
 
Old 11-12-2012, 04:01 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1970
I can't see why there are ARPs exactly 5 seconds later; it seems fair to say it must be related somehow, but it can reply because it would just use the MAC on the incoming packet.
 
Old 11-12-2012, 04:08 AM   #3
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1970
Ahh, it looks like it's the delay_first_probe_time setting.

Code:
/proc/sys/net/ipv4/neigh/DEV/delay_first_probe_time
Delay for the first time probe if the neighbor is reachable. (see gc_stale_time)

/proc/sys/net/ipv4/neigh/DEV/gc_stale_time
Determines how often to check for stale ARP entries. After an ARP entry is stale it will be resolved
again (which is useful when an IP address migrates to another machine). When ucast_solicit is greater
than 0 it first tries to send an ARP packet directly to the known host. When that fails and
mcast_solicit is greater than 0, an ARP request is broadcast.
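
An added example, not part of the original thread: the script below parses the `tcpdump -e` lines from the first post, picks out unicast ARP requests (neighbor reachability probes rather than broadcast resolution), and measures the gap since the prober last sent IPv4 to that MAC. It assumes the Linux default of 5 seconds for delay_first_probe_time; the function names and the tolerance value are hypothetical.

```python
import re
from datetime import datetime

# Capture lines copied from the first post of this thread (tcpdump -e output).
CAPTURE = """\
02:36:14.689050 00:1a:6b:6c:0c:cc > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.10.10.1 tell 10.10.10.2, length 46
02:36:14.689079 00:1d:09:f0:92:ab > 00:1a:6b:6c:0c:cc, ethertype ARP (0x0806), length 42: Reply 10.10.10.1 is-at 00:1d:09:f0:92:ab, length 28
02:36:14.689320 00:1a:6b:6c:0c:cc > 00:1d:09:f0:92:ab, ethertype IPv4 (0x0800), length 98: 10.10.10.2 > 10.10.10.1: ICMP echo request, id 8301, seq 1, length 64
02:36:14.689344 00:1d:09:f0:92:ab > 00:1a:6b:6c:0c:cc, ethertype IPv4 (0x0800), length 98: 10.10.10.1 > 10.10.10.2: ICMP echo reply, id 8301, seq 1, length 64
02:36:19.688639 00:1d:09:f0:92:ab > 00:1a:6b:6c:0c:cc, ethertype ARP (0x0806), length 42: Request who-has 10.10.10.2 tell 10.10.10.1, length 28
02:36:19.689815 00:1a:6b:6c:0c:cc > 00:1d:09:f0:92:ab, ethertype ARP (0x0806), length 60: Reply 10.10.10.2 is-at 00:1a:6b:6c:0c:cc, length 46
"""

LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>[0-9a-f:]{17}) > (?P<dst>[0-9a-f:]{17}), "
    r"ethertype (?P<etype>\w+) \(0x[0-9a-f]{4}\), length \d+: (?P<rest>.*)$")
BROADCAST = "ff:ff:ff:ff:ff:ff"

def parse(text):
    """Yield (timestamp, src_mac, dst_mac, ethertype, payload) for each frame line."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:  # lines that are not tcpdump -e frame summaries are skipped
            yield (datetime.strptime(m["ts"], "%H:%M:%S.%f"),
                   m["src"], m["dst"], m["etype"], m["rest"])

def unicast_probes(text, expected_delay=5.0, tolerance=0.5):
    """Report unicast ARP requests and the time since the prober last sent IPv4 to that MAC.

    expected_delay is an assumption: the Linux default for delay_first_probe_time.
    """
    last_ip = {}   # (src_mac, dst_mac) -> timestamp of the last IPv4 frame on that path
    findings = []
    for ts, src, dst, etype, rest in parse(text):
        if etype == "IPv4":
            last_ip[(src, dst)] = ts
        elif etype == "ARP" and rest.startswith("Request") and dst != BROADCAST:
            prev = last_ip.get((src, dst))
            gap = None if prev is None else (ts - prev).total_seconds()
            findings.append({
                "prober": src, "target": dst, "gap": gap,
                "matches_delay": gap is not None and abs(gap - expected_delay) <= tolerance})
    return findings

if __name__ == "__main__":
    for f in unicast_probes(CAPTURE):
        print(f)
```

On this capture the only unicast ARP request is the one from 00:1d:09:f0:92:ab, sent just under 5 seconds after its echo reply, which fits the delay_first_probe_time explanation given in post #3.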
 
  

