Re: W2K3 Excessive ARP Traffic
From: Phillip Windell (_at_.)
Date: 03/25/04
- Next message: Markus: "Printer Notification"
- Previous message: Dave: "Re: windows 2000 logon script"
- In reply to: Scott Barnes: "W2K3 Excessive ARP Traffic"
- Next in thread: Scott Barnes: "Re: W2K3 Excessive ARP Traffic"
- Reply: Scott Barnes: "Re: W2K3 Excessive ARP Traffic"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 25 Mar 2004 08:17:00 -0600
ARP request don't simply run constantly. Even though they are broadcast,
they are infact looking for a specific host, therefore they only happen when
the server needs to contact another specific machine. So normally a lot of
ARP requests are simply a "by-product" of a lot of traffic to a lot of
different hosts.
Now if Exchange is on that box and you have a lot of spam,...especially if
this box is relaying spam and you don't know it, there would be an ARP
request going out for every remote mail server that it tries to send to.
These requests would always be responded to by the router or firewall with
it's own MAC address since the remote mail server wouldn't be part of your
own system.
Now the one confusing thing to me is that in your example the sender and
target IP# are the same as if it is trying to constantly resolve it's own
IP# to its own MAC address over and over. I don't know if that is normal or
what,.....maybe it is the "what" part :-). Would this just be a bad choice
of a sample of is the whole thing look like that?
-- Phillip Windell [MCP, MVP, CCNA] www.wandtv.com "Scott Barnes" <wcrpa@yahoo.com> wrote in message news:MPG.1acc233e7f2370dd989680@news.microsoft.com... > My new W2K3 Enterprise Edition server seems to broadcast gratuitous ARP > packets every two seconds. In Ethereal, these look like: > > Frame 2 (60 bytes on wire, 60 bytes captured) > Arrival Time: Mar 24, 2004 22:19:07.824726000 > Time delta from previous packet: 1.998423000 seconds > Time since reference or first frame: 1.998423000 seconds > Frame Number: 2 > Packet Length: 60 bytes > Capture Length: 60 bytes > Ethernet II, Src: 00:03:47:30:2c:ec, Dst: ff:ff:ff:ff:ff:ff > Destination: ff:ff:ff:ff:ff:ff (Broadcast) > Source: 00:03:47:30:2c:ec (192.168.0.100) > Type: ARP (0x0806) > Trailer: 00000000000000000000000000000000... > Address Resolution Protocol (request) > Hardware type: Ethernet (0x0001) > Protocol type: IP (0x0800) > Hardware size: 6 > Protocol size: 4 > Opcode: request (0x0001) > Sender MAC address: 00:03:47:30:2c:ec (192.168.0.100) > Sender IP address: w2k3svr3.eti.local (192.168.0.100) > Target MAC address: ff:ff:ff:ff:ff:ff (Broadcast) > Target IP address: w2k3svr3.eti.local (192.168.0.100) > > > This server is a Domain Controller and also runs Exchange 2003. The > other Domain Controller is W2K, and has never broadcast ARP packets in > this manner. Can I do anything to stop this needless broadcast traffic? > > Thanks, > Scott
- Next message: Markus: "Printer Notification"
- Previous message: Dave: "Re: windows 2000 logon script"
- In reply to: Scott Barnes: "W2K3 Excessive ARP Traffic"
- Next in thread: Scott Barnes: "Re: W2K3 Excessive ARP Traffic"
- Reply: Scott Barnes: "Re: W2K3 Excessive ARP Traffic"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
