Windows XP Home issuing about 20 ARP requests a second

I have been asked to remotely fix a family member's computer that is running "slow". I've had them run any number of S&D and AVG scans, even in safe mode, but they find nothing of interest. In using Remote Assistance to poke around, I installed Wireshark and discovered that the box is issuing up to 20 ARP requests per second, mostly for its local subnet (directly connected to WebSTAR 2000 USB cable modem) as seen in the graphic below.

Asked by: Guest | Views: 228
Total answers/comments: 2
Guest [Entry]

"Not to be a party pooper, but the size of the subnet is irrelevant to the number of ARP broadcasts per second. Just because a subnet is large enough for x number of hosts doesn't mean that a host will ARP for x number of IP addresses in that subnet. A host sends an ARP packet when it needs to send a packet to another host. The only time a host will ARP for x number of IP addresses in its subnet (or a large number of IP addresses in its subnet) is if it's scanning the IP address range for its subnet (using an IP scanning program), it's infected with malware, or has a faulty NIC or NIC driver. At no other time does a host normally send a large number of ARP packets like what you're seeing. Additionally, a host will not send an ARP packet for an IP address that's not on its local subnet, as it knows that the IP address is not local and that it needs to send it to its default gateway, and therefore will not send an ARP packet for that IP address.

You have 5 hosts sending ARP packets on the network:

10.212.0.1 - This seems normal. This is the default gateway and there's only one ARP packet in your screenshot. The default gateway will send ARP packets into the network when it needs to pass traffic to an internal host and that host's MAC address is not in its ARP cache (like every other network device does).

24.170.135.1 - I don't understand this one. This is a non-local IP address. Where is it coming from? Do you have multiple networks bridged together? Do any of the computers have multiple NICs connected to multiple networks or multiple connections, such as a VPN connection, etc.?

24.233.137.1 - Again, this is a non-local IP address.

70.119.248.1 - This is probably normal, although the IP addresses it's ARP'ing for seem a little out of place. They're in the same subnet but far separated from what I would consider a normal IP addressing scheme.

70.119.176.1 - This is the one that worries me as it's the one sending the bulk of the ARP packets. I suspect that this one is either performing a subnet scan for all IP addresses in the subnet, it's infected with malware, or it has a bad NIC or NIC driver.

ARP floods (which is what I believe you're dealing with) are not a normal condition in a network. ARP broadcasts exceeding about 3-5% of all network traffic is a very good indication that something is wrong.

EDIT

After re-reading your question with your recent edits, I have a different opinion of what's going on: if 70.119.176.1 is the default gateway for the network, and it's the one sending the bulk of the ARP requests for addresses in the subnet, then I'm thinking that someone external to you is performing an IP address\port scan against your network and your firewall is not blocking it. For every IP address being probed, your default gateway is sending an ARP request to try and find a host on the IP address being probed. Does your firewall, router, or modem have a log that you can look at?

I still don't understand where the 24.x.x.x addresses are coming from."
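The triage described in the answer above (who is sending the ARP requests, for how many distinct addresses, and what share of traffic is ARP) can be scripted; this is an added example, not part of the original posts. It assumes frames are already available as (timestamp, EtherType, payload) tuples; the 5% share limit comes from the answer, the 10-target sweep cutoff and the 192.0.2.x sample capture are constructed assumptions.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETH_ARP, ETH_IPV4 = 0x0806, 0x0800

def parse_arp_request(payload):
    """Return (sender_ip, target_ip) for an Ethernet/IPv4 ARP request, else None."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, oper, _sha, spa, _tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen, oper) != (1, ETH_IPV4, 6, 4, 1):
        return None
    return str(IPv4Address(spa)), str(IPv4Address(tpa))

def summarize(frames, sweep_targets=10, max_arp_share=0.05):
    """frames: list of (timestamp_s, ethertype, payload). Thresholds are tunable assumptions."""
    if not frames:
        return {"arp_share": 0.0, "share_exceeded": False, "senders": {}}
    requests, targets, arp_frames = defaultdict(int), defaultdict(set), 0
    for _ts, ethertype, payload in frames:
        if ethertype != ETH_ARP:
            continue
        arp_frames += 1
        parsed = parse_arp_request(payload)
        if parsed:
            requests[parsed[0]] += 1
            targets[parsed[0]].add(parsed[1])
    stamps = [f[0] for f in frames]
    duration = (max(stamps) - min(stamps)) or 1.0   # avoid dividing by zero
    share = arp_frames / len(frames)
    senders = {ip: {"requests": n, "distinct_targets": len(targets[ip]),
                    "per_second": n / duration,
                    "sweep_like": len(targets[ip]) >= sweep_targets}
               for ip, n in requests.items()}
    return {"arp_share": share, "share_exceeded": share > max_arp_share, "senders": senders}

def constructed_capture():
    """Constructed one-second sample: one sender probing 20 addresses, one ordinary host."""
    def req(spa, tpa):
        return struct.pack(ARP_FMT, 1, ETH_IPV4, 6, 4, 1, bytes.fromhex("020000000001"),
                           IPv4Address(spa).packed, bytes(6), IPv4Address(tpa).packed)
    frames = [(i * 0.05, ETH_ARP, req("192.0.2.1", f"192.0.2.{10 + i}")) for i in range(20)]
    frames.append((0.5, ETH_ARP, req("192.0.2.254", "192.0.2.1")))
    frames += [(i / 78, ETH_IPV4, b"") for i in range(79)]   # non-ARP traffic
    return frames

if __name__ == "__main__":
    report = summarize(constructed_capture())
    print(f"ARP share of frames: {report['arp_share']:.0%}")
    for ip, stats in sorted(report["senders"].items()):
        print(ip, stats)
```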
Guest [Entry]

20 ARP per second is certainly in the range of normal background noise for the /20 subnet. I am surprised it is not higher. In general, ARP requests are not by themselves a sign of a worm trying to spread. You know just enough to be dangerous but not enough yet to know how to look at network traffic. Keep at it and keep asking questions; you will gain the insight to make real use of your tool kit.