1

All the clients in my wireless network continuously send ARP requests to a host that doesn't exist (I've checked its absence with nmap -PN [IP]).

The clients use Windows 7 and Windows XP (here the requests are sent with less frequency). What does it mean?

I think that this behavior is the reason for my network congestion... but how can I be sure?! Is there a way to check which process sends the ARP request?

Adi
Bau Miao
  • Are you sure that it doesn't exist? In this case nmap may not give a good result, because the computer may have a firewall, ICMP is blocked, all ports are closed and ...! Can you test it with arping, nbtscan or other ARP-based scanning tools? – Sajjad Pourali Dec 23 '13 at 12:28
  • Is this searched IP address within your network or outside? Did you look at your router to check if this IP address was attributed within your network in the recent past? – dan Dec 24 '13 at 20:00
  • With arping I get no reply, and the IP belongs to my network. It seems that it has never been used in the recent past... – Bau Miao Dec 26 '13 at 14:07
  • Does the IP address show up in your DHCP server? – Mark S. Dec 28 '13 at 20:00
  • UPDATE: with a Linux live distro the client doesn't send ARP requests to unknown hosts... I've tried to clear the ARP cache on a Windows client (with "netsh interface ip delete arpcache") but the problem remains. The DHCP server doesn't show the unknown IP. – Bau Miao Dec 30 '13 at 08:29
  • Do you see any ARP responses? – Dog eat cat world Jul 27 '14 at 09:07

2 Answers

1

There's no one (normal) process that would be causing ARP to happen - a process might ask for a connection to an IP address, but then it's the network stack's job to figure out how to get it to another machine, and that's when ARP happens.

Your best bet is to figure out where the machine is connected, switchport wise, from your switch. Either via the switch's interface or via SNMP via the IP net-to-media table. Then you can chase wire and find the beast.

Since it's just Windows, you might have a WINS server that got elected master, or something like that, but that's purely a stab in the dark.

Bill McGonigle
0

You either have an epic DHCP problem, some sort of ARP Cache Poisoning/MiTM attack, or someone setting up a rogue access point. I don't know of any tools that will show what process is sending ARP requests, but maybe you can try something like dtrace to see the system calls.
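
An added example, not part of the question or either answer: the comments ask whether any ARP responses are seen for the address. The Python sketch below tallies ARP who-has requests from captured Ethernet frames by target IP and requester MAC, and reports the targets that never sent a reply. The function names and the sample frames (MACs and addresses) are constructed for illustration.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

ETH_ARP = 0x0806  # EtherType for ARP

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return op, sha.hex(":"), str(IPv4Address(spa)), str(IPv4Address(tpa))

def unanswered_targets(frames):
    """Map target IP -> {requester MAC: count} for IPs that were asked for but never replied."""
    asked, answered = {}, set()
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None:
            continue
        op, mac, spa, tpa = arp
        if op == 1 and spa != tpa:  # who-has request; gratuitous ARP is skipped
            asked.setdefault(tpa, Counter())[mac] += 1
        elif op == 2:               # is-at reply: the sender IP is alive
            answered.add(spa)
    return {ip: dict(c) for ip, c in asked.items() if ip not in answered}

def make_frame(op, sha, spa, tpa, tha="00:00:00:00:00:00"):
    """Build one ARP frame for the constructed sample below."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    dst = b"\xff" * 6 if op == 1 else mac(tha)
    return (dst + mac(sha) + struct.pack("!HHHBBH", ETH_ARP, 1, 0x0800, 6, 4, op)
            + mac(sha) + IPv4Address(spa).packed + mac(tha) + IPv4Address(tpa).packed)

# Constructed sample: two clients keep asking for 192.168.1.50, which never answers;
# one request for the gateway is answered normally.
A, B, GW = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:01"
SAMPLE = (
    [make_frame(1, A, "192.168.1.10", "192.168.1.50")] * 3
    + [make_frame(1, B, "192.168.1.11", "192.168.1.50")] * 2
    + [make_frame(1, A, "192.168.1.10", "192.168.1.1"),
       make_frame(2, GW, "192.168.1.1", "192.168.1.10", tha=A)]
)

if __name__ == "__main__":
    for ip, who in unanswered_targets(SAMPLE).items():
        print(ip, who)
```

Run over frames captured on the affected segment, the per-MAC counts show which clients generate the unanswered requests and how often, which gives a measure of how much of the traffic they account for.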