Our Win10 hosts are located in IP network 172.16.0.0/21. The (remote) WINS server is located in IP network 192.168.1.0/24.

Running Wireshark on one of the hosts in 172.16.x.x I can see the entire network constantly ARPing for 192.168.1.1 (the WINS server).

That makes no sense to me. You don't ARP for an IP that is not in your local subnet. Instead you'd use the default gateway to get there.

What could be the issue here? (I'm not a specialist of these Windows protocols.)

Marki
  • The only time I've ever seen this behavior was due to malware. – joeqwerty Nov 22 '17 at 12:22
  • Looks like in this case it's "ZESService.exe" (Microfocus Zenworks, our system mgmt software). I'll keep you posted. – Marki Nov 23 '17 at 12:29
  • Looks like Location Awareness of said software is in play.... if so it is poorly implemented .... continuing investigations – Marki Nov 23 '17 at 15:43
  • I'd agree. A host should never ARP for any IP address that isn't local. If the software is causing this then it is badly implemented. The developers probably took the **"We're not sure how to solve this properly so we'll just hit it with a hammer."** approach. – joeqwerty Nov 23 '17 at 15:45
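
One way to find which hosts are sending the ARP requests described in the question, as an added example that is not part of the original thread: it parses raw Ethernet frames and counts ARP requests from a host inside 172.16.0.0/21 for a target outside that subnet. The MAC addresses, host addresses, the gateway address and the function names are assumptions made up for the sample data; 802.1Q-tagged frames are not handled.

```python
import ipaddress
import struct
from collections import Counter

LOCAL_NET = ipaddress.ip_network("172.16.0.0/21")  # host subnet from the question

def build_arp_request(mac, sender_ip, target_ip):
    """Build a raw Ethernet + ARP who-has frame (used for constructed sample data)."""
    eth = b"\xff" * 6 + mac + b"\x08\x06"              # broadcast dst, EtherType ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)    # Ethernet/IPv4, opcode 1 = request
    arp += mac + ipaddress.ip_address(sender_ip).packed
    arp += b"\x00" * 6 + ipaddress.ip_address(target_ip).packed
    return eth + arp

def parse_arp_request(frame):
    """Return (sender_ip, target_ip) for an untagged IPv4 ARP request, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    if struct.unpack("!HHBBH", frame[14:22]) != (1, 0x0800, 6, 4, 1):
        return None
    return ipaddress.ip_address(frame[28:32]), ipaddress.ip_address(frame[38:42])

def off_subnet_arp(frames, local_net=LOCAL_NET):
    """Count ARP requests per (sender, target) where a local host asks for a non-local IP."""
    hits = Counter()
    for frame in frames:
        parsed = parse_arp_request(frame)
        if parsed is None:
            continue
        sender, target = parsed
        # Probes from 0.0.0.0 and requests for in-subnet targets are normal ARP traffic.
        if sender in local_net and target not in local_net:
            hits[(str(sender), str(target))] += 1
    return hits

# Constructed sample capture: MACs, host addresses and the gateway are made up.
MAC_A, MAC_B = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
SAMPLE_FRAMES = [
    build_arp_request(MAC_A, "172.16.1.10", "192.168.1.1"),   # off-subnet (WINS server)
    build_arp_request(MAC_A, "172.16.1.10", "172.16.0.1"),    # assumed default gateway
    build_arp_request(MAC_B, "172.16.2.20", "192.168.1.1"),   # off-subnet
    build_arp_request(MAC_A, "172.16.1.10", "192.168.1.1"),   # off-subnet, repeated
    build_arp_request(MAC_B, "172.16.2.20", "172.16.7.254"),  # still inside the /21
    b"\xff" * 6 + MAC_A + b"\x08\x00" + b"\x00" * 46,         # IPv4 frame, not ARP
]

if __name__ == "__main__":
    for (sender, target), count in off_subnet_arp(SAMPLE_FRAMES).most_common():
        print(f"{sender} sent {count} ARP request(s) for non-local {target}")
```

The per-sender counts point at the machines to inspect for the responsible process.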
