Why am I not seeing ARP requests from my own machine in wireshark?

1

I am using Windows 7. I open up Wireshark and start a live capture with the filter: ip.src == THIS.IS.MY.IP

I then go to a command line and do an arp -d * and ping a bunch of stuff.

I see my ICMP traffic and other traffic in Wireshark, but no ARP traffic. Why is this?

I should mention with out the filter I do see ARP traffic coming from other machines on the network, just not my own.

user1028270

Posted 2015-01-09T19:13:44.060

Reputation: 763

Answers

4

ARP traffic uses MAC addresses (Layer 2), not IP addresses (Layer 3), so your filter should be filtering out all ARP traffic. Change your filter from ip.src == MY_IP to arp or arp.src.hw_mac == MY_MAC and you should see the ARP packets.

heavyd

Posted 2015-01-09T19:13:44.060

Reputation: 54 755

This works, looks like I was "lying" about not seeing any arp traffic from my machine with the filter off- I was sorting the traffic by destination and looking for my IP not my MAC. – user1028270 – 2015-01-09T20:12:26.970

1To clarify, even though ARP requests do contain IP addresses, they're in different fields – not in the (nonexistent) IP header, but inside the ARP request itself. So you'd need arp.src.something to filter by IP. – user1686 – 2015-01-10T07:25:26.443

Asked: 2015-01-09T19:13:44.060

Viewed: 4 022 times

Active: 2015-01-09T19:56:13.263