Tuesday, September 7, 2010

Why is there no ARP reply in the packet trace

>Hello
> I'm having a situation concerning ARP where I am seeing no ARP
>replies to many ARP requests on my network when I evaluate with a
>protocol analyzer. I think the ARP traffic may be at a level where it
>is disrupting traffic on the network and nodes are dropping off as a
>result. It is a Microsoft 2000/XP network running Active Directory.
>The sniffs show a lot of whois ARP traffic and I see little or no ARP
>replies with the MAC address. I'm wondering what this could be due
>to. It is a flat network with 175 nodes running a class B subnet.
>WINS and DNS are configured. The workstation nodes are mixed
>Win2k/XP (majority being 2k). The servers are Win2k. Is this high
>amount of ARP traffic (between 60 to 90 percent at a server) normal and
>if not what could I do to facilitate the ARP replies? Thanks


How is your protocol analyzer connected to the network? If you're on a
switch, it would be logical that you don't see ARP replies.

The ARP requests are in the form of a broadcast, so sent to every
port. However, the reply is sent as a unicast to the host which made
the ARP request.

Unless you configured a SPAN port, you won't see this traffic on a
switched network. This would also explain why you see such a high
percentage of ARP requests: the unicast traffic isn't captured by your
protocol analyzer.


With kind regards,

Patrick
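
The check described in the reply above, as an added example that is not part of the original post: it counts ARP opcodes in a capture and tests whether any unicast frame between other hosts is visible at all, which is what separates an ordinary switch port from a SPAN port. It goes one step further than the reply by also reporting the case where unicast is visible and requests still outnumber replies. The function names, MAC and IP addresses are hypothetical and the frames are constructed, untagged Ethernet II samples.

```python
import struct
from collections import Counter

BROADCAST = b"\xff" * 6
ETH_ARP = 0x0806

def arp_frame(dst, src, oper, spa, tpa, tha=b"\x00" * 6):
    """Build an untagged Ethernet II ARP frame (used only for the constructed samples)."""
    eth = struct.pack("!6s6sH", dst, src, ETH_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper, src, spa, tha, tpa)
    return eth + arp

def diagnose(frames, own_mac):
    """Count ARP opcodes and foreign unicast frames, then judge the capture point."""
    stats = Counter()
    for frame in frames:
        if len(frame) < 14:
            continue
        dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
        if own_mac in (dst, src):
            continue                  # the analyzer's own traffic proves nothing
        if not dst[0] & 1:            # group bit clear: unicast between other hosts
            stats["foreign_unicast"] += 1
        if ethertype == ETH_ARP and len(frame) >= 42:
            oper = struct.unpack("!H", frame[20:22])[0]   # ARP opcode field
            stats[{1: "arp_request", 2: "arp_reply"}.get(oper, "arp_other")] += 1
    if stats["arp_request"] and not stats["foreign_unicast"]:
        verdict = "broadcast-only view"   # replies never reach this port
    elif stats["arp_request"] > stats["arp_reply"]:
        verdict = "unicast visible, requests outnumber replies"
    else:
        verdict = "requests answered"
    return stats, verdict

# Constructed sample: hosts A and B, analyzer S; all addresses are made up.
A, B, S = (bytes.fromhex(h) for h in ("020000000001", "020000000002", "020000000099"))
IP_A, IP_B = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
request = arp_frame(BROADCAST, A, 1, IP_A, IP_B)
reply = arp_frame(A, B, 2, IP_B, IP_A, tha=A)

ACCESS_PORT = [request, request]               # ordinary switch port: broadcasts only
SPAN_PORT = [request, reply, request, reply]   # mirrored port: unicast replies too

if __name__ == "__main__":
    for name, capture in (("access port", ACCESS_PORT), ("SPAN port", SPAN_PORT)):
        print(name, *diagnose(capture, S))
```
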
