Network flooded by strange gratuitous ARP broadcasts

We have a client whose LAN is severely congested - using Ethereal to do a packet capture we discovered a block of workstations in the network are broadcasting out a huge number of gratuitous ARP requests.  What's strange is that the network is on a single subnet (192.168.10.0) while the ARP requests are for IPs outside of this subnet (e.g. 192.168.30.32, 192.168.25.44, 192.168.44.24).

I've looked up gratuitous ARP packets and it looks like they're a self-discovery protocol - which means the target address should be the same as source address.  The 10 or so workstations issuing these broadcasts are on the 192.168.10.0 subnet (they can be pinged and RDP'd using the 192.168.10.0 address) - so I can't explain why they would be sending out ARP packets with a source address of 192.168.30.32 or 192.168.25.44.

When I physically unplug one of these workstations from the network the particular ARP broadcasts from that MAC source address stop, so I don't think there's spoofing going on.

I checked IP address config using 'ipconfig /all' and through Windows network connection properties and only see the 192.168.10.xxx address and not anything else.  

At this point I'm thinking either it's a virus or some misconfigured software. (These are 3D rendering stations - there's not a lot of software installed on them.)

Any help greatly appreciated!

Thanks

Chris

smocohibaAsked:
smocohiba (Author) Commented:
Hi - just wanted to post a follow up to this question.  The issue was resolved by another one of our administrators.  It turned out that the integrated Intel NICs on the motherboards of a group of 24 identical workstations were causing the mysterious ARP broadcasts.  It took a firmware update to each of the mainboards to stop the broadcasts.

Hope this helps anyone else who may have the same problem
0
 
giltjrCommented:
Any of these boxes running VMWare or Virtual PC?

IIRC, there is a virus that does this.  Do you have anti-virus software?
0
 
smocohibaAuthor Commented:
I don't believe these workstations have anti-virus software.  I'll have one of them run an online scan.  

They shouldn't be running any virtual machine software, but I'll check for that as well.

Thanks!
0
 
ctrostCommented:
Do those machines have Class C or Class B subnet masks?  (255.255.255.0 or 255.255.0.0)  
0
 
smocohibaAuthor Commented:
They're using class C masks. I ran an online virus scanner on a couple of the machines and they came back clean.
0
 
ctrostCommented:
Try to ping and nslookup 192.168.30.32 or 192.168.25.44 and see if they reply....better yet, see if they reply with hostnames
0
 
smocohibaAuthor Commented:
Ping gets no replies on any of these addresses, nor does nslookup.  I never see any replies to these ARP broadcasts in the packet capture.

thanks!
0
 
giltjrCommented:
You would need to install some type of software on the PCs that monitors and logs what processes send IP data out.

By chance are they running IIS or some other web server (or any other IP server based software)?  Could one of these be configured to listen on one of these bad IP addresses?
0
 
smocohibaAuthor Commented:
Thanks - any recommendation on monitoring software?

0
 
DavidLHCommented:
In ethereal what are the source IP addresses of the ARP packets?  Are they all coming from the same computer or from different computers?

If they are all coming from the same computer make sure to virus scan that computer.

Also, is there any organization to the ARP requests?  One time I saw a virus ARPing for sequential addresses.
0
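The two checks discussed above (the original question's off-subnet gratuitous ARPs grouped by source MAC, and DavidLH's point about looking for sequential address patterns) can be run directly against a capture. The following is an added example, not code from this thread or from Ethereal: it decodes raw Ethernet/ARP frames, keeps only gratuitous ARPs (sender IP equal to target IP) whose announced address lies outside the 192.168.10.0/24 subnet named in the post, and reports per source MAC how many it saw and whether the addresses form a sequential sweep. The sample frames are constructed here for illustration; the MAC addresses and the 192.168.50.x sweep are assumptions, and only the three 192.168.x.x addresses are taken from the question.

```python
import ipaddress
import struct
from collections import defaultdict

# The client's single subnet, as stated in the question.
LOCAL_NET = ipaddress.ip_network("192.168.10.0/24")

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, SHA, SPA, THA, TPA
ETHERTYPE_ARP = 0x0806
BROADCAST = b"\xff" * 6


def build_arp(src_mac, sender_ip, target_ip, op=1):
    """Build a broadcast Ethernet/ARP frame; used here only to construct sample data."""
    eth = ETH_HDR.pack(BROADCAST, src_mac, ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, op, src_mac,
                       ipaddress.ip_address(sender_ip).packed,
                       b"\x00" * 6,
                       ipaddress.ip_address(target_ip).packed)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of a raw Ethernet frame, or None if it is not ARP."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    _ht, _pt, _hl, _pl, op, _sha, spa, _tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    return {
        "src_mac": src.hex(":"),
        "op": op,
        "sender_ip": ipaddress.ip_address(spa),
        "target_ip": ipaddress.ip_address(tpa),
    }


def is_gratuitous(arp):
    """A gratuitous ARP (request or reply) announces the sender's own address."""
    return arp["sender_ip"] == arp["target_ip"]


def analyse(frames, local_net=LOCAL_NET):
    """Group off-subnet gratuitous ARPs by source MAC and flag sequential sweeps."""
    per_mac = defaultdict(list)
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None or not is_gratuitous(arp):
            continue
        if arp["sender_ip"] not in local_net:
            per_mac[arp["src_mac"]].append(arp["sender_ip"])
    report = {}
    for mac, ips in per_mac.items():
        addrs = sorted(int(ip) for ip in set(ips))
        sequential = len(addrs) > 1 and all(b - a == 1 for a, b in zip(addrs, addrs[1:]))
        report[mac] = {"count": len(ips), "distinct": len(addrs), "sequential": sequential}
    return report


# Constructed sample capture (assumed MACs; not the thread's real pcap).
MAC_A, MAC_B, MAC_C = (bytes.fromhex(h) for h in ("001b21aabb01", "001b21aabb02", "001b21aabb03"))
SAMPLE_FRAMES = [
    # Station A: the three off-subnet addresses quoted in the question, plus one normal request.
    build_arp(MAC_A, "192.168.30.32", "192.168.30.32"),
    build_arp(MAC_A, "192.168.25.44", "192.168.25.44"),
    build_arp(MAC_A, "192.168.44.24", "192.168.44.24"),
    build_arp(MAC_A, "192.168.10.21", "192.168.10.1"),      # ordinary "who has" - ignored
    # Station B: a sequential sweep of an assumed range.
    *(build_arp(MAC_B, f"192.168.50.{n}", f"192.168.50.{n}") for n in range(10, 14)),
    # Station C: a legitimate gratuitous ARP for its own on-subnet address - ignored.
    build_arp(MAC_C, "192.168.10.50", "192.168.10.50", op=2),
]

if __name__ == "__main__":
    for mac, info in analyse(SAMPLE_FRAMES).items():
        print(mac, info)
```

To use this on a real capture, feed `analyse()` the raw frame bytes of each packet (for example via a pcap reader) instead of `SAMPLE_FRAMES`; the per-MAC grouping is what lets you tell a handful of misbehaving hosts from a spoofed source, and the `sequential` flag is the pattern DavidLH mentions.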
 
giltjrCommented:
Honestly I am not sure of any packages that will do this.  You know, I think I found an idea for a new product.  All I need to do is learn how to program under Windows. :)
0
 
btassure Commented:
There is one.

netstat -ano in windows xp will list the connections available, their states and the process id that is using them (which you can compare to task manager for the service/application name)

if it is running as part of an svchost then type tasklist /svc in a command prompt to show what tasks are running within each svchost and possibly disable extraneous software.
0
 
giltjrCommented:
The netstat -ano will not work.  

First this command shows open TCP and or UDP connection, which ARP does not have.

Second, unless somebody has written a low level IP based application, the IP stack issues ARPs, not a task.  The same is true with other functions like DNS name resolution.  The IP stack handles this.

An ARP does not require an open UDP or TCP connection and so you can't tell.  Example:  try doing a netstat -ano while issuing a ping with the -t option.  You don't see ping in the list because it does not have a TCP or UDP connection active.

Some IP functions will not show up in a netstat command, like ARP, ping, and even DNS lookups, because they don't involve a TCP connection and they don't involve listening for a UDP response on a specific port.
0
 
btassureCommented:
Sorry, I misread your original post. I thought you were referring to TCP data rather than IP. My bad :o)
0
 
giltjr Commented:
Actually, thinking about it some more, doing a netstat -ano may help.  

If whatever is doing this does have a TCP or UDP socket open, it should stand out like a sore thumb, as you should see something that has a local address equal to one of the offending IP addresses.  

If whatever is doing this is just sending out ARPs, then netstat will not help and I am not sure what might.

So go ahead and do the netstat -ano like btassure suggests and see if there is anything with a socket open with one of the offending IP addresses.
0
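One way to do the correlation btassure and giltjr describe (join netstat -ano against tasklist /svc and look for a local address equal to one of the offending IPs), as an added example that is not code from this thread: it parses constructed sample output of both commands and lists every bound socket whose local address is one of the off-subnet addresses from the question, together with the owning process and, for svchost, its hosted services. The sample output, PIDs and the "renderagent.exe" process name are assumptions made up for the example. As giltjr points out, this only finds a user-mode process that has actually bound a socket to one of those addresses; ARPs issued by the stack itself, or, as the accepted answer turned out, by the NIC firmware, will never show up here.

```python
import re

# Constructed sample of `netstat -ano` output (assumed; not from the thread's machines).
NETSTAT_ANO = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    192.168.10.21:3389     192.168.10.5:51002     ESTABLISHED     1296
  TCP    192.168.30.32:8080     0.0.0.0:0              LISTENING       2044
  UDP    0.0.0.0:137            *:*                                    4
  UDP    192.168.25.44:5000     *:*                                    2044
"""

# Constructed sample of `tasklist /svc` output (assumed process names and PIDs).
TASKLIST_SVC = """
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                    880 RpcSs
svchost.exe                   1296 TermService
renderagent.exe               2044 N/A
"""

# The off-subnet addresses quoted in the question.
OFFENDING_IPS = {"192.168.30.32", "192.168.25.44", "192.168.44.24"}


def parse_netstat(text):
    """Return one row per TCP/UDP socket: protocol, local IP, local port, owning PID."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        local_ip, _, port = parts[1].rpartition(":")   # UDP rows have no State column,
        rows.append({"proto": parts[0],                  # so take the PID from the end
                     "local_ip": local_ip,
                     "port": int(port),
                     "pid": int(parts[-1])})
    return rows


TASK_RE = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<services>\S.*)$")


def parse_tasklist(text):
    """Map PID -> image name and the list of services hosted in that process."""
    tasks = {}
    for line in text.splitlines():
        if line.startswith(("Image Name", "=")):
            continue
        m = TASK_RE.match(line)
        if m:
            tasks[int(m["pid"])] = {
                "image": m["image"],
                "services": [s.strip() for s in m["services"].split(",")],
            }
    return tasks


def find_suspicious_sockets(netstat_rows, tasks, offending_ips):
    """Sockets bound to one of the offending addresses, joined with their owning process."""
    hits = []
    for row in netstat_rows:
        if row["local_ip"] in offending_ips:
            owner = tasks.get(row["pid"], {"image": "<unknown>", "services": []})
            hits.append({**row, **owner})
    return hits


if __name__ == "__main__":
    hits = find_suspicious_sockets(parse_netstat(NETSTAT_ANO),
                                   parse_tasklist(TASKLIST_SVC), OFFENDING_IPS)
    for h in hits:
        print(f"{h['proto']} {h['local_ip']}:{h['port']} pid={h['pid']} "
              f"{h['image']} services={','.join(h['services'])}")
```

On a real box, replace the two sample strings with the captured output of `netstat -ano` and `tasklist /svc` (run from an elevated prompt so PIDs are populated for every socket). Any hit here is worth chasing; an empty result only rules out the socket-based explanation, not the stack or the hardware.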
 
btassureCommented:
:oD
0
 
sachulinux Commented:
Try replacing the LAN card and make sure you disable the onboard LAN card.
0
 
jrtallCommented:
Have the same quandary, did you find an answer to this question?
0
 
smocohibaAuthor Commented:
Unfortunately no - the client was unwilling to investigate the issue further with us.  They may have resolved it on their own or with another vendor.
0