Hi Ewen,
What's the MAC OUI of this host; is it by chance TP-Link?
Back in the day at xLAN, I saw several TP-Link hosts do very odd things
with ARP requests; I can't remember if I've got a packet capture of them
doing ARP for 255.255.255.255, but I know I've got a packet capture of at
least 3 TP-Link MACs ARPing for 224.0.0.251 (Bonjour) and 224.0.0.252
(LLMNR).
I never figured out exactly why they did this, but my guess is that the
cards have some "intelligent hardware offload" function.
Thanks,
Jed.
On 29 July 2015 at 10:56, Ewen McNeill
On the off chance that someone else has seen this before and knows what causes it, does anyone know of any software that generates ARP _Requests_ with the Target Protocol Address (TPA) of 255.255.255.255 (all ones). Such that results in this sort of log message from picky switches:
<188> Jul 29 10:47:13 [SWITCH] ARP[ipMapForwarding]: ipmap_arp_api.c(1147) 1021154 %% Received ARP Request on interface Vl1 with bad target IP address 255.255.255.255. Sender IP is [REALIP], sender MAC is [REALMAC].
As far as I can tell they happen _approximately_ every 5 minutes, but definitely not to the second. I'm told the Sender IP is a relatively old Windows host, but the Windows admins don't know of anything installed which would do that.
Searching the Internet doesn't turn up much. I did find UNARP ( https://tools.ietf.org/html/rfc1868), but that's supposed to be an unsolicited ARP _Reply_, and this is a Request; and besides this isn't the scenario UNARP was invented for anyway. The only other speculation I can find is maybe it's a gratuitous ARP that doesn't follow RFC5227 ( https://tools.ietf.org/html/rfc5227; which says that Target Protocol Address should be set to the address you want to claim), but that also seems implausible (especially since the DHCP leases at this site are longer than 5/10 minutes).
Any thoughts as to what might be generating it welcomed.
Ewen
PS: This is not the ARP being _broadcast_ to the all address 255.255.255.255; that happens all the time on requests. This is asking "who-has 255.255.255.255"! _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog