On the off chance that someone else has seen this before and knows what causes it, does anyone know of any software that generates ARP _Requests_ with the Target Protocol Address (TPA) of 255.255.255.255 (all ones).�� Such that results in this sort of log message from picky switches:

<188> Jul 29 10:47:13 [SWITCH] ARP[ipMapForwarding]: ipmap_arp_api.c(1147) 1021154 %% Received ARP Request on interface Vl1 with bad target IP address 255.255.255.255. Sender IP is [REALIP], sender MAC is [REALMAC].

As far as I can tell they happen _approximately_ every 5 minutes, but definitely not to the second.�� I'm told the Sender IP is a relatively old Windows host, but the Windows admins don't know of anything installed which would do that.

Searching the Internet doesn't turn up much.�� I did find UNARP (https://tools.ietf.org/html/rfc1868), but that's supposed to be an unsolicited ARP _Reply_, and this is a Request; and besides this isn't the scenario UNARP was invented for anyway.�� The only other speculation I can find is maybe it's a gratuitous ARP that doesn't follow RFC5227 (https://tools.ietf.org/html/rfc5227; which says that Target Protocol Address should be set to the address you want to claim), but that also seems implausible (especially since the DHCP leases at this site are longer than 5/10 minutes).

Any thoughts as to what might be generating it welcomed.

Ewen

PS: This is not the ARP being _broadcast_ to the all address 255.255.255.255; that happens all the time on requests.�� This is asking "who-has 255.255.255.255"!
_______________________________________________
NZNOG mailing list
NZNOG@list.waikato.ac.nz
http://list.waikato.ac.nz/mailman/listinfo/nznog