ARP _request_ with Target Protocol Address = 255.255.255.255
On the off chance that someone else has seen this before and knows what causes it, does anyone know of any software that generates ARP _Requests_ with the Target Protocol Address (TPA) of 255.255.255.255 (all ones). Such that results in this sort of log message from picky switches:

<188> Jul 29 10:47:13 [SWITCH] ARP[ipMapForwarding]: ipmap_arp_api.c(1147) 1021154 %% Received ARP Request on interface Vl1 with bad target IP address 255.255.255.255. Sender IP is [REALIP], sender MAC is [REALMAC].

As far as I can tell they happen _approximately_ every 5 minutes, but definitely not to the second. I'm told the Sender IP is a relatively old Windows host, but the Windows admins don't know of anything installed which would do that.

Searching the Internet doesn't turn up much. I did find UNARP (https://tools.ietf.org/html/rfc1868), but that's supposed to be an unsolicited ARP _Reply_, and this is a Request; and besides this isn't the scenario UNARP was invented for anyway. The only other speculation I can find is maybe it's a gratuitous ARP that doesn't follow RFC5227 (https://tools.ietf.org/html/rfc5227; which says that Target Protocol Address should be set to the address you want to claim), but that also seems implausible (especially since the DHCP leases at this site are longer than 5/10 minutes).

Any thoughts as to what might be generating it welcomed.

Ewen

PS: This is not the ARP being _broadcast_ to the all address 255.255.255.255; that happens all the time on requests. This is asking "who-has 255.255.255.255"!

Hi Ewen,
What's the MAC OUI of this host; is it by chance TP-Link?
Back in the day at xLAN, I saw several TP-Link hosts do very odd things
with ARP requests; I can't remember if I've got a packet capture of them
doing ARP for 255.255.255.255, but I know I've got a packet capture of at
least 3 TP-Link MACs ARPing for 224.0.0.251 (Bonjour) and 224.0.0.252
(LLMNR).
I never figured out exactly why they did this, but my guess is that the
cards have some "intelligent hardware offload" function.
Thanks,
Jed.

Hi Jed,

On 29/07/15 13:04, Jed Laundry wrote:
What's the MAC OUI of this host; is it by chance TP-Link?

The "Mac Find" database says it's Dell (http://www.coffer.com/mac_find/?string=a4%3Aba%3Adb), and at this site I'd expect it to be Dell.

However "intelligent hardware offload" gone mad is definitely a good thing to consider, that I hadn't thought of before. Given it's an older Windows host, it's possible it's also got older drivers/NIC firmware too. I'll try suggesting maybe they experiment with disabling hardware offload features and see if the unexpected ARPs stop.

Thanks,

Ewen

On 29/07/15 10:56, Ewen McNeill wrote:
[Does anyone know of any software that generates ARP _Requests_ with the Target Protocol Address (TPA) of 255.255.255.255 (all ones). Such that results in this sort of log message from picky switches:]
<188> Jul 29 10:47:13 [SWITCH] ARP[ipMapForwarding]: ipmap_arp_api.c(1147) 1021154 %% Received ARP Request on interface Vl1 with bad target IP address 255.255.255.255. Sender IP is [REALIP], sender MAC is [REALMAC].

For the record (eg, someone searching for this later) it turned out that disabling the ZESService (ZENworks Endpoint Security Service) caused these strange ARP messages to stop.

It's still unknown why it was causing them, especially since that was running on multiple hosts at the site and only that one host was generating these ARP messages. But since the ZENworks was due to be removed from that host eventually anyway, the Windows admins just disabled the service now.

Jed's theory that there was a bug in the NIC hardware offload driver/firmware may well be related to the real cause of those packets. But we're considering the problem solved, without trying to find all the causative factors.

Ewen
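
Added example, not part of the original thread and not the switch's own logic: a small Python classifier that parses a raw 28-byte Ethernet/IPv4 ARP payload and separates the cases discussed above (request for 255.255.255.255, request for a multicast address such as 224.0.0.251, RFC 5227 probe and gratuitous announcement). The function names, labels, MAC and IP values are assumptions constructed for illustration.

```python
import ipaddress
import struct

ARP_FMT = "!HHBBH6s4s6s4s"          # htype, ptype, hlen, plen, op, SHA, SPA, THA, TPA
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = ipaddress.IPv4Address("255.255.255.255")
UNSPECIFIED = ipaddress.IPv4Address("0.0.0.0")

def build_arp(op, sha, spa, tha, tpa):
    """Build an ARP payload; only used here to create constructed samples."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: ipaddress.IPv4Address(a).packed
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, mac(sha), ip(spa), mac(tha), ip(tpa))

def classify_arp(payload):
    """Label an ARP payload by opcode, sender (SPA) and target (TPA) address."""
    if len(payload) < 28:
        return "truncated"
    htype, ptype, hlen, plen, op, _sha, spa, _tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return "not-ethernet-ipv4"
    if op != ARP_REQUEST:
        return "reply" if op == ARP_REPLY else "other-opcode"
    spa, tpa = ipaddress.IPv4Address(spa), ipaddress.IPv4Address(tpa)
    if tpa == BROADCAST:
        return "bad-target-broadcast"   # "who-has 255.255.255.255", as in the switch log
    if tpa.is_multicast:
        return "bad-target-multicast"   # e.g. who-has 224.0.0.251 / 224.0.0.252
    if spa == UNSPECIFIED:
        return "probe"                  # RFC 5227 probe: sender IP is all zeroes
    if spa == tpa:
        return "gratuitous"             # RFC 5227 announcement: TPA = claimed address
    return "normal-request"

# Constructed samples: documentation addresses and a locally administered MAC.
ME, ZERO = "02:00:00:00:00:01", "00:00:00:00:00:00"
SAMPLES = {
    "all-ones": build_arp(ARP_REQUEST, ME, "192.0.2.10", ZERO, "255.255.255.255"),
    "mdns": build_arp(ARP_REQUEST, ME, "192.0.2.10", ZERO, "224.0.0.251"),
    "announce": build_arp(ARP_REQUEST, ME, "192.0.2.10", ZERO, "192.0.2.10"),
    "probe": build_arp(ARP_REQUEST, ME, "0.0.0.0", ZERO, "192.0.2.10"),
    "normal": build_arp(ARP_REQUEST, ME, "192.0.2.10", ZERO, "192.0.2.1"),
}

def classify_samples():
    """Classify every constructed sample and return {name: label}."""
    return {name: classify_arp(pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, label in classify_samples().items():
        print(f"{name:10s} {label}")
```

The payload is the ARP body after the 14-byte Ethernet header, so a frame taken from a capture needs that header stripped before it is passed to `classify_arp`.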