Debugging my network: why is my PC sending ARP requests?


9 replies to this topic

#1 blackriver


Posted 13 May 2009 - 08:26 AM

I started debugging my network after I noticed my internet connection completely stalled every hour or so. A couple of seconds later, it would regain connectivity, but lots of connections would've been terminated by then. I decided to capture all my packets using Wireshark. Now I see an ARP request from my router every once in a while, and this works fine. My PC responds to the requests and replies back to the router, and all's well.

But suddenly, after about 10 rounds of ARP requests from my router, my PC sends out an ARP request. They're the same as my router's, except it says to "tell 192.168.1.60", which is the IP address of my PC. Immediately after this, I see no incoming packets anymore, of any protocol.

Does anybody know why my PC would suddenly try to take over ARP stuff? What causes this, and how can I turn this off?

I'm running Windows XP, am on a wired network, and I'm currently the only machine on the network. My router is a Thomson (Alcatel) Speedtouch.

#2 digip


Posted 13 May 2009 - 09:22 AM

Are you using the router for DHCP or do you have a static IP address setup? ARP sends packets when it wants to find the MAC of a device it knows the IP for, but not the MAC of. The router does ARP to determine the devices on the network, and adds it to its routing table, MAC to corresponding IP. RARP is when, say, you know your MAC address but don't know your own IP address; it's basically a DHCP-like process in order to establish your IP address on the network. If your lease drops, your machine may send a RARP to find the router and get a new IP address. Easiest thing to do to stop this: set up a static address on the PC and see if you keep having issues like this. If you do, then some other factor may be of issue, like faulty cables, router port or NIC.

Is this a router, or DSL modem though?
@xxdigipxx http://www.attack-scanner.com/ | I'm the resident dick around here, or so I am told. Don't take it personally, I just give a shit too much sometimes. respect to all, its the Internet, don't take it to heart.
"Staying quiet doesn't mean I have nothing to say, it means I don't think you're ready to hear my thoughts..."

#3 blackriver


Posted 13 May 2009 - 09:47 AM

Thanks for the quick reply, Digip. My router is a router and modem in one, and does indeed do the DHCP for my network. I don't have access to my capture file right now, but it looks like my router refreshes the ARP table every 15 minutes or so. I have not changed any settings in my router for this, so I'm assuming this is a default rate.

I will check at home if my PC is doing a RARP, but I'm pretty sure the protocol reported by Wireshark is "ARP", not "RARP". And it does an ARP request for other devices that sometimes connect to my network as well (my Xbox and laptop), so I get like four ARP requests in total. These four devices are also queried in an ARP request from my router, so it really looks like my PC is taking over the role of my router.

I will try a static address tonight. Thanks for the help, I got some clues to work with now!

#4 digip


Posted 13 May 2009 - 10:11 AM

The 15 minute ARP by the router is normal, and not something you should have to worry about. DHCP lease time is something different. You can just go to the command prompt in Windows and type "ipconfig /all" and see the length of your lease. By default, Windows will renew it long before it expires anyway though, I believe in half the time of the total lease allocation. So if a lease is for one hour, every half hour it renews its lease (I think). Some of these DSL router modem combos have default passwords and can be telnetted into remotely, so you might want to look at that as well if someone is messing with your modem/router. Might just be an issue with the ISP's network itself, being an all in one modem/router setup.

#5 blackriver


Posted 13 May 2009 - 03:18 PM

Yeah, I realise the difference between DHCP and ARP, I just hoped a static IP address would solve things. But alas.

Here is a screenshot of a typical situation:



Everything goes well, until my PC (as source "AsusteKC_53:3a:21" and IP 192.168.1.64) starts asking who has 192.168.1.61. Network response grinds to a halt, and the ICMP packets keep returning "Destination unreachable" until my router (ThomsonT_1b:bb:58 on IP 192.168.1.254) starts broadcasting ARP requests again. Network response goes back to normal, until all of this repeats 30 to 45 minutes later.

Some more details:

1. I was playing Counter-Strike 1.6 through Steam, no other stuff going on in the background (killed my email, Dropbox, torrents, etc.). I also ran Wireshark, obviously.

2. The command "arp -a" under Windows only shows one entry, which is for the router.

3. The IP address 192.168.1.61 that my PC sends an ARP broadcast for, has never been used by a device on my network. IP addresses on my network start from 192.168.1.64 up.
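As an added example (not part of the thread, and not the poster's capture), the following Python script applies the checks discussed above to Wireshark-style ARP summary lines. The sample lines are constructed to mirror the pattern described in this post: the router's periodic requests, the PC's replies, then the PC's own repeated requests for 192.168.1.61. The station names follow the screenshot description; the MAC address in the replies is made up. The script reports which (source, target) pairs never received an answer anywhere in the capture, and which stations had only ever replied before they started sending requests themselves, which is exactly the "PC taking over the router's role" symptom to look for.

```python
import re
from collections import Counter

# Constructed Wireshark-style summary lines (No., Time, Source, Destination,
# Protocol, Info), modelled on the pattern described in the thread. The MAC
# address in the replies is made up; this is not the poster's real capture.
SAMPLE_LINES = """\
1   0.000    ThomsonT_1b:bb:58  Broadcast          ARP  Who has 192.168.1.64? Tell 192.168.1.254
2   0.001    AsusteKC_53:3a:21  ThomsonT_1b:bb:58  ARP  192.168.1.64 is at 00:aa:bb:cc:3a:21
3   0.010    ThomsonT_1b:bb:58  Broadcast          ARP  Who has 192.168.1.65? Tell 192.168.1.254
4   0.020    ThomsonT_1b:bb:58  Broadcast          ARP  Who has 192.168.1.69? Tell 192.168.1.254
5   900.000  ThomsonT_1b:bb:58  Broadcast          ARP  Who has 192.168.1.64? Tell 192.168.1.254
6   900.001  AsusteKC_53:3a:21  ThomsonT_1b:bb:58  ARP  192.168.1.64 is at 00:aa:bb:cc:3a:21
7   1805.200 AsusteKC_53:3a:21  Broadcast          ARP  Who has 192.168.1.61? Tell 192.168.1.64
8   1806.200 AsusteKC_53:3a:21  Broadcast          ARP  Who has 192.168.1.61? Tell 192.168.1.64
9   1807.200 AsusteKC_53:3a:21  Broadcast          ARP  Who has 192.168.1.61? Tell 192.168.1.64
"""

# One summary line: number, time, source, destination, "ARP", info text.
LINE_RE = re.compile(r"^\s*(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+ARP\s+(.+?)\s*$")
REQUEST_RE = re.compile(r"Who has (\S+)\? Tell (\S+)")
REPLY_RE = re.compile(r"(\S+) is at (\S+)")


def parse_arp_summary(text):
    """Yield (no, time, src, dst, kind, a, b) for each ARP summary line.

    kind == "request": a = target IP asked for, b = sender IP ("Tell ...").
    kind == "reply":   a = IP being answered for, b = MAC it is at.
    Non-ARP lines (ICMP, UDP, ...) are skipped.
    """
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        no, t, src, dst, info = m.groups()
        req = REQUEST_RE.search(info)
        if req:
            yield int(no), float(t), src, dst, "request", req.group(1), req.group(2)
            continue
        rep = REPLY_RE.search(info)
        if rep:
            yield int(no), float(t), src, dst, "reply", rep.group(1), rep.group(2)


def analyze(text):
    """Build a small report from the ARP traffic in a summary listing."""
    answered = {}            # IP -> MAC, from every reply seen in the capture
    requests = []            # (source station, target IP), in capture order
    repliers = set()         # stations that have sent at least one reply
    turned_requesters = []   # repliers that later start sending requests of their own
    for _no, _t, src, _dst, kind, a, b in parse_arp_summary(text):
        if kind == "reply":
            answered[a] = b
            repliers.add(src)
        else:
            requests.append((src, a))
            if src in repliers and src not in turned_requesters:
                turned_requesters.append(src)
    # A request counts as unanswered if nobody ever replied for that IP
    # anywhere in the capture (stale router entries show up here too).
    unanswered = Counter((src, tgt) for src, tgt in requests if tgt not in answered)
    return {
        "answered": answered,
        "unanswered": dict(unanswered),
        "repliers_turned_requesters": turned_requesters,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LINES)
    print("Answered IPs:", report["answered"])
    for (src, tgt), n in sorted(report["unanswered"].items(), key=lambda kv: -kv[1]):
        print(f"{src} asked for {tgt} {n} time(s) and never got an answer")
    print("Stations that replied, then started requesting:", report["repliers_turned_requesters"])
```

Run against a real capture, export the ARP-filtered packet list from Wireshark as plain text and feed it in place of SAMPLE_LINES; the unanswered counter separates the router's stale entries (asked once per cycle, never answered) from a host that hammers one address repeatedly right before the stall.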

#6 digip


Posted 13 May 2009 - 03:32 PM

From the wireshark output, your router is doing arp for a whole range of IP addresses, sweeping the 192.168.1.x-xxx range.

You say you are the only machine on the network, but why is the router hitting all those other IP addresses on the local LAN segment? It shouldn't be doing each individual one unless there are people on the LAN pinging addresses it doesn't know and then ARPs for the addresses. Something fishy with your network. Like as if someone is doing a ping sweep or ARP for every available address on the router. You might want to log in to the router and change the password and reset some things, make sure no one is on the inside of your network via malware or backdoor on your PC as well. In your router it should have a DHCP table, or area that shows all locally connected devices. If more than one IP is assigned on the router (other than your PC) then you've got bigger problems than ARP going on.

When a router does ARP, it's a broadcast packet, meaning it goes to everyone on the LAN. If these other addresses don't exist, then only the machines on the network that are connected should be the ones that show up in Wireshark. The fact that it has a whole range of IPs makes me think other things are going on than simple router ARP. If you look, your PC is doing ARP for a range of IPs as well. Like as if some program on your PC is looking for other devices on the local LAN segment.

#7 blackriver


Posted 13 May 2009 - 04:46 PM

I don't think the router is doing ARP for a whole range, it's always just this handful of local addresses ending in 69, 67, 109, 66, 68, 64 and 65 (but not 61 that my PC asks for!). These all belonged to devices that connected to my network in the past few months: my Xbox, Wii, another PC, my laptop, etc. Some of these devices haven't been online for at least two months, but apparently my router still keeps asking if they're there.

By the way, I filtered the captured packets to only show ARP and ICMP packets, to leave out the UDP traffic from Counter-Strike (see the packet numbers in the first column). So in between the ARP broadcasts there's plenty of "normal" traffic, but the screenshot doesn't show these. That's maybe why you think it looks like a sweep?

I also checked in the router to see if there are other devices on the network, but that's not the case. I'm pretty sure I'm malware-free, too.

I quickly tried capturing packets while downloading a large binary over HTTP, and I didn't get any errors. The download only took about 15 minutes, so that is not the full timeframe the error normally occurs in. I will capture other (non-Counter-Strike) traffic tomorrow, to see if it occurs there too.

#8 digip


Posted 13 May 2009 - 10:27 PM

You initially said there was only one device connected, not the Xbox, etc, so I was wondering why it was checking all those other addresses, like as if something was trying to determine other devices on the network with a ping for each IP, then the router would ARP to try to see who has those IPs and reply back, same thing for the PC. Still, something does not seem right that you get an ARP for the one address, then all the network stops working (if I am following you correctly). Is there anything running on your PC that might try to look for the Xbox? Do you share anything between the PC and the Xbox, or just use the router for Xbox Live or whatever?

#9 blackriver


Posted 14 May 2009 - 02:26 AM

Yeah, at the time of testing none of these devices (Xbox, Wii, etc.) were connected. So when the problems occurred, nothing but my PC and my router made up my home network. My router does ARP requests for the devices it has seen on the network in the past few months, to which only my PC responds.

The problem occurs when all of a sudden my PC does an ARP request for this address 192.168.1.61, which is unused on my network. I guess that ARP request confuses my router and/or PC, and network activity stops (at least incoming packets).

Is there a way to see which program on my PC initiates this ARP request?

#10 digip


Posted 14 May 2009 - 02:31 AM

QUOTE (blackriver @ Thu, 14 May 2009 03:26:43 +0000)
Is there a way to see which program on my PC initiates this ARP request?
I'm gonna say it's probably going to show up as owned by svchost or even manually when done from cmd.exe

You can try netstat -aon or netstat -ab and it shows owning processes for open and listening connections, but not sure if it could capture the ARP and show the owning process id. Once you identify the process id, then run tasklist in the CLI (or just open Task Manager and look for the corresponding PID). I don't believe it will show up in there though.

One thing I just figured out though, is rarp shows up as arp in wireshark. You can filter by rarp specifically with:
    arp.proto.type == 0x8035

Otherwise, using arp shows both ARP and RARP, but only lists it by the name of arp. There is no keyword rarp to filter by, since it would just show up under arp. Probably won't ever see RARP in the home environment, since it's deprecated in favour of DHCP.
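As an added example (not from the thread, and not Wireshark's own code), the following Python decoder takes raw Ethernet frames and classifies them as ARP or RARP the way a dissector does: by the Ethernet type field (0x0806 for ARP, 0x8035 for RARP) and by the ARP opcode (1/2 for ARP request/reply, 3/4 for RARP request/reply). Each decoded record carries both the Ethernet type and the ARP "protocol type" field so the two values can be compared side by side when writing a display filter, and it renders a Wireshark-style one-line summary ("Who has X? Tell Y", "X is at M"). The MAC addresses and frames are constructed test data; the builder function exists only to produce that data.

```python
import struct

ETHERTYPE_ARP = 0x0806   # Ethernet type carried by ARP frames
ETHERTYPE_RARP = 0x8035  # Ethernet type carried by RARP frames
PTYPE_IPV4 = 0x0800      # ARP "protocol type" field: the addresses being resolved are IPv4
OPCODES = {1: "ARP request", 2: "ARP reply", 3: "RARP request", 4: "RARP reply"}


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_frame(ethertype, opcode, sha, spa, tha, tpa):
    """Construct an Ethernet II frame carrying an ARP/RARP packet (test data only).

    Requests (opcodes 1 and 3) go to the broadcast address; replies go to the target MAC.
    """
    dst = b"\xff" * 6 if opcode in (1, 3) else tha
    eth = dst + sha + struct.pack("!H", ethertype)
    # htype=1 (Ethernet), ptype=IPv4, hlen=6, plen=4, opcode, then SHA/SPA/THA/TPA
    arp = struct.pack("!HHBBH", 1, PTYPE_IPV4, 6, 4, opcode) + sha + spa + tha + tpa
    return eth + arp


def decode_frame(frame):
    """Decode an Ethernet/IPv4 ARP or RARP frame into a dict; return None for anything else."""
    if len(frame) < 42:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype not in (ETHERTYPE_ARP, ETHERTYPE_RARP):
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, PTYPE_IPV4, 6, 4) or opcode not in OPCODES:
        return None  # only Ethernet/IPv4 address pairs are handled here
    body = frame[22:42]
    sha, spa = mac_str(body[0:6]), ip_str(body[6:10])
    tha, tpa = mac_str(body[10:16]), ip_str(body[16:20])
    # Wireshark-style one-line summaries for the four opcodes
    if opcode == 1:
        info = f"Who has {tpa}? Tell {spa}"
    elif opcode == 2:
        info = f"{spa} is at {sha}"
    elif opcode == 3:
        info = f"Who is {tha}? Tell {sha}"
    else:
        info = f"{tha} is at {tpa}"
    return {
        "ethertype": ethertype,            # what eth.type carries
        "proto_type": ptype,               # what arp.proto.type carries (IPv4 here)
        "opcode": opcode,
        "kind": OPCODES[opcode],
        "is_rarp": ethertype == ETHERTYPE_RARP or opcode in (3, 4),
        "gratuitous": opcode == 1 and spa == tpa,  # host announcing/probing its own IP
        "sender_mac": sha, "sender_ip": spa, "target_mac": tha, "target_ip": tpa,
        "info": info,
    }


# Constructed sample addresses (not the poster's real hardware addresses)
ROUTER_MAC = bytes.fromhex("00112233bb58")
PC_MAC = bytes.fromhex("00aabbcc3a21")
ROUTER_IP = bytes([192, 168, 1, 254])
PC_IP = bytes([192, 168, 1, 64])
UNUSED_IP = bytes([192, 168, 1, 61])
ZERO_MAC = b"\x00" * 6

SAMPLE_FRAMES = [
    build_frame(ETHERTYPE_ARP, 1, ROUTER_MAC, ROUTER_IP, ZERO_MAC, PC_IP),   # router asks for the PC
    build_frame(ETHERTYPE_ARP, 2, PC_MAC, PC_IP, ROUTER_MAC, ROUTER_IP),     # PC answers
    build_frame(ETHERTYPE_ARP, 1, PC_MAC, PC_IP, ZERO_MAC, UNUSED_IP),       # PC asks for an unused IP
    build_frame(ETHERTYPE_RARP, 3, PC_MAC, bytes(4), PC_MAC, bytes(4)),      # RARP: who am I?
]


def summarize(frames):
    return [decode_frame(f) for f in frames]


if __name__ == "__main__":
    for rec in summarize(SAMPLE_FRAMES):
        print(f"eth.type=0x{rec['ethertype']:04x} arp.proto.type=0x{rec['proto_type']:04x} "
              f"{rec['kind']:13} {rec['info']}")
```

Running it prints one line per frame; note that arp.proto.type stays 0x0800 for every frame, ARP and RARP alike, while eth.type is what changes between 0x0806 and 0x8035, which is the field a filter has to look at to separate the two on the wire.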



