Wireshark-users: Re: [Wireshark-users] Tons of ARP packets...?
From: "Frank Bulk" <frnkblk@xxxxxxxxx>
Date: Thu, 12 Jul 2007 22:50:54 -0500
For a time I had a user that passed me their iptables logs regarding this
traffic...once I saw what it was, I had to assure him that this was normal.

Frank

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of
Randy.Grein@xxxxxxxxxxxxxx
Sent: Wednesday, July 11, 2007 10:37 AM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Tons of ARP packets...?

Guy,
As you suspected Comcast Cable is a shared medium. ARP traffic is high as
there are multiple class C subnets on the network; it was an interesting
little tidbit I discovered when I migrated to it. It's surprising the
first time you see it, but it does work fairly well.

Randy Grein
Network Engineer



Guy Harris <guy@xxxxxxxxxxxx>
Sent by: wireshark-users-bounces@xxxxxxxxxxxxx
07/11/2007 01:19 AM
Please respond to
Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>


To
Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
cc
weconsultants@xxxxxxxxx
Subject
Re: [Wireshark-users] Tons of ARP packets...?






Richard Mundell wrote:

> ARP traffic appears to be what is essentially administrative traffic
from
> other DSL customers

Not likely, given that he's not using DSL, he's using a cable modem; as
he said:

> I have a Comcast Internet Cable connection.

DSL connections are point-to-point, so you shouldn't see traffic to or
from other customers (unless you're communicating directly with one of
those customers).  I have the impression that at least some cable modem
connections are more like Ethernets, in that you're on a common network
with some other customers, and can see their traffic.

I don't know whether that's the case here, however; the ARP requests
*are* being sent from what appears to be a wide variety of IP addresses,
so they could be from other clients on the net.

> (on the internet side of your connection) so your ISP's
> router can figure out IP address to Ethernet address mappings (might
also be
> DHCP traffic... Not sure if that shows up in Wireshark as ARP traffic...

Given that IP address to Ethernet address mappings are done by making
ARP requests, they'll probably show up in Wireshark as ARP traffic.

> The other traffic in the capture is a high volume of (failed) DNS
lookups
> from your PC to a host called xxz0n3dxx.dyndns.org. I've confirmed this
DNS
> entry doesn't exist,

Or, at least, it didn't exist at the time you tried it.  "dyndns" stands
for "Dynamic DNS"; one service that DynDNS provides is free Dynamic DNS:

                 http://www.dyndns.com/services/dns/dyndns/

which lets you register a given IP address, even if it's not a static IP
address, with a particular host name.  That page indicates what that can
be used for.

Now:

> but I'm wondering if you might have some malware on
> your PC which is trying to "phone home".

...why some software on his machine is trying to contact that machine is
another question; perhaps it's safe, but perhaps it's not.
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users



- -------------------------

CONFIDENTIALITY NOTICE: The information in this message may be proprietary
and/or confidential, and is intended only for the use of the individual(s)
to whom this email is addressed.  If you are not the intended recipient, you
are hereby notified that any use, dissemination, distribution or copying of
this communication is strictly prohibited. If you have received this
communication in error, please notify us immediately by replying to this
email and deleting this email from your computer.  Nothing contained in this
email or any attachment shall satisfy the requirements for contract
formation or constitute an electronic signature.
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users