Author: Stefan Krusche
Date:  
To: dng
Subject: Re: [DNG] how to investigate constant outgoing ARP traffic - TX: ~7K/s
On Sunday, 13 October 2019, Dr. Nikolaus Klepp wrote:
> There is some misunderstanding: The ARP package has nothing to do
> with DNS.


That's what I've been thinking and why I asked.

> It basically links MAC to IP - and you can do funny things
> with it.


Okay, I still can't seem to connect the dots…

> tcpdump just makes the name resolution for you, use "tcpdump
> -n" to go without it. e.g.:
>
> # tcpdump -n
> 10:28:14.675930 ARP, Request who-has 192.168.1.190 tell 192.168.1.1, length 28
> 10:28:14.675980 ARP, Reply 192.168.1.190 is-at 00:1b:77:53:6c:43, length 28


Alright. What attracts my attention is that here the length is 28, just
as the ARP message format is explained on the site you recommended,
whereas it is 46 on my machine:

$ sudo tcpdump -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on net0, link-type EN10MB (Ethernet), capture size 262144 bytes
10:34:53.070420 ARP, Request who-has 91.65.142.159 tell 91.65.142.254, length 46
10:34:53.071792 ARP, Request who-has 90.187.99.84 tell 90.187.99.86, length 46

Is this relevant or in any way related to exaggerated ARP requests?

> arp cache should only have as many entries as other mac addresses are
> active in your part of the lan. If you are alone on your router, then
> it's just your router's mac in the cache.


This seems to be the case (see OP).

Thank you, Nik.

Stefan
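
Added example, not part of the original message: a small Python summarizer for `tcpdump -n` ARP output that counts requests per asking host and classifies the reported length. The names `summarize` and `SAMPLE` are made up for this example; the sample lines are the ones quoted in the message. A length of 46 is a 28-byte ARP message padded to the Ethernet minimum payload, which is what tcpdump typically reports for frames received from the wire.

```python
import re
from collections import Counter, defaultdict

# ARP lines as printed by "tcpdump -n" in the message above.
ARP_LINE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+ ARP, "
    r"(?:Request who-has (?P<target>\S+) tell (?P<asker>[^,\s]+)"
    r"|Reply (?P<ip>\S+) is-at (?P<mac>[^,\s]+))"
    r", length (?P<length>\d+)$"
)
ARP_IPV4_LEN = 28     # 8-byte ARP header + 2 x (6-byte MAC + 4-byte IPv4)
ETH_MIN_PAYLOAD = 46  # 60-byte minimum frame (no FCS) - 14-byte header

# Sample input: the tcpdump lines quoted in the message.
SAMPLE = [
    "listening on net0, link-type EN10MB (Ethernet), capture size 262144 bytes",
    "10:28:14.675930 ARP, Request who-has 192.168.1.190 tell 192.168.1.1, length 28",
    "10:28:14.675980 ARP, Reply 192.168.1.190 is-at 00:1b:77:53:6c:43, length 28",
    "10:34:53.070420 ARP, Request who-has 91.65.142.159 tell 91.65.142.254, length 46",
    "10:34:53.071792 ARP, Request who-has 90.187.99.84 tell 90.187.99.86, length 46",
]

def summarize(lines):
    """Count ARP requests per asking host and classify the reported lengths."""
    requests, targets, lengths = Counter(), defaultdict(set), Counter()
    for line in lines:
        m = ARP_LINE.match(line.strip())
        if not m:
            continue  # banner lines and non-ARP traffic
        n = int(m["length"])
        # 46 = a 28-byte ARP message padded to the Ethernet minimum payload
        kind = {ARP_IPV4_LEN: "unpadded", ETH_MIN_PAYLOAD: "padded"}.get(n, "other")
        lengths[kind] += 1
        if m["asker"]:  # only requests carry a "tell <asker>" field
            requests[m["asker"]] += 1
            targets[m["asker"]].add(m["target"])
    return requests, targets, lengths

if __name__ == "__main__":
    requests, targets, lengths = summarize(SAMPLE)
    for asker, count in requests.most_common():
        print(f"{asker}: {count} request(s), {len(targets[asker])} distinct target(s)")
    print(dict(lengths))
```

Fed a longer capture, the per-asker counts show which host is generating the bulk of the who-has requests.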