UNKNOWN ARP Requests??

  • Question

  • Hi, I'm receiving UNKNOWN ARP requests from my router. It gives me UNKNOWN and [MAC ADDRESS] in the source, and on protocol ARP??

    In the ARP table I can see the MAC address is the same as the router on 192.168.0.1.

    Any ideas why these would be coming through as unknown??

     

    Thanks!

     

    PS. Another quick question

    I have a laptop on 192.168.0.26 and at the moment it is unable to access the internet (I haven't had time to check it out yet); however, I can see multiple DNS connections from 192.168.0.26.

    AND, I had an active RDP connection from an unknown IP address? I'm not sure what destination it was going to.

    Sounds a bit dodge to me,

    Thanks!

    Saturday, October 22, 2011 11:46 PM

All replies

  • I'm thinking this is probably from a previous DNS or WINS request that resolved the address as unknown.  Assuming you've captured this in one session you should see that traffic in the trace.  In particular, if you can save, reopen, and still see the issue, then for certain it's in the trace.  Just filter on (DNS or WINS) and see if you can see that name resolved.  If this still doesn't help, please copy and paste the expanded details for the ARP request.

    As for your other question, it's difficult to understand what is going on.  An active RDP session is very strange and it might be interesting to monitor that connection to see if any data is coming through.  Perhaps you can also map the IP address to a process that is listening with NetStat. 

    Thanks,

    Paul

    Monday, October 24, 2011 2:01 PM
  • Yeah, I have 2 unknown ARP requests. It gives the MAC address, but still unresolved

    Any idea how to fix this? I can find one MAC address in the ARP table but not the other!

     

    Cheers

    Tuesday, October 25, 2011 5:19 AM
  • Can you copy and paste the ARP details so I can make sure I understand where Unknown is coming from?

    Paul

    Tuesday, October 25, 2011 3:01 PM
  • hope this helps!

     

    Frame: Number = 54066, Captured Frame Length = 60, MediaType = ETHERNET
    + Ethernet: Etype = ARP,DestinationAddress:[FF-FF-FF-FF-FF-FF],SourceAddress:[00-16-E3-5C-D8-67]
    + Arp: Common stub parser. See the "How Do I Change Parser Set Options(Version 3.3 or before) or Configure Parser Profile (Version 3.4)" help topic for tips on loading this parser set.

      Frame: Number = 54066, Captured Frame Length = 60, MediaType = ETHERNET
    - Ethernet: Etype = ARP,DestinationAddress:[FF-FF-FF-FF-FF-FF],SourceAddress:[00-16-E3-5C-D8-67]
      - DestinationAddress: *BROADCAST [FF-FF-FF-FF-FF-FF]
         Rsv: (111111..)
         UL:  (......1.) Locally Administered Address
         IG:  (.......1) Group address (multicast)
      + SourceAddress: UNKNOWN 5CD867 [00-16-E3-5C-D8-67]
        EthernetType: ARP, 2054(0x806)
    + Arp: Common stub parser. See the "How Do I Change Parser Set Options(Version 3.3 or before) or Configure Parser Profile (Version 3.4)" help topic for tips on loading this parser set.

      Frame: Number = 54066, Captured Frame Length = 60, MediaType = ETHERNET
    + Ethernet: Etype = ARP,DestinationAddress:[FF-FF-FF-FF-FF-FF],SourceAddress:[00-16-E3-5C-D8-67]
    + Arp: Common stub parser. See the "How Do I Change Parser Set Options(Version 3.3 or before) or Configure Parser Profile (Version 3.4)" help topic for tips on loading this parser set.

     

    THANKS!

    Thursday, October 27, 2011 1:41 AM
  • I believe this is just because we don't recognize the Vendor code.  In the latest version of the parsers, we leave that UNKNOWN part out.  So we should verify this.  Can you update to the latest parsers on http://nmparsers.codeplex.com and see if that changes the display?

    Thanks,

    Paul

    Thursday, October 27, 2011 2:33 PM
  • Hi Paul, thanks for your reply..

    I downloaded and installed the parsers from the link above, however I'm still getting multiple unknown ARP requests.

    Any other ideas?? It used to work and I believe the requests are from 192.168.0.1, my default gateway.

     

    Thanks!!

    Friday, October 28, 2011 12:35 PM
  • Any more ideas? PLEASE!
    Tuesday, November 1, 2011 8:47 AM
  • ???????

    seriously?

    Wednesday, November 2, 2011 10:25 AM
  • When I look in the globaltables.npl, I see that the vendor code is:

    case 0x0016E3: "ASKEY COMPUTER CORP.";

    So that's what should show up.  But I wonder if there's some file that isn't updating or a customer parser path that is messing things up.  I also notice that you have stub parsers for ARP, which is also strange.

    • Can you verify you have the Default parser profile selected under Parser profiles?
    • If the above was set already, can you send me the output of "nmcap /DisplayNPLPath"?
    • Would it be possible to share the trace (or at least saving out the one frame)?  I've found skydrive has worked for others in the past, but you might have another option you are familiar with.

    Thanks,

    Paul

    Wednesday, November 2, 2011 1:29 PM
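
The vendor-code lookup discussed in the replies, together with a decode of the ARP body that the stub parser in the pasted frame leaves hidden, as an added example (not code from the thread or from Network Monitor). The vendor table holds only the 0x0016E3 entry quoted above; the frame bytes, the 192.168.0.1 sender and the 192.168.0.26 target are a constructed sample, and the label format is assumed from the pasted `UNKNOWN 5CD867` line.

```python
import struct
import ipaddress

# Vendor (OUI) table: only the entry quoted from globaltables.npl in the thread.
OUI_VENDORS = {0x0016E3: "ASKEY COMPUTER CORP."}

def fmt_mac(raw: bytes) -> str:
    return "-".join(f"{b:02X}" for b in raw)

def mac_label(raw: bytes) -> str:
    """Vendor name (or UNKNOWN when the OUI is not in the table) plus the last 3 bytes."""
    if raw == b"\xff" * 6:
        return "*BROADCAST"
    oui = int.from_bytes(raw[:3], "big")
    return f"{OUI_VENDORS.get(oui, 'UNKNOWN')} {raw[3:].hex().upper()}"

def parse_arp_frame(frame: bytes) -> dict:
    """Decode the Ethernet header and the IPv4-over-Ethernet ARP body of one frame."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype != 0x0806:
        raise ValueError(f"not ARP: EtherType 0x{etype:04X}")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not IPv4-over-Ethernet ARP")
    return {
        "dst": fmt_mac(dst), "src": fmt_mac(src),
        "dst_label": mac_label(dst), "src_label": mac_label(src),
        "dst_group": bool(dst[0] & 0x01),   # IG bit of the first octet
        "dst_local": bool(dst[0] & 0x02),   # UL bit of the first octet
        "oper": {1: "request", 2: "reply"}.get(oper, str(oper)),
        "sender_ip": str(ipaddress.IPv4Address(spa)),
        "target_ip": str(ipaddress.IPv4Address(tpa)),
        # Ethernet source and ARP sender hardware address should agree.
        "sender_matches_src": sha == src,
    }

def build_sample_frame() -> bytes:
    """Constructed sample: 60-byte ARP request using the source MAC from the thread."""
    src = bytes.fromhex("0016E35CD867")
    eth = b"\xff" * 6 + src + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1, src,
                      ipaddress.IPv4Address("192.168.0.1").packed, bytes(6),
                      ipaddress.IPv4Address("192.168.0.26").packed)
    return (eth + arp).ljust(60, b"\x00")  # pad to the 60-byte captured length

if __name__ == "__main__":
    print(parse_arp_frame(build_sample_frame()))
```

The `sender_ip` and `sender_matches_src` fields are the ones to compare against the local ARP table entry for the gateway.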