3

I have this problem: arp table filling up

But I am quite sure that I cannot blame Kaspersky.

Scenarie:

  • a user plugs his computer in.
  • He waits and waits but are getting no IP by DHCP.
  • Then he is told there is an IP conflict...
  • He end up assigning himself a static IP to access the net

In the ARP table of the router I see:

192.168.24.144  00:16:41:42:3c:9e   Lenovo  LAN
192.168.24.145  00:16:41:42:3c:9e   Lenovo  LAN
192.168.24.181  00:16:41:42:3c:9e   Lenovo  LAN
192.168.24.150  00:16:41:42:3c:9e   Lenovo  LAN
192.168.24.151  00:16:41:42:3c:9e   Lenovo  LAN
192.168.24.152  00:16:41:42:3c:9e   Lenovo  LAN
192.168.24.156  00:16:41:42:3c:9e   Lenovo  LAN
192.168.24.157  00:16:41:42:3c:9e   Lenovo  LAN
192.168.24.159  00:16:41:42:3c:9e   Lenovo  LAN
192.168.24.160  00:16:41:42:3c:9e   Lenovo  LAN
192.168.24.130  00:16:41:42:3c:9e   Lenovo  LAN
192.168.24.132  00:16:41:42:3c:9e   Lenovo  LAN
192.168.24.164  00:16:41:42:3c:9e   Lenovo  LAN
192.168.24.137  00:16:41:42:3c:9e   Lenovo  LAN
192.168.24.140  00:16:41:42:3c:9e   Lenovo  LAN
192.168.24.206  00:16:41:42:3c:9e   Lenovo  LAN

The last .206 is the static address he gave himself.

Several users descripe the exact same problem. It started after removing some filters in the switches, så all users are on a LAN and can see each other. Before, when filters blocked access to each others computers no one reported this kind of behavior.

UPDATE

While a client tries to connect the ARP table gets filled up. After a short while I have checked the ARP table where the multible listing has been removed again. I have also checked DHCP leases where none of the IPs were listed as active or expired. So it seems that an IP was never assigned even though there was created an ARP entry in the ARP table

UPDATE2

I ended up replacing the router and the problem has not been reported again. Thanks for all feedback

Community
  • 1
Tillebeck
  • 511
  • 1
  • 4
  • 19
  • What exactly is your question and what are you asking for help with? Also, what kind of ethernet switch do you have (manufacturer and model number, please)? – Mike Pennington Jun 25 '12 at 23:45

1 Answers1

4

Can you locate that computer with that mac? It is possible that there is a virus/worm on that machine, taking over all IPs. Check the dhcp logs too. Another posibility is that someone is running some hacking/DoS tools there. Check the machine with the antivirus.

Another possibility is that this is an android tablet/phone which sends a dhcp request but never releases the old IP, and ends up using all the IPs in the dhcp range. This was a known bug on some android versions/implementations.

The third posibility is that someone is running an ARP proxy on that machine for a good/bad reason, and is responding to all ARP requests.

Before you can find and isolate that machine with that mac, we can just guess.

mulaz
  • 10,682
  • 1
  • 31
  • 37
  • I know the machine. And a few others to with same problem. When they try to connect to the net it takes a loooong time and while they try to connect the ARP table gets longer and longer with one IP after the other. – Tillebeck Jun 25 '12 at 21:05
  • it is a desktop Lenovo machine running windows. I will check what anti virus is installed. – Tillebeck Jun 25 '12 at 21:15
  • 2
    @Tillebeck, instead of looking at anti-virus software, you take a step that might completely rule out software as an issue by booting a livecd. If a Linux livecd gets the IP address and works fine, then something about the install is screwed up. – Zoredache Jun 25 '12 at 22:27
  • Ok, thanks. Of about 100 computers about 4 reported problems. There are probably more (rare that all report errors). Thought it was so high a number that I guessed it to be a network issue rather than multible client issue – Tillebeck Jun 25 '12 at 22:45