How to find the process which causes the arp request

Tags: arp, networking

When I run tcpdump on the gateway, I get a lot of ARP requests originating from the gateway itself. I wonder why this happens. How can I find the process that causes these ARP requests?

$ tcpdump -n arp 
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
16:51:03.662114 ARP, Request who-has 211.123.123.251 tell 211.123.123.242, length 28
16:51:03.954113 ARP, Request who-has 211.123.123.246 tell 211.123.123.242, length 28
16:51:04.002111 ARP, Request who-has 211.123.123.254 tell 211.123.123.242, length 28
16:51:04.518111 ARP, Request who-has 211.123.123.248 tell 211.123.123.242, length 28
16:51:04.954113 ARP, Request who-has 211.123.123.246 tell 211.123.123.242, length 28
16:51:05.002110 ARP, Request who-has 211.123.123.254 tell 211.123.123.242, length 28
16:51:05.518110 ARP, Request who-has 211.123.123.248 tell 211.123.123.242, length 28
16:51:06.002112 ARP, Request who-has 211.123.123.254 tell 211.123.123.242, length 28
16:51:06.210111 ARP, Request who-has 211.123.123.252 tell 211.123.123.242, length 28
16:51:06.518114 ARP, Request who-has 211.123.123.248 tell 211.123.123.242, length 28
16:51:07.114111 ARP, Request who-has 211.123.123.246 tell 211.123.123.242, length 28
16:51:07.210111 ARP, Request who-has 211.123.123.252 tell 211.123.123.242, length 28
16:51:07.314112 ARP, Request who-has 211.123.123.249 tell 211.123.123.242, length 28

Following is the gateway config:

$ ip addr
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 6c:f0:49:a8:05:4c brd ff:ff:ff:ff:ff:ff
    inet 211.123.123.242/28 brd 211.123.123.255 scope global eth0
    inet6 fe80::6ef0:49ff:fea8:54c/64 scope link 
       valid_lft forever preferred_lft forever

In this subnet, only 211.123.123.242 (the gateway IP) is in use; the other IPs (such as 211.123.123.246) are unused.

Update:

I can see traffic to these unused IPs; I think this is the reason for these ARPs, although I can't figure out yet why this traffic happens. Maybe a misconfiguration at the ISP.

$ tcpdump host 211.103.252.245
23:50:11.414705 IP 59.34.131.5.7099 > 211.123.123.245.17701: Flags [S.], seq 3745049197, ack 1625918577, win 8760, options [mss 1460], length 0
23:50:12.991258 IP 75.126.1.222.80 > 211.123.123.245.1078: Flags [S.], seq 651817046, ack 152032452, win 17473, length 0

Best Answer

This behavior is very common when you have a DHCP server running. The server probes addresses in the lease range to see which of them are free. There are also other network monitoring solutions that use ARP to track which addresses are in use on a network.

As far as I know there is no facility in Unix-like systems to see which program initiates an ARP request. You could possibly use strace/ktrace/dtrace to find the system call.

In the end I would not worry too much about it. Large amounts of ARP packets can cause problems, but only when it gets into the 1000 pps range. A few packets a second is nothing to worry about.
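As an added example (not part of the question or the answer), the script below parses `tcpdump -n arp` output in the format shown in the question, counts which sender asks for which targets, estimates the request rate against the answer's 1000 pps figure, and flags targets that are asked for on a fixed cadence, the footprint a DHCP server's lease-range probing or an ARP-based monitor leaves. The sample lines are constructed to match the capture format above.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the format of `tcpdump -n arp` shown in the question.
SAMPLE = """\
16:51:03.662114 ARP, Request who-has 211.123.123.251 tell 211.123.123.242, length 28
16:51:04.002111 ARP, Request who-has 211.123.123.254 tell 211.123.123.242, length 28
16:51:04.518111 ARP, Request who-has 211.123.123.248 tell 211.123.123.242, length 28
16:51:05.002110 ARP, Request who-has 211.123.123.254 tell 211.123.123.242, length 28
16:51:05.518110 ARP, Request who-has 211.123.123.248 tell 211.123.123.242, length 28
16:51:06.002112 ARP, Request who-has 211.123.123.254 tell 211.123.123.242, length 28
"""

REQUEST_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) ARP, Request who-has (?P<target>\S+) tell (?P<sender>\S+),")

def parse_arp_requests(text):
    """Return [(seconds_since_midnight, sender_ip, target_ip)] for each ARP request line."""
    requests = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:          # tcpdump banner lines and ARP replies are ignored
            continue
        h, mi, s = m["ts"].split(":")
        requests.append((int(h) * 3600 + int(mi) * 60 + float(s), m["sender"], m["target"]))
    return sorted(requests)

def summarize(requests, pps_alert=1000):
    """Who is asking, for what, how fast, and which targets are probed on a fixed cadence."""
    per_sender = Counter(s for _, s, _ in requests)
    per_target = Counter(t for _, _, t in requests)
    span = requests[-1][0] - requests[0][0] if len(requests) > 1 else 0.0
    pps = len(requests) / span if span > 0 else float(len(requests))
    by_target = defaultdict(list)
    for t, _, target in requests:
        by_target[target].append(t)
    # A target asked for 3+ times at a near-constant interval is being probed
    # (DHCP lease-range checks, ARP-based monitors) rather than resolved on demand.
    periodic = {}
    for target, times in by_target.items():
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(gaps) >= 2 and max(gaps) - min(gaps) < 0.05:
            periodic[target] = round(sum(gaps) / len(gaps), 3)
    return {"per_sender": per_sender, "per_target": per_target, "pps": round(pps, 2),
            "rate_alert": pps >= pps_alert, "periodic_targets": periodic}

if __name__ == "__main__":
    print(summarize(parse_arp_requests(SAMPLE)))
```

Feed it a real capture with `tcpdump -n arp | python3 arp_summary.py` style plumbing (reading stdin instead of SAMPLE) to see whether one sender walks the subnet at a steady interval, which points at a DHCP or monitoring daemon rather than ordinary address resolution.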
