How to prevent excessive ARP requests sent from Windows Server 2003

arp local-area-network tcpip windows-server-2003

OK, I've scoured the 'net already for possible solutions and have found none. Maybe you guys can help me.

I have a Windows Server 2003 setup, with a fixed IP on a routed LAN, standard /24 network.
The server works fine, with the exception of one rather important annoyance: It ARP scans the entire subnet (all 256 addresses except its own) every 20-30 seconds, in two bursts of 128 addresses 10-15 seconds apart. This causes unnecessary and excessive ARP traffic on my LAN (up to 40% of all packets if the LAN is not heavily used).

The requests sent are standard ARP discovery requests with a broadcast MAC and sequential IP addresses in the LAN subnet (not gratuitous). None of the other devices or machines on the subnet are displaying this behaviour (Win XP, Win7, several routers, etc.) so it is something specific to Win Server 2003.

How do I stop it from constantly scanning the subnet for new MAC/IP combinations? I've already tried manually setting the ARP Cache timings on the NIC interface (in the registry) to 600 seconds but the server completely ignores that, apparently.

Best Answer

That sounds utterly bizarre. Are you certain you don't have any "unwanted" software, or software that's performing an "unwanted" function on the machine?

Sequential scans sound like either a piece of malicious software doing network scans, or some type of misguided network "management" running scans. Either way, that's not a stock behavior of Windows Server 2003. I recall Kyle Brandt describing the problems he saw with the Broadcom drivers causing spurious ARPs, but if I recall properly there wasn't even a hint of sequential scanning to those ARPs.

Microsoft Network Monitor 3 or Process Monitor may be able to pin down the process on the machine that's actually generating the traffic. I'd lean toward Network Monitor, first.
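
One way to confirm the sequential-sweep pattern from a capture before hunting for the responsible process, as an added example that is not part of the original question or answer. It assumes the ARP requests have already been exported as (timestamp, sender IP, target IP) tuples; the function names, thresholds and addresses are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

def longest_sequential_run(targets):
    """Length of the longest run where each target is the previous address + 1."""
    best = run = 1 if targets else 0
    for prev, cur in zip(targets, targets[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def find_arp_sweepers(requests, network, window=30.0, min_coverage=0.4, min_run=32):
    """requests: (timestamp_s, sender_ip, target_ip) per ARP who-has frame.
    Flags senders that, inside one time window, ask for a large share of the
    subnet in sequential order. Thresholds are illustrative assumptions."""
    net = ipaddress.ip_network(network)
    by_sender = defaultdict(list)
    for ts, sender, target in requests:
        addr = ipaddress.ip_address(target)
        if addr in net:
            by_sender[sender].append((ts, int(addr)))
    flagged = {}
    for sender, events in by_sender.items():
        events.sort(key=lambda e: e[0])  # keep emission order
        start, best_cov, best_run = 0, 0.0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = [t for _, t in events[start:end + 1]]
            best_cov = max(best_cov, len(set(targets)) / net.num_addresses)
            best_run = max(best_run, longest_sequential_run(targets))
        if best_cov >= min_coverage and best_run >= min_run:
            flagged[sender] = {"coverage": round(best_cov, 2), "longest_run": best_run}
    return flagged

def constructed_capture():
    """Constructed sample: 10.0.0.5 sweeps the /24 in two bursts, 10.0.0.20 behaves normally."""
    rows = []
    for i in range(256):
        if i != 5:  # the sweeping host skips its own address
            rows.append(((0 if i < 128 else 12) + i * 0.01, "10.0.0.5", f"10.0.0.{i}"))
    rows += [(1.0, "10.0.0.20", "10.0.0.1"), (5.0, "10.0.0.20", "10.0.0.5"),
             (40.0, "10.0.0.20", "10.0.0.1")]
    return rows

if __name__ == "__main__":
    print(find_arp_sweepers(constructed_capture(), "10.0.0.0/24"))
```

This only identifies which host is sweeping and how sequential the requests are; tying the traffic to a process on that host still needs a tool such as those named in the answer.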