Many ARP requests in TCP dump

arp cable

I have been experiencing very slow upload speeds on my cable network lately. I ran a tcpdump and found many ARP requests. I'm not sure what process they are coming from, but could this be related to the slow upload speeds, and do these look "normal" for a typical cable connection (where I'm the only user connected currently)?

Thanks!

listening on en0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:49:04.002684 ARP, Request who-has 68-118-243-118.dhcp.oxfr.ma.charter.com tell 68-118-240-1.dhcp.oxfr.ma.charter.com, length 46
12:49:04.171720 ARP, Request who-has 68-118-253-79.dhcp.oxfr.ma.charter.com tell 68-118-240-1.dhcp.oxfr.ma.charter.com, length 46
12:49:04.291645 ARP, Request who-has 68-114-89-108.static.oxfr.ma.charter.com tell 68-114-89-1.static.oxfr.ma.charter.com, length 46
12:49:04.502923 ARP, Request who-has 68-118-251-131.dhcp.oxfr.ma.charter.com tell 68-118-240-1.dhcp.oxfr.ma.charter.com, length 46
12:49:04.741602 ARP, Request who-has 68-191-76-23.dhcp.oxfr.ma.charter.com tell 68-191-76-1.dhcp.oxfr.ma.charter.com, length 46
12:49:04.911616 ARP, Request who-has 66-189-59-193.dhcp.oxfr.ma.charter.com tell 66-189-56-1.dhcp.oxfr.ma.charter.com, length 46
12:49:04.922207 IP 68-118-240-1.dhcp.oxfr.ma.charter.com.bootps > broadcasthost.bootpc: BOOTP/DHCP, Reply, length 302
12:49:04.972062 ARP, Request who-has 66-189-58-93.dhcp.oxfr.ma.charter.com tell 66-189-56-1.dhcp.oxfr.ma.charter.com, length 46
12:49:04.988999 IP 66-189-7-87.dhcp.oxfr.ma.charter.com.65456 > vip01oxfrma.oxfr.ma.charter.com.domain: 30885+ PTR? 118.243.118.68.in-addr.arpa. (45)
12:49:05.015549 IP vip01oxfrma.oxfr.ma.charter.com.domain > 66-189-7-87.dhcp.oxfr.ma.charter.com.65456: 30885 1/4/4 PTR 68-118-243-118.dhcp.oxfr.ma.charter.com. (234)
12:49:05.017837 IP 66-189-7-87.dhcp.oxfr.ma.charter.com.54271 > vip01oxfrma.oxfr.ma.charter.com.domain: 19969+ PTR? 108.89.114.68.in-addr.arpa. (44)
12:49:05.041656 ARP, Request who-has 68-118-247-67.dhcp.oxfr.ma.charter.com tell 68-118-240-1.dhcp.oxfr.ma.charter.com, length 46
12:49:05.049876 IP vip01oxfrma.oxfr.ma.charter.com.domain > 66-189-7-87.dhcp.oxfr.ma.charter.com.54271: 19969 1/4/4 PTR 68-114-89-108.static.oxfr.ma.charter.com. (234)
12:49:05.051739 IP 66-189-7-87.dhcp.oxfr.ma.charter.com.63229 > vip01oxfrma.oxfr.ma.charter.com.domain: 20205+ PTR? 131.251.118.68.in-addr.arpa. (45)
12:49:05.079028 IP vip01oxfrma.oxfr.ma.charter.com.domain > 66-189-7-87.dhcp.oxfr.ma.charter.com.63229: 20205 1/4/4 PTR 68-118-251-131.dhcp.oxfr.ma.charter.com. (234)
12:49:05.081525 IP 66-189-7-87.dhcp.oxfr.ma.charter.com.50529 > vip01oxfrma.oxfr.ma.charter.com.domain: 6279+ PTR? 193.59.189.66.in-addr.arpa. (44)
12:49:05.108656 IP vip01oxfrma.oxfr.ma.charter.com.domain > 66-189-7-87.dhcp.oxfr.ma.charter.com.50529: 6279 1/4/4 PTR 66-189-59-193.dhcp.oxfr.ma.charter.com. (232)
12:49:05.111850 IP 66-189-7-87.dhcp.oxfr.ma.charter.com.62520 > vip01oxfrma.oxfr.ma.charter.com.domain: 6811+ PTR? 93.58.189.66.in-addr.arpa. (43)
12:49:05.121518 ARP, Request who-has 68-118-252-16.dhcp.oxfr.ma.charter.com tell 68-118-240-1.dhcp.oxfr.ma.charter.com, length 46
12:49:05.173916 IP vip01oxfrma.oxfr.ma.charter.com.domain > 66-189-7-87.dhcp.oxfr.ma.charter.com.62520: 6811 1/4/4 PTR 66-189-58-93.dhcp.oxfr.ma.charter.com. (230)
12:49:05.201511 ARP, Request who-has 68-118-251-2.dhcp.oxfr.ma.charter.com tell 68-118-240-1.dhcp.oxfr.ma.charter.com, length 46
12:49:05.291734 ARP, Request who-has 68-114-83-97.dhcp.oxfr.ma.charter.com tell 68-114-83-1.dhcp.oxfr.ma.charter.com, length 46
12:49:05.542707 ARP, Request who-has 68-118-251-133.dhcp.oxfr.ma.charter.com tell 68-118-240-1.dhcp.oxfr.ma.charter.com, length 46
12:49:05.642470 ARP, Request who-has 68-112-226-74.static.oxfr.ma.charter.com tell 68-112-226-65.static.oxfr.ma.charter.com, length 46
12:49:05.677856 ARP, Request who-has 68-191-78-74.dhcp.oxfr.ma.charter.com tell 68-191-76-1.dhcp.oxfr.ma.charter.com, length 46
12:49:05.711651 ARP, Request who-has 68-114-83-87.dhcp.oxfr.ma.charter.com tell 68-114-83-1.dhcp.oxfr.ma.charter.com, length 46
12:49:05.831579 ARP, Request who-has 68-118-252-141.dhcp.oxfr.ma.charter.com tell 68-118-240-1.dhcp.oxfr.ma.charter.com, length 46
12:49:05.865214 ARP, Request who-has 68-114-83-79.dhcp.oxfr.ma.charter.com tell 68-114-83-1.dhcp.oxfr.ma.charter.com, length 46
12:49:05.891413 ARP, Request who-has 66-189-58-111.dhcp.oxfr.ma.charter.com tell 66-189-56-1.dhcp.oxfr.ma.charter.com, length 46
12:49:05.962120 ARP, Request who-has 68-118-249-42.dhcp.oxfr.ma.charter.com tell 68-118-240-1.dhcp.oxfr.ma.charter.com, length 46
12:49:05.982966 ARP, Request who-has 68-118-244-10.dhcp.oxfr.ma.charter.com tell 68-118-240-1.dhcp.oxfr.ma.charter.com, length 46
12:49:06.081588 ARP, Request who-has 68-118-247-67.dhcp.oxfr.ma.charter.com tell 68-118-240-1.dhcp.oxfr.ma.charter.com, length 46
12:49:06.182009 IP 66-189-7-87.dhcp.oxfr.ma.charter.com.62503 > vip01oxfrma.oxfr.ma.charter.com.domain: 4739+ PTR? 74.226.112.68.in-addr.arpa. (44)
12:49:06.191522 ARP, Request who-has 68-118-249-113.dhcp.oxfr.ma.charter.com tell 68-118-240-1.dhcp.oxfr.ma.charter.com, length 46
12:49:06.207321 IP vip01oxfrma.oxfr.ma.charter.com.domain > 66-189-7-87.dhcp.oxfr.ma.charter.com.62503: 4739 1/4/4 PTR 68-112-226-74.static.oxfr.ma.charter.com. (234)
12:49:06.211399 IP 66-189-7-87.dhcp.oxfr.ma.charter.com.60872 > vip01oxfrma.oxfr.ma.charter.com.domain: 59078+ PTR? 141.252.118.68.in-addr.arpa. (45)
12:49:06.222200 ARP, Request who-has 68-118-252-1.dhcp.oxfr.ma.charter.com tell 68-118-240-1.dhcp.oxfr.ma.charter.com, length 46
12:49:06.239417 IP vip01oxfrma.oxfr.ma.charter.com.domain > 66-189-7-87.dhcp.oxfr.ma.charter.com.60872: 59078 1/4/4 PTR 68-118-252-141.dhcp.oxfr.ma.charter.com. (234)
12:49:06.240915 IP 66-189-7-87.dhcp.oxfr.ma.charter.com.60890 > vip01oxfrma.oxfr.ma.charter.com.domain: 28037+ PTR? 79.83.114.68.in-addr.arpa. (43)
12:49:06.255483 ARP, Request who-has 66-189-4-153.dhcp.oxfr.ma.charter.com tell 66-189-4-1.dhcp.oxfr.ma.charter.com, length 46
12:49:06.262555 ARP, Request who-has 68-118-248-106.dhcp.oxfr.ma.charter.com tell 68-118-240-1.dhcp.oxfr.ma.charter.com, length 46
12:49:06.266299 IP vip01oxfrma.oxfr.ma.charter.com.domain > 66-189-7-87.dhcp.oxfr.ma.charter.com.60890: 28037 1/4/4 PTR 68-114-83-79.dhcp.oxfr.ma.charter.com. (230)
12:49:06.267768 IP 66-189-7-87.dhcp.oxfr.ma.charter.com.61212 > vip01oxfrma.oxfr.ma.charter.com.domain: 106+ PTR? 111.58.189.66.in-addr.arpa. (44)
12:49:06.292326 IP vip01oxfrma.oxfr.ma.charter.com.domain > 66-189-7-87.dhcp.oxfr.ma.charter.com.61212: 106 1/4/4 PTR 66-189-58-111.dhcp.oxfr.ma.charter.com. (232)
12:49:06.293768 IP 66-189-7-87.dhcp.oxfr.ma.charter.com.56911 > vip01oxfrma.oxfr.ma.charter.com.domain: 13472+ PTR? 42.249.118.68.in-addr.arpa. (44)
12:49:06.302025 ARP, Request who-has 68-118-246-46.dhcp.oxfr.ma.charter.com tell 68-118-240-1.dhcp.oxfr.ma.charter.com, length 46
12:49:06.325283 IP vip01oxfrma.oxfr.ma.charter.com.domain > 66-189-7-87.dhcp.oxfr.ma.charter.com.56911: 13472 1/4/4 PTR 68-118-249-42.dhcp.oxfr.ma.charter.com. (232)
12:49:06.614851 IP sjc-not9.sjc.dropbox.com.http > 66-189-7-87.dhcp.oxfr.ma.charter.com.51878: Flags [P.], seq 957278744:957278923, ack 4016371518, win 501, options [nop,nop,TS val 190644564 ecr 789980198], length 179
12:49:06.614951 IP 66-189-7-87.dhcp.oxfr.ma.charter.com.51878 > sjc-not9.sjc.dropbox.com.http: Flags [.], ack 179, win 65535, options [nop,nop,TS val 789980757 ecr 190644564], length 0
12:49:06.618585 IP 66-189-7-87.dhcp.oxfr.ma.charter.com.51878 > sjc-not9.sjc.dropbox.com.http: Flags [P.], seq 1:237, ack 179, win 65535, options [nop,nop,TS val 789980757 ecr 190644564], length 236
12:49:06.719929 IP sjc-not9.sjc.dropbox.com.http > 66-189-7-87.dhcp.oxfr.ma.charter.com.51878: Flags [.], ack 237, win 501, options [nop,nop,TS val 190644575 ecr 789980757], length 0
12:49:06.742127 ARP, Request who-has 68-118-245-163.dhcp.oxfr.ma.charter.com tell 68-118-240-1.dhcp.oxfr.ma.charter.com, length 46
12:49:06.792002 ARP, Request who-has 68-114-83-126.dhcp.oxfr.ma.charter.com tell 68-114-83-1.dhcp.oxfr.ma.charter.com, length 46
12:49:06.901770 ARP, Request who-has 68-114-89-97.static.oxfr.ma.charter.com tell 68-114-89-1.static.oxfr.ma.charter.com, length 46
12:49:06.988708 ARP, Request who-has 68-118-252-37.dhcp.oxfr.ma.charter.com tell 68-118-240-1.dhcp.oxfr.ma.charter.com, length 46

Best Answer

You're seeing those on your outside interface. The various gateway systems on your broadcast domain (the address in the tell _____ section of the ARP line) are sending those requests to find what MAC address has a specific IP.

While it's a little odd that they're letting you see all this traffic (and potentially maliciously respond to the ARP requests - I hope they have some additional layer of security there), 10-20 per second as you have here should have absolutely no impact on performance. Worry if it gets into the thousands.
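
To put a number on the rate the answer talks about, this added example (not part of the original answer) counts ARP requests per second and per requesting gateway from tcpdump's text output. The function name `summarize_arp` and the 1000-per-second alert level are assumptions, the latter read off the answer's "thousands".

```python
import re
from collections import Counter

# tcpdump text line: "<time> ARP, Request who-has <target> tell <sender>, length N"
ARP_RE = re.compile(
    r"^(\d{2}:\d{2}:\d{2})\.\d+ ARP, Request who-has (\S+) tell (\S+?), length \d+")

# Assumption: alert level taken from the answer's "worry if it gets into the thousands".
WORRY_PER_SECOND = 1000

def summarize_arp(lines, threshold=WORRY_PER_SECOND):
    """Count ARP requests per wall-clock second and per requesting host."""
    per_second, per_sender = Counter(), Counter()
    for line in lines:
        m = ARP_RE.match(line.strip())
        if not m:  # banner, DHCP, DNS and TCP lines are ignored
            continue
        second, _target, sender = m.groups()
        per_second[second] += 1
        per_sender[sender] += 1
    total = sum(per_second.values())
    peak = max(per_second.values(), default=0)
    return {
        "total": total,
        "peak_per_second": peak,
        # mean over seconds that contained at least one ARP request
        "mean_per_second": total / len(per_second) if per_second else 0.0,
        "top_senders": per_sender.most_common(3),
        "excessive": peak >= threshold,
    }

# Lines excerpted from the capture in the question.
SAMPLE = """\
listening on en0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:49:04.002684 ARP, Request who-has 68-118-243-118.dhcp.oxfr.ma.charter.com tell 68-118-240-1.dhcp.oxfr.ma.charter.com, length 46
12:49:04.171720 ARP, Request who-has 68-118-253-79.dhcp.oxfr.ma.charter.com tell 68-118-240-1.dhcp.oxfr.ma.charter.com, length 46
12:49:04.291645 ARP, Request who-has 68-114-89-108.static.oxfr.ma.charter.com tell 68-114-89-1.static.oxfr.ma.charter.com, length 46
12:49:04.922207 IP 68-118-240-1.dhcp.oxfr.ma.charter.com.bootps > broadcasthost.bootpc: BOOTP/DHCP, Reply, length 302
12:49:05.041656 ARP, Request who-has 68-118-247-67.dhcp.oxfr.ma.charter.com tell 68-118-240-1.dhcp.oxfr.ma.charter.com, length 46
12:49:05.291734 ARP, Request who-has 68-114-83-97.dhcp.oxfr.ma.charter.com tell 68-114-83-1.dhcp.oxfr.ma.charter.com, length 46
""".splitlines()

if __name__ == "__main__":
    for key, value in summarize_arp(SAMPLE).items():
        print(f"{key}: {value}")
```

Capturing with `tcpdump -n` skips reverse DNS resolution, which is what produces the PTR lookups interleaved in the capture above; the pattern matches numeric addresses as well as hostnames.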
