1. The refresh period is never generally > 5 minutes, and the problem existed much longer than that.
2. We cleared ARP tables on the managed switch constantly.
3. We also cleared ARP on the Windows machine: "ARP -D *"
 
----- Original Message -----
Sent: Tuesday, November 30, 2004 3:46 AM
Subject: Re: [WinPcap-users] Critical issue: NIC stealing all ARP requests.

Matthew,
 
Switches keep track of which MAC addresses are on which port for that switch, i.e. you have a table on the switch of MAC address/port. It's possible that there are two entries in the switch table for the same MAC address but different port. This could happen if you switched a MAC card, for example. Switch tables are supposed to automatically obsolete their entries after a while, not sure on the details. Another idea is to clear the ARP table on your originating host, which will trigger an ARP broadcast which might reset the switch table entry for the MAC address in question.
 
mcd 
----- Original Message -----
Sent: Monday, November 29, 2004 7:52 AM
Subject: [WinPcap-users] Critical issue: NIC stealing all ARP requests.

We have a machine in our datacenter that started stealing ARP requests once we installed WinPcap and Traffic Statistic (http://www.trafficstatistic.com). Marcel Bartels, the author, assures me it is not related to his application, thus I'm wondering if any other WinPcap users have heard of this.
 
Basically it is answering ARPs from the switch for IPs that are not assigned to the machine. This had the effect of DoS'ing other boxes on the same switch to which the IPs did belong. It was intermittent because obviously the real box that owned the IP would sometimes beat the rogue machine with an ARP reply.
 
The very strange thing is that after WinPcap and Traffic Statistic were uninstalled, it STILL continued to steal ARPs. Then we swapped out the network card for an identical one, same problem. We eventually installed a second card, this time a 1000 Mbps Realtek, and unplugged the 100 Mbps one from the network. This solved it as a temporary measure.
 
Also, Promiscuous and Broadcast mode were unchecked in the Traffic Statistic software.
 
Additional details:
OS: Windows 2003
Network: Realtek 100MBps
Other software: Netlimiter (installed 1 week before the incident and later uninstalled too along with winpcap).
 
Off the top of my head I can suspect:
- buggy drivers
- winpcap bug
- some low-level registry setting changed
 
Thanks for any help

Regards, Matthew                 
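
An added example, not part of the original thread: one way to confirm the symptom described above from a capture is to collect ARP replies and flag any MAC address that answers for several IPs that another MAC also claims. The sample lines are constructed in the style of `tcpdump -n arp` output, and all addresses and function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the style of `tcpdump -n arp` output (not from the thread).
SAMPLE = """\
12:00:01.100 ARP, Reply 10.0.0.5 is-at 00:e0:4c:00:00:05, length 46
12:00:01.101 ARP, Reply 10.0.0.5 is-at 00:e0:4c:00:00:99, length 46
12:00:02.300 ARP, Reply 10.0.0.6 is-at 00:e0:4c:00:00:99, length 46
12:00:02.302 ARP, Reply 10.0.0.6 is-at 00:e0:4c:00:00:06, length 46
12:00:03.000 ARP, Reply 10.0.0.7 is-at 00:e0:4c:00:00:07, length 46
12:00:04.500 ARP, Reply 10.0.0.9 is-at 00:e0:4c:00:00:99, length 46
"""

REPLY = re.compile(r"ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})")


def parse_replies(text):
    """Yield (ip, mac) for every ARP reply line; other lines are ignored."""
    for line in text.splitlines():
        m = REPLY.search(line)
        if m:
            yield m.group(1), m.group(2).lower()


def analyse(text):
    """Return (conflicts, suspects).

    conflicts: {ip: sorted MACs} for IPs claimed by more than one MAC.
    suspects:  {mac: sorted contested IPs} for MACs answering for two or
               more contested IPs. A router doing proxy ARP can also match,
               so treat a hit as a lead to verify, not as proof.
    """
    ip_to_macs = defaultdict(set)
    for ip, mac in parse_replies(text):
        ip_to_macs[ip].add(mac)
    conflicts = {ip: sorted(m) for ip, m in ip_to_macs.items() if len(m) > 1}

    contested = defaultdict(set)
    for ip, macs in conflicts.items():
        for mac in macs:
            contested[mac].add(ip)
    suspects = {mac: sorted(ips) for mac, ips in contested.items() if len(ips) > 1}
    return conflicts, suspects


if __name__ == "__main__":
    conflicts, suspects = analyse(SAMPLE)
    print("contested IPs:", conflicts)
    print("suspect MACs:", suspects)
```

An IP that only one MAC answers for (10.0.0.9 in the sample) is not counted against that MAC, since it may be the host's own address.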