
Wireshark-users: Re: [Wireshark-users] Why are there a lot of ARP traffic inanetwork?

From: "Pablo Brozovich" <Pmbm@xxxxxxxxxxxxxx>
Date: Thu, 23 Jul 2009 06:32:56 -0700
I am looking at a 200-second trace with 10,511 packets; in this case there are 7,720 ARP packets (73.45%). Can I take it easy? What can I do to reduce those ARP packets in the network's traffic?

<-----Original Message----->
From: Ian Schorr [wireshark-users@xxxxxxxxxxxxx]
Sent: 22/7/2009 6:22:22 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Why are there a lot of ARP traffic inanetwork?

I've found people (especially those that don't analyze traffic often) frequently misinterpret traffic volumes during idle periods.

I've had people tell me "it looks like the network is suddenly flooded with broadcasts", to find that they were simply looking at a capture of a time where not much was happening. 


For example, they might be looking at a 100-second trace where the host they were monitoring was busy, then relatively idle for a 90-second period, then busy again.  As they browse through a packet list, they'd see that the first 4,000 packets might be primarily host-specific data, then the next 4,000 primarily ARPs and CDP packets and BPDUs and things, and then host data again.  So "obviously" there's suddenly a period where there are a "lot" of broadcasts.  But they don't notice that the deltas between each packet have changed, and so even though the packet list suddenly shifted to being mostly broadcast traffic, the RATE of ARPs and things didn't change.  But psychologically they just don't see it that way - they just see that suddenly the percentage of broadcast packets is suddenly different.  It's pretty common, partly a result of the way the packet list is presented.  I do it sometimes myself.


All I'm saying is that when you say "a lot of ARP" traffic, is it really "a lot"?  Or do you just see MOSTLY ARP (and maybe other broadcast) traffic because there's not much else going on the network segment you're monitoring?  How many ARPs do you see per second? 

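Added example, not part of either message: a short Python script that separates the two measures discussed in this thread, ARP packets per second and ARP as a percentage of packets, per time window. The trace it builds is constructed (a 100-second capture with a 90-second idle period and an assumed steady 2 ARP/s), and the function names are hypothetical.

```python
from collections import defaultdict

def per_window(packets, window=5.0):
    """Bucket (timestamp, protocol) pairs into fixed windows.
    Returns rows of (window_start, total_pkts, arp_pkts, arp_per_sec, arp_share_pct)."""
    buckets = defaultdict(lambda: [0, 0])          # window index -> [total, arp]
    for ts, proto in packets:
        b = buckets[int(ts // window)]
        b[0] += 1
        b[1] += proto == "ARP"
    return [(i * window, t, a, a / window, 100.0 * a / t)
            for i, (t, a) in sorted(buckets.items())]

def rate_and_share(total, arp, duration):
    """Whole-trace ARP rate (packets/s) and ARP share (%)."""
    return arp / duration, 100.0 * arp / total

def constructed_trace():
    """Constructed sample, not a real capture: a 100 s trace where the host is
    busy for 5 s, idle for 90 s, then busy for 5 s, while ARP stays at 2/s."""
    pkts = [(i * 0.5, "ARP") for i in range(200)]            # steady 2 ARP/s
    pkts += [(i / 400, "TCP") for i in range(2000)]          # busy 0-5 s
    pkts += [(95 + i / 400, "TCP") for i in range(2000)]     # busy 95-100 s
    return sorted(pkts)

if __name__ == "__main__":
    # The share column swings between under 1% and 100%; the rate column does not move.
    for start, total, arp, rate, share in per_window(constructed_trace()):
        print(f"{start:5.0f}s  total={total:5d}  arp={arp:3d}  "
              f"arp/s={rate:4.1f}  arp%={share:6.2f}")
    # Figures quoted in the reply at the top of this thread.
    rate, share = rate_and_share(total=10511, arp=7720, duration=200)
    print(f"whole trace: {rate:.1f} ARP/s, {share:.2f}% of packets")
```

To run it on a real capture, feed `per_window` the relative timestamp and protocol of each packet exported from the packet list.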