• March 29, 2024, 08:33:16 PM
  • Welcome, Guest
Please login or register.

Login with username, password and session length
Advanced search  

News:

This Forum Beta is ONLY for registered owners of D-Link products in the USA for which we have created boards at this time.

Author Topic: arp flooding??  (Read 16492 times)

sefflu

  • Level 1 Member
  • *
  • Posts: 4
arp flooding??
« on: February 16, 2013, 02:34:07 AM »

Hi,

I found my dir-601 router keeps making arp query to all ip addresses in same network periodically.
all dhcp clients are general laptops and smart phone, I don't think there are any arp cheats attack on those  devices.

is it normal?
model: DIR-601
hardware version: B1
firmware version : 2.00NA

Please find the wireshark screenshot.
https://www.dropbox.com/s/4fuahffeqr36xvp/dir_router.png
« Last Edit: February 16, 2013, 02:40:36 AM by sefflu »
Logged

FurryNutz

  • Poweruser
  •   ▲
    ▲ ▲
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: arp flooding??
« Reply #1 on: February 16, 2013, 09:08:03 AM »

Link>Welcome!

What region are you located?
Are you wired or wireless connected to the router?
Has a Factory Reset been performed?

What ISP Service do you have? Cable or DSL?
What ISP Modem do you have? Stand Alone or built in router?
What ISP Modem make and model do you have?

Some things to try: - Log into the routers web page at 192.168.0.1. Use IE, Opera or FF to manage the router.
Turn off ALL QoS or Disable Traffic Shaping (DIR only) GameFuel (DGL only and if ON.) options. Advanced/QoS or Gamefuel.
Turn off Advanced DNS Services if you have this option under Setup/Internet/Manual.
Turn on DNS Relay under Setup/Networking.
Setup DHCP reserved IP addresses for all devices ON the router. Setup/Networking. This ensures each devices gets its own IP address when turned on and connected, eliminates IP address conflicts and helps in troubleshooting.
Ensure devices are set to auto obtain an IP address.
Set Firewall settings to Endpoint Independent for TCP and UDP under Advanced/Firewall.
Enable uPnP and Multi-cast Streaming under Advanced/Networking. Disable uPnP for testing Port Forwarding rules.
WAN Port Speed set to Auto or specific speed? Some newer ISP modems support 1000Mb so manually setting to Gb speeds can be supported by the router. Advanced/Advanced Networking/WAN Port Speed
Set Time and Time Zone under Tools/Time.

Ensure all PCs are scanned for Malware and Viruses.
« Last Edit: February 16, 2013, 09:09:43 AM by FurryNutz »
Logged
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

sefflu

  • Level 1 Member
  • *
  • Posts: 4
Re: arp flooding??
« Reply #2 on: February 16, 2013, 03:55:51 PM »

btw, I found this thread
http://forums.dlink.com/index.php?topic=14857.0

I am in bay area, CA, USA and using comcast cable network with a stand alone modem.

I also found another problem, the web service daemon seems crash after awhile, I have to reboot it to get web service back...

I did disable the QoS stuff for gaming.
Logged

Hard Harry

  • Guest
Re: arp flooding??
« Reply #3 on: February 16, 2013, 05:12:31 PM »

btw, I found this thread
http://forums.dlink.com/index.php?topic=14857.0

I am in bay area, CA, USA and using comcast cable network with a stand alone modem.

I also found another problem, the web service daemon seems crash after awhile, I have to reboot it to get web service back...

I did disable the QoS stuff for gaming.

Well what is IP 192.168.77.1? A computer on your LAN? Gateway for your LAN? Its not default 192.168.0.100-199.
Logged

sefflu

  • Level 1 Member
  • *
  • Posts: 4
Re: arp flooding??
« Reply #4 on: February 16, 2013, 08:08:15 PM »

well, I change the network to 192.168.77.*, and the 192.168.77.1 is the DIR-601 device. yea, gateway for my LAN.
Logged

Hard Harry

  • Guest
Re: arp flooding??
« Reply #5 on: February 16, 2013, 08:34:38 PM »

Well I wouldn't say its "normal" but I wouldn't say its too problematic. Is it doing it on boot? Or constantly? If the later, yea, that could be a issue. If its doing at boot or a couple times a hour, thats normal. You can try setting your DHCP to not always broadcast, but its not all that important.
Logged

sefflu

  • Level 1 Member
  • *
  • Posts: 4
Re: arp flooding??
« Reply #6 on: February 17, 2013, 05:21:58 PM »

Thanks for your reply

it's constantly and periodically.

hmm...should I try to update firmware?
Logged

Hard Harry

  • Guest
Re: arp flooding??
« Reply #7 on: February 17, 2013, 06:04:23 PM »

Well basically that kind of traffic occurs any time the router gets a request for a IP that it doesn't have in it's routing table. Thats why it happens alot of boot, since all the routing tables are cleared, yet there can still be traffic on the network. The "Always Broadcast" feature of the DHCP server in the router broadcasts the response for a IP to all IP's in range, and not just to the one making the request. So you would see a increase in misc traffic over the network, but It would be DHCP protocol, not ARP.

After digging around, I see others have had similar issues, usually the request is coming from computers, not the router. And usually network scanning applications. Wireshark is exactly that, so I wonder if maybe the very tool your using to troubleshoot the issue, is causing the issue. What was the symptom that lead you to use Wireshark to start with?

I also found this thread, and someone with a DIR-632 and the same problem, but no solution. It is quite possible its just hard coded into the router's DHCP server. You can try a firmware update, but I have a feeling it won't change anything. In the end, I don't think its service effecting.
Logged

thisistherun

  • Level 1 Member
  • *
  • Posts: 4
Re: arp flooding??
« Reply #8 on: December 17, 2013, 09:42:49 PM »

i will be joing the flood of ARP request party

mine is requested from the router
been pulling a lot of hairs trying to resolve this

.1 = router
.7 = client

Logged

FurryNutz

  • Poweruser
  •   ▲
    ▲ ▲
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: arp flooding??
« Reply #9 on: December 18, 2013, 07:36:38 AM »

Link>Welcome!

  • What Hardware version is your router? Look at sticker under router.
  • Link>What Firmware version is currently loaded? Found on the routers web page under status.
  • What region are you located?

Internet Service Provider and Modem Configurations
  • What ISP Service do you have? Cable or DSL?
  • What ISP Modem Mfr. and model # do you have?
  • What ISP Modem service link speeds UP and Down do you have?
  • Check ISP MTU requirements, Cable is usually 1500, DSL is around 1492 down to 1472. Call the ISP and ask. Link>Checking MTU Values
  • For DSL/PPPoE connections on the router, ensure that "Always ON" option is enabled.

Router and Wired Configurations
Some things to try: - Log into the routers web page at 192.168.0.1. Use IE, Opera or FF to manage the router.
  • Turn off ALL QoS or Disable Traffic Shaping (DIR only) GameFuel (DGL only and if ON.) options, Advanced/QoS or Gamefuel.
  • Turn off Advanced DNS Services if you have this option under Setup/Internet/Manual or under Setup/PARENTAL CONTROL/Set to>None: Static IP or Obtain Automatically From ISP.
  • Enable Use Unicasting (compatibility for some ISP DHCP Servers) under Setup/Internet/Manual.
  • Turn on DNS Relay under Setup/Networking. Link>Finding Faster DNS Addresses using Name Bench
  • Setup DHCP reserved IP addresses for all devices ON the router. Setup/Networking. This ensures each devices gets its own IP address when turned on and connected, eliminates IP address conflicts and helps in troubleshooting.
  • Ensure devices are set to auto obtain an IP address.
  • Set Firewall settings to Endpoint Independent for TCP and UDP under Advanced/Firewall. Enable or Disable SPI to test.
  • Disable uPnP and Multi-cast Streaming under Advanced/Networking. As a test to see if this does anything.
  • Turn off WISH, and WPS under Advanced.
  • Set current Time Zone, Date and Time. Use an NTP Server feature. Tools/Time.

Is this the only PC connected that exhibits this? I'd check the PC for any malware or mis-configurations on the network. Boot the Pc into Safe Mode with Networking and check again for ARPg.

i will be joing the flood of ARP request party

mine is requested from the router
been pulling a lot of hairs trying to resolve this

.1 = router
.7 = client


Logged
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

thisistherun

  • Level 1 Member
  • *
  • Posts: 4
Re: arp flooding??
« Reply #10 on: December 18, 2013, 10:09:08 AM »

hello, Furry
 
What Hardware version is your router? Look at sticker under router.
A1

Link>What Firmware version is currently loaded? Found on the routers web page under status.
1.01

What region are you located?
East of Canada

Internet Service Provider and Modem Configurations

What ISP Service do you have? Cable or DSL?
Cable

What ISP Modem Mfr. and model # do you have?
Thomson RCA DCM425

http://www.timewarnercable.com/en/residential-home/support/faqs/faqs-equipment-and-instruction-manuals/modems/thomsonrca/thomsonrca-dcm425.html

What ISP Modem service link speeds UP and Down do you have?
18Mbps down / 0.6 Mbps up
Logged

FurryNutz

  • Poweruser
  •   ▲
    ▲ ▲
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: arp flooding??
« Reply #11 on: December 18, 2013, 12:17:00 PM »

Let us know any results of malware on PCs.

You might try leaving the PCs connected to the router, then unplug the WAN cable from the ISP modem...do you still see ARPg?

Logged
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

thisistherun

  • Level 1 Member
  • *
  • Posts: 4
Re: arp flooding??
« Reply #12 on: December 21, 2013, 06:35:13 AM »

unplugging WAN cable from modem, the ARP is still there
the router's interface is mess up now, lol

Logged

FurryNutz

  • Poweruser
  •   ▲
    ▲ ▲
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: arp flooding??
« Reply #13 on: December 21, 2013, 10:15:09 AM »

3rd Party Security Software Configurations
  • Turn off all anti virus and firewall programs on PC while testing. 3rd party firewalls are not generally needed when using routers as they are effective on blocking malicious inbound traffic.

Then...

Web Browser Configurations
What browser are you using?
Try Opera or FF? If IE 8, 9, 10 or 11, set compatibility mode and test again.
Disable any security browser Add-ons like No Script and Ad-Block or configure them to allow All Pages when connected to the router.
Clear all browser caches.
Try turning off these features in Chrome:
Top right corner, little bars for options > Settings > Settings (on left) > Show advanced settings.
Uncheck these:
Use a web service to help resolve navigation errors
Use a prediction service to help complete searches and URLs typed in the address bar
Predict network actions to improve page load performance
Enable phishing and malware protection

I recommend that you check your PC for malware or test with a different PC to see if same thing is happending. You might reload FW using the following process:
FW Update Process
Logged
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

thisistherun

  • Level 1 Member
  • *
  • Posts: 4
Re: arp flooding??
« Reply #14 on: December 21, 2013, 02:22:13 PM »

I use firefox and chrome
I only use windows firewall

I did uncheck the those options in chrome
cleared all cache

and start capturing packet, it's still occuring

I'll test a different client when my brother is back before I consider reloading the firmware

Logged