SUMMARY: How can I know an ARP request is generated by which process?

From: Jeremy Jin _at_ Nucleus <_at_>
Date: Thu Sep 25 2003 - 17:22:06 EDT
Thanks to the following people who replied:

Eliezer Ramm
Darren Dunham
Gerald Combs
Thomas M. Payerle

Original Post of Question
> I use snoop to monitor my network and find there are many request "ARP C
> is", but actually is old machine and I removed
> one year ago. I tried to find any configuration which still has
> but found nothing. So is there any way to find which process
> generate these requests, and then I can easily find why it continues to
> generate the requests.


ARP is not generated by an application, but by the system. So there is
probably no way to find which process is related to an ARP request.

Some people think it is caused by the ARP cache and suggest checking (and
changing) the kernel settings.

# ndd -set /dev/arp arp_cleanup_interval <time>
# ndd -set /dev/ip ip_ire_cleanup_interval <time>

or check /var/statmon/sm for an entry for the stray IP.

But this problem does not seem to be caused by the cache (the cache won't last
as long as 1 year; I didn't see any exception there).

So some other people suggested a trick to analyze this issue:

   > Grab a machine (*not* this one) and bring up that address as a
   > virtual address (or the only one if it's a throwaway).
   > Then you can actually have the ARP answered, and you can snoop for
   > the next packet which should have a TCP/UDP port and give you more
   > information about it...

This is a really good trick. But after I did that and used snoop for that IP
address, I got nothing. Probably because the sender computers don't send
requests to that IP address any more after they know who it is and that it has
no required service. To some extent, my problem is solved, because the
computers won't send so many ARP requests now.
sunmanagers mailing list
Received on Thu Sep 25 17:21:59 2003
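
Added example (not part of the original post or of the replies): an ARP request carries the sender's hardware and IP address, so a capture can at least show which hosts keep asking for the retired address, which narrows where to look for stale configuration. The sketch below parses raw Ethernet frames and tallies requesters; the frames, the addresses (documentation range 192.0.2.0/24) and the function names are constructed for illustration.

```python
import struct
from collections import Counter

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1

def parse_arp(frame: bytes):
    """Return (op, sender_mac, sender_ip, target_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 14 + 28:
        return None  # truncated capture: Ethernet header + ARP body do not fit
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # not ARP for IPv4 over Ethernet
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    mac = ":".join(f"{b:02x}" for b in sha)
    fmt_ip = lambda raw: ".".join(str(b) for b in raw)
    return op, mac, fmt_ip(spa), fmt_ip(tpa)

def requesters(frames, stale_ip):
    """Count ARP requests for stale_ip, keyed by (sender MAC, sender IP)."""
    counts = Counter()
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed and parsed[0] == ARP_REQUEST and parsed[3] == stale_ip:
            counts[(parsed[1], parsed[2])] += 1
    return counts

def build_request(sender_mac, sender_ip, target_ip):
    """Construct a sample broadcast ARP request frame (test data only)."""
    mac = bytes.fromhex(sender_mac.replace(":", ""))
    ip = lambda s: bytes(int(p) for p in s.split("."))
    eth = b"\xff" * 6 + mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)
    return eth + arp + mac + ip(sender_ip) + b"\x00" * 6 + ip(target_ip)

# Constructed sample: two hosts still ask for the retired address 192.0.2.99.
SAMPLE = [
    build_request("02:00:00:00:00:0a", "192.0.2.10", "192.0.2.99"),
    build_request("02:00:00:00:00:0b", "192.0.2.11", "192.0.2.99"),
    build_request("02:00:00:00:00:0a", "192.0.2.10", "192.0.2.99"),
    build_request("02:00:00:00:00:0a", "192.0.2.10", "192.0.2.1"),
]

if __name__ == "__main__":
    for (mac, ip), n in requesters(SAMPLE, "192.0.2.99").most_common():
        print(f"{ip} ({mac}) asked for 192.0.2.99 {n} time(s)")
```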
