Menu
Reply
jamesmacwhite
  • 102
  • 5
  • 41
Up to speed
689 Views
Message 1 of 4
Flag for a moderator

Is the amount of ARP traffic I'm receiving normal on Cable Broadband?

I was using tcpdump to debug something earlier on my router and noticed my WAN is getting a lot of ARP request traffic, reading into a bit, it suggests this is common on Cable Broadband by design, but after writing the ARP request traffic to a log file, I'm receiving around 80/90 ARP requests per second from VM's network.

This is what the traffic looks like, I have masked the rDNS as they will be VM customers

 

 

16:22:26.779648 ARP, Request who-has cpcxxxxxx-xxxxxx-x-x-custxx.xx-x.cable.virginm.net tell cpcxxxxxx-xxxxx-x-x-gw.xx-x.cable.virginm.net, length 46
16:22:26.804625 ARP, Request who-has cpcxxxxxx-xxxxxx-x-x-custxx.xx-x.cable.virginm.net tell cpcxxxxxx-xxxxx-x-x-gw.xx-x.cable.virginm.net, length 46
16:22:26.835882 ARP, Request who-has cpcxxxxxx-xxxxxx-x-x-custxx.xx-x.cable.virginm.net tell cpcxxxxxx-xxxxx-x-x-gw.xx-x.cable.virginm.net, length 46
16:22:26.860832 ARP, Request who-has cpcxxxxxx-xxxxxx-x-x-custxx.xx-x.cable.virginm.net tell cpcxxxxxx-xxxxx-x-x-gw.xx-x.cable.virginm.net, length 46
16:22:26.879649 ARP, Request who-has cpcxxxxxx-xxxxxx-x-x-custxx.xx-x.cable.virginm.net tell cpcxxxxxx-xxxxx-x-x-gw.xx-x.cable.virginm.net, length 46
16:22:26.898391 ARP, Request who-has cpcxxxxxx-xxxxxx-x-x-custxx.xx-x.cable.virginm.net tell cpcxxxxxx-xxxxx-x-x-gw.xx-x.cable.virginm.net, length 46
16:22:26.904566 ARP, Request who-has cpcxxxxxx-xxxxxx-x-x-custxx.xx-x.cable.virginm.net tell cpcxxxxxx-xxxxx-x-x-gw.xx-x.cable.virginm.net, length 46
16:22:26.942222 ARP, Request who-has cpcxxxxxx-xxxxxx-x-x-custxx.xx-x.cable.virginm.net tell cpcxxxxxx-xxxxx-x-x-gw.xx-x.cable.virginm.net, length 46
16:22:26.960876 ARP, Request who-has cpcxxxxxx-xxxxxx-x-x-custxx.xx-x.cable.virginm.net tell cpcxxxxxx-xxxxx-x-x-gw.xx-x.cable.virginm.net, length 46
16:22:26.967125 ARP, Request who-has cpcxxxxxx-xxxxxx-x-x-custxx.xx-x.cable.virginm.net tell cpcxxxxxx-xxxxx-x-x-gw.xx-x.cable.virginm.net, length 46
16:22:27.017140 ARP, Request who-has cpcxxxxxx-xxxxxx-x-x-custxx.xx-x.cable.virginm.net tell cpcxxxxxx-xxxxx-x-x-gw.xx-x.cable.virginm.net, length 46
16:22:27.023362 ARP, Request who-has cpcxxxxxx-xxxxxx-x-x-custxx.xx-x.cable.virginm.net tell cpcxxxxxx-xxxxx-x-x-gw.xx-x.cable.virginm.net, length 46
16:22:27.029668 ARP, Request who-has cpcxxxxxx-xxxxxx-x-x-custxx.xx-x.cable.virginm.net tell cpcxxxxxx-xxxxx-x-x-gw.xx-x.cable.virginm.net, length 46
16:22:27.035889 ARP, Request who-has cpcxxxxxx-xxxxxx-x-x-custxx.xx-x.cable.virginm.net tell cpcxxxxxx-xxxxx-x-x-gw.xx-x.cable.virginm.net, length 46

 

 

 

If the rDNS wasn't obvious, it looks like it is coming from the cable modem side, as the MAC address identifies as Cadant when viewing Wireshark, which is related to Arris, which I'm sure a lot of us know, is the vendor for the Hub3, but this appears to be the CMTS in VM's network.

jamesmacwhite_0-1601221253156.png

Is this normal? The amount of ARP traffic seems a lot, but it does seem to be something that tends to be the case with cable broadband by the looks of it when reading a few resources.

0 Kudos
Reply
Anonymous
Not applicable
681 Views
Message 2 of 4
Flag for a moderator
Helpful Answer

Re: Is the amount of ARP traffic I'm receiving normal on Cable Broadband?

yes its normal
0 Kudos
Reply
jamesmacwhite
  • 102
  • 5
  • 41
Up to speed
667 Views
Message 3 of 4
Flag for a moderator

Re: Is the amount of ARP traffic I'm receiving normal on Cable Broadband?

Quick response, thank you! I came across an interesting post about it: https://www.dslreports.com/forum/r25953464-TWC-Cadant-CMTS-wth-Hudson-Valley-NY, which has some further information as to the reason why you might see so many ARP requests.

https://www.dslreports.com/faq/4251

Interesting if you like this kind of thing!

0 Kudos
Reply
legacy1
  • 16.25K
  • 710
  • 1.6K
Alessandro Volta
649 Views
Message 4 of 4
Flag for a moderator

Re: Is the amount of ARP traffic I'm receiving normal on Cable Broadband?

The CMTS im on don't do this type of ARP the only ARP I see is when I ARP to the gateway or ARP to a IP in the subnet. So its just the way the gateway is setup or has to be setup.

---------------------------------------------------------------
0 Kudos
Reply