Wireshark running on a server seeing lots of `ARP who has` with different tells

networking arp wireshark

This is normal, especially if whatever at 10.10.0.40 is turned off or disconnected. For example, if 10.10.0.40 is a DNS server and everyone is configured to use it as their primary DNS server then you will get a lot of machines asking for that address. But since it's not on, they will ask a lot and get no response.


That doesn't look out of the ordinary to me, assuming that your 10.10.0.40 address belongs to a sever / printer / other shared resource and your users are on the same subnet & switch.


As suggested by Tim Brigham, this is not out of the ordinary. The devices are doing ARP requests to get the MAC address (layer 2 address) for the 10.10.0.40 address. By having the MAC address, the hosts will be able to connect to it directly, without having to include a Layer3 hop.

For example, if all hosts are on the same subnet and same switch, the machines can connect to 10.10.0.40 without going to a router first (which is necessary for connections on a different network).

Related

What is the cause of "application pool exceeded time limits during shut down"?
How to use realmd in Ubuntu 14.04 LTS to join an Active Directory domain?
How do I block inheritance/application of a single GPO?
Why might the Jenkins user not have permission to access the Docker unix socket?
No space left on device after growing filesystem
SAN with a few SSD drives, or lots of old fashioned HDDs?
Postfix Recipient address rejected: Access denied Error
Ansible: a host appears in more than one group, and both groups have the same tasks in them; any way to run tasks once?
What does MX in SPF mean? [duplicate]
Backup of running KVM qcow2 VPS
Best choice for NTP client configuration
Where does finger connect to by default?