
No traffic seen in Wireshark when I run arp -a

OS: W10 64 bit
Command prompt ran as admin
Wireshark ran as admin
Wireshark versions tested: local install of 3.4.6 and portable 3.4.5

I start the Wireshark capture and then proceed to run a few arp -a requests in the command prompt so I can analyze the traffic in Wireshark. However, when I go to Wireshark the ARP protocol traffic does not appear. I have tried using the display filter arp and using the sort function to hopefully see the ARP traffic at the top, with no luck.

At times some ARP traffic appears, but not consistently. If it does appear as ARP protocol traffic then I see the MAC ID as all 0's or the MAC ID of my router. I would think that I would see ARP traffic from a broadcast MAC of all f's.

Question:

Why can't I see consistent ARP traffic being captured in Wireshark when I run the capture and run the command arp -a? Also, why isn't the broadcast MAC ID of all f's present in the capture of the ARP traffic when it does inconsistently appear?

Any help will be greatly appreciated - thanks!

networkingisfun asked 2021-06-07 15:05:51 +0000
Guy Harris updated 2021-06-07 22:51:19 +0000

Comments

Do NOT run Wireshark with elevated privileges; it's not required and a potential security risk. See Wireshark Security for more info.

What interface are you capturing on?

grahamb (2021-06-07 15:13:49 +0000)

Thanks for the tip and reply.

I am capturing on the ethernet interface.

networkingisfun (2021-06-07 15:53:04 +0000)

2 Answers


arp -a is a passive action showing the contents of the local ARP cache.

You can use arp -d to remove individual entries, or the whole cache with arp -d *.
If there is no entry in the cache, then something needing to access a local (on same subnet) IP address (like ping) will force an ARP request.
In the example below there is only one interface. The subnet is determined from the Default Gateway and Subnet Mask.

arp -d will require Admin permissions.

https://docs.microsoft.com/en-us/wind...

https://docs.microsoft.com/en-us/wind...

C:\WINDOWS\system32>
C:\WINDOWS\system32>ipconfig  | findstr /I gateway
   Default Gateway . . . . . . . . . : 192.168.200.1

C:\WINDOWS\system32>ipconfig  | findstr /I mask
   Subnet Mask . . . . . . . . . . . : 255.255.255.0

C:\WINDOWS\system32>arp -a

Interface: 192.168.200.135 --- 0xf
  Internet Address      Physical Address      Type
  192.168.200.1         f0-9f-xx-xx-xx-xx     dynamic
  192.168.200.2         74-83-xx-xx-xx-xx     dynamic
  192.168.200.37        00-0c-xx-xx-xx-xx     dynamic
  192.168.200.100       bc-8c-xx-xx-xx-xx     dynamic
  192.168.200.205       c8-3a-xx-xx-xx-xx     dynamic
  192.168.200.209       c8-3a-xx-xx-xx-xx     dynamic
  192.168.200.245       00-0c-xx-xx-xx-xx     dynamic
  224.0.0.22            01-00-xx-xx-xx-xx     static
  228.67.43.91          01-00-xx-xx-xx-xx     static
  239.255.255.250       01-00-xx-xx-xx-xx     static

C:\WINDOWS\system32>arp -d *

C:\WINDOWS\system32>arp -a

Interface: 192.168.200.135 --- 0xf
  Internet Address      Physical Address      Type
  192.168.200.1         f0-9f-xx-xx-xx-xx     dynamic
  192.168.200.245       00-0c-xx-xx-xx-xx     dynamic
  224.0.0.22            01-00-xx-xx-xx-xx     static
  228.67.43.91          01-00-xx-xx-xx-xx     static

C:\WINDOWS\system32>
C:\WINDOWS\system32>ping 192.168.200.244

Pinging 192.168.200.244 with 32 bytes of data:
Control-C
^C
C:\WINDOWS\system32>arp -a

Interface: 192.168.200.135 --- 0xf
  Internet Address      Physical Address      Type
  192.168.200.1         f0-9f-xx-xx-xx-xx     dynamic
  192.168.200.37        00-0c-xx-xx-xx-xx     dynamic
  192.168.200.245       00-0c-xx-xx-xx-xx     dynamic
  224.0.0.22            01-00-xx-xx-xx-xx     static
  228.67.43.91          01-00-xx-xx-xx-xx     static

C:\WINDOWS\system32>ping 192.168.200.7

Pinging 192.168.200.7 with 32 bytes of data:
Reply from 192.168.200.7: bytes=32 time=3ms TTL=64

Ping statistics for 192.168.200.7:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 3ms, Maximum = 3ms, Average = 3ms
Control-C
^C
C:\WINDOWS\system32>arp -a

Interface: 192.168.200.135 --- 0xf
  Internet Address      Physical Address      Type
  192.168.200.1         f0-9f-xx-xx-xx-xx     dynamic
  192.168.200.7         b4-fb-xx-xx-xx-xx     dynamic
  192.168.200.37        00-0c-xx-xx-xx-xx     dynamic
  192.168.200.245       00-0c-xx-xx-xx-xx     dynamic
  224.0.0.22            01-00-xx-xx-xx-xx     static
  228.67.43.91          01-00-xx-xx-xx-xx     static

C:\WINDOWS\system32>
Chuckc answered 2021-06-07 16:17:25 +0000
grahamb updated 2021-06-07 16:38:16 +0000

Comments

Thanks so much for the answer! Much appreciated!

networkingisfun (2021-06-07 16:22:00 +0000)

This is the same for clients, servers, routers, etc. An ARP request is sent when there isn't an ARP entry for the destination address. The destination address is in the same subnet as the local interface. The exception is multicast, because it uses a special MAC that is not assigned to any device.

An example: if your PC address is 192.168.1.2, subnet mask 255.255.255.0, gateway 192.168.1.1, the PC will check its ARP table for any traffic with a destination address in the range 192.168.1.0 - 192.168.1.254, excluding 192.168.1.2. The address 192.168.1.255 is broadcast and is assigned ff:ff:ff:ff:ff:ff.

If the user were to try to ping 192.168.1.5, the PC checks the ARP table for 192.168.1.5. If it finds an entry, it uses the entry as the destination MAC. If there isn't an ARP entry, it must send an ARP request. If it doesn't receive an ARP reply, the application will time out.

If the user were to try to ping 8.8.8.8, the PC checks for an ARP entry for the gateway 192.168.1.1 (this is from my example). The destination MAC address for 8.8.8.8 will be the MAC address for 192.168.1.1.

BigFatCat answered 2021-06-08 06:57:24 +0000
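As an added example, not part of either answer above, this Python script puts both answers together: it parses a constructed `arp -a` listing of the kind Chuckc shows into a cache, then applies the rule BigFatCat describes to decide, for each destination, whether a cached MAC, the broadcast MAC, a derived multicast MAC, or a fresh ARP request is used. The addresses, MAC values and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of Windows `arp -a` output, using the addresses from
# BigFatCat's example (PC 192.168.1.2/24, gateway 192.168.1.1).
SAMPLE_ARP_A = """\
Interface: 192.168.1.2 --- 0xf
  Internet Address      Physical Address      Type
  192.168.1.1           f0-9f-00-00-00-01     dynamic
  192.168.1.7           b4-fb-00-00-00-07     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""

# One cache row: dotted-quad IP, dash-separated MAC, type column.
ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+\w+",
    re.IGNORECASE | re.MULTILINE)

def parse_arp_cache(text):
    """Turn `arp -a` output into {ip: mac} with colon-separated lowercase MACs."""
    return {ip: mac.lower().replace("-", ":") for ip, mac in ENTRY_RE.findall(text)}

def multicast_mac(ip):
    """RFC 1112 mapping: 01:00:5e followed by the low 23 bits of the group address."""
    b = ipaddress.IPv4Address(ip).packed
    return "01:00:5e:%02x:%02x:%02x" % (b[1] & 0x7F, b[2], b[3])

def resolve_next_hop(local_ip, mask, gateway, dest, cache):
    """Return (action, next_hop_ip, mac) for a frame to `dest`.

    mac is None for "local" (nothing is sent) and for "arp-request", which
    means the host must first broadcast a request for next_hop_ip.
    """
    net = ipaddress.IPv4Network(f"{local_ip}/{mask}", strict=False)
    d = ipaddress.IPv4Address(dest)
    if d == ipaddress.IPv4Address(local_ip):
        return "local", dest, None                      # own address, no frame
    if d.is_multicast:
        return "multicast", dest, multicast_mac(dest)   # derived MAC, no ARP
    if d in (net.broadcast_address, ipaddress.IPv4Address("255.255.255.255")):
        return "broadcast", dest, "ff:ff:ff:ff:ff:ff"   # fixed MAC, no ARP
    next_hop = dest if d in net else gateway             # off-subnet goes via gateway
    mac = cache.get(next_hop)
    return ("cached" if mac else "arp-request"), next_hop, mac

if __name__ == "__main__":
    cache = parse_arp_cache(SAMPLE_ARP_A)
    for target in ("192.168.1.7", "192.168.1.5", "8.8.8.8", "192.168.1.255", "239.255.255.250"):
        print(target, resolve_next_hop("192.168.1.2", "255.255.255.0", "192.168.1.1", target, cache))
```

Only the "arp-request" outcome produces an ARP frame on the wire, which is why a capture started around `arp -a` alone shows nothing: the listing reads the cache but never triggers a request.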
