ARP Delay when pinging a local machine

This problem was presented to me by one of my professors because it only happened after switching from 100Mb cards to Gigabit NICs. The second ARP request that comes from the computer being pinged (to send a reply back) doesn't get sent until after the pings have gone through. I decided to do some testing at home with a couple of VMs and see if I could find the cause. After clearing the ARP cache on both machines (arp -d) and pinging, I got the same results as my professor, but I can't seem to figure out why. I did some googling and found someone with a similar issue using Linux (I'm using Windows 10). It said something about there being a stale entry within the ARP table as well as something called a first probe delay, but I was never able to find any information about either of those things for Windows. Does anyone know why this might be happening?

Example of what I captured with Wireshark

SkyParrillo
asked 2018-09-23 22:28:24 +0000


1 Answer

Why do you call it an "issue" or "problem"? I can't see any problem here. It's rather an implementation.

To figure out why it's happening, I suspect you need to review the kernel source code (for Linux) or ask a question on some Windows developer forum (for Windows). I performed some tests and found absolutely similar behavior with Windows 7, x64 CentOS, and ARM 32-bit Linux at any speed, no matter 100Mbit/s or 1G.

ARP queries from the PC being pinged are directed, so it seems they're aimed at performing some ARP table maintenance.

Check this very informative thread also.

Packet_vlad
answered 2018-09-24 08:25:12 +0000, updated 2018-09-24 08:35:44 +0000

Comments

I imagine that the NICs being changed had little to do with it, but it was the only thing he had changed in the lab computers before seeing this change. We assumed it would be 2 ARP requests at the top so both machines can retrieve the MAC address of the other system. So it would go something like:

  1. ARP Request
  2. ARP Reply
  3. ICMP Packet Sent
  4. ARP Request
  5. ARP Reply
  6. ICMP Packet Received
  7. ICMP Packet Sent
  8. ICMP Packet Received

I'm assuming the computer is smarter than that and can do the first 5 packets or so in a single ARP request. I'm not sure if a protocol has changed within a Windows machine or if it's simply because there was an issue with the previous cards.

I also saw that thread during my googling before posting this question, I was just hoping someone could explain a bit better as to ... (more)

SkyParrillo (2018-09-24 15:19:20 +0000)

Don't forget that the PC being pinged does not need to do an ARP request at all; it just takes the source MAC from the incoming ICMP packet (or even earlier, from the very first incoming ARP request) and places it in the "destination MAC" field of the ARP and later ICMP reply.

This is why I thought about some additional maintenance/verification process.

Packet_vlad (2018-09-24 17:33:22 +0000)

Did some more tests: Ubuntu 18.04, Debian with Kernel 2.6.32, Mobotix IP camera (Linux based), Kernel 2.6.37, Rubytech Gigabit PoE switch with custom FW, Angstrom Linux ARM.

So, the pattern is quite consistent.

Whereas with ESXi 5 and Cisco IOS 12 the pattern was not observed.

Packet_vlad (2018-09-25 09:56:21 +0000)
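
Added example, not part of the original thread and not any poster's code: a Python parser that separates broadcast ARP requests from the directed (unicast) ones the answer above describes, run over a constructed capture of host A pinging host B. The MAC and IP addresses, the frame sequence and all function names are assumptions made for illustration.

```python
import struct

BROADCAST = b"\xff" * 6
ETH_ARP, ETH_IPV4 = 0x0806, 0x0800

def build_arp(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Build an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet."""
    header = eth_dst + eth_src + struct.pack("!H", ETH_ARP)
    return header + struct.pack("!HHBBH", 1, ETH_IPV4, 6, 4, op) + sha + spa + tha + tpa

def classify(frame):
    """Label one frame; None means it is not a well-formed Ethernet/IPv4 ARP packet."""
    if len(frame) < 42:                      # 14-byte Ethernet + 28-byte ARP
        return None
    eth_dst, _, ethertype = struct.unpack("!6s6sH", frame[:14])
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if ethertype != ETH_ARP or (htype, ptype, hlen, plen) != (1, ETH_IPV4, 6, 4):
        return None
    if op == 2:
        return "reply"
    if op == 1:
        # Same opcode either way; only the Ethernet destination tells them apart.
        return "broadcast-request" if eth_dst == BROADCAST else "directed-request"
    return None

def directed_requests(frames):
    """Return (frame index, sender IP, target IP) for each unicast ARP request."""
    hits = []
    for i, frame in enumerate(frames):
        if classify(frame) == "directed-request":
            spa, tpa = frame[28:32], frame[38:42]
            hits.append((i, ".".join(map(str, spa)), ".".join(map(str, tpa))))
    return hits

# Constructed sample capture (not the poster's trace): host A pings host B.
A_MAC, B_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
A_IP, B_IP = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])
ZERO = b"\x00" * 6
ICMP = B_MAC + A_MAC + struct.pack("!H", ETH_IPV4) + b"\x00" * 28  # stand-in for a ping frame
CAPTURE = [
    build_arp(BROADCAST, A_MAC, 1, A_MAC, A_IP, ZERO, B_IP),  # A: who has B? (broadcast)
    build_arp(A_MAC, B_MAC, 2, B_MAC, B_IP, A_MAC, A_IP),     # B: reply to A
    ICMP, ICMP, ICMP, ICMP,                                   # echo request/reply pairs
    build_arp(A_MAC, B_MAC, 1, B_MAC, B_IP, ZERO, A_IP),      # B: who has A? (unicast to A)
    build_arp(B_MAC, A_MAC, 2, A_MAC, A_IP, B_MAC, B_IP),     # A: reply to B
]

if __name__ == "__main__":
    print([classify(f) for f in CAPTURE], directed_requests(CAPTURE))
```

On a real capture, the Wireshark display filter arp.opcode == 1 && !(eth.dst == ff:ff:ff:ff:ff:ff) selects the same directed requests.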
