Ricardo Caririo

Shortly after installing Adaware on a Windows Server 2008 R2 machine we received the following from the hosting company

~~

I'm contacting you in regards to your server - we've noticed that our switching infrastructure is dropping a number of ARP packets coming from this server. From reading the logs we're getting, it looks as though it's ARP requests for other IP addresses in the same range as this server that are being dropped. I've included some of the log output below for your reference:

Apr 26 12:00:43.880 UTC: %SW_DAI-4-INVALID_ARP: 1 Invalid ARPs (Req) on Gi0/24, vlan 226.([0019.99d4.f230/88.208.237.121/0000.0000.0000/88.208.236.142/12:00:43 UTC Wed Apr 26 2017])
Apr 26 12:00:43.880 UTC: %SW_DAI-4-INVALID_ARP: 1 Invalid ARPs (Req) on Gi0/24, vlan 226.([0019.99d4.f230/88.208.237.121/0000.0000.0000/88.208.237.192/12:00:43 UTC Wed Apr 26 2017])
Apr 26 12:00:43.880 UTC: %SW_DAI-4-INVALID_ARP: 1 Invalid ARPs (Req) on Gi0/24, vlan 226.([0019.99d4.f230/88.208.237.121/0000.0000.0000/88.208.237.4/12:00:43 UTC Wed Apr 26 2017])
Apr 26 12:00:43.880 UTC: %SW_DAI-4-INVALID_ARP: 1 Invalid ARPs (Req) on Gi0/24, vlan 226.([0019.99d4.f230/88.208.237.121/0000.0000.0000/88.208.238.214/12:00:43 UTC Wed Apr 26 2017])
Apr 26 12:00:43.880 UTC: %SW_DAI-4-INVALID_ARP: 1 Invalid ARPs (Req) on Gi0/24, vlan 226.([0019.99d4.f230/88.208.237.121/0000.0000.0000/88.208.238.81/12:00:43 UTC Wed Apr 26 2017])
Apr 26 12:03:13.575 UTC: %SW_DAI-4-INVALID_ARP: 1 Invalid ARPs (Req) on Gi0/24, vlan 226.([0019.99d4.f230/88.208.237.121/0000.0000.0000/88.208.238.63/12:03:13 UTC Wed Apr 26 2017])

Upon closer inspection, we see the ARP requests contain the correct source MAC address and IP address, however the target MAC address in the ARP packet itself is set to be 00:00:00:00:00:00 which is invalid. Additionally, the Ethernet header on the packet itself lists both the source and destination MAC addresses as being 00:00:00:00:00:00.

The likely causes of these are due to bugs/glitches in the Network Adapter Driver, bugs/glitches in software running on the server, or in some cases where Virtualisation services such as Hyper-V or VMWare that have been enabled but not fully configured.

Our logs first started recording these ARP packets being seen at 20:55 last night (25th April). These don't look to be malicious in any way and from our perspective we don't see this as causing any issues to any of our infrastructure or to other customers, rather they look to be the result of something being incorrect in software and are being blocked automatically by the switching infrastructure.

Could I ask you to take a look over your server to check into the source of these packets?

~~

20:55 on 25th April was when I installed Adaware so one can't help but suspect that Adaware is the source of these packets. The hosting company doesn't seem to be alarmed but they would appreciate an explanation and, ideally, that they should stop.

Can anyone help? TIA
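Switch messages of the kind quoted in the post can be triaged by grouping the drops per port and sender and computing the smallest prefix that covers everything the sender ARPed for. The following Python is an added example, not part of the original post or the hosting company's tooling; the function names are hypothetical, the sample lines are constructed with documentation addresses, and the field order inside `([...])` is assumed to be sender MAC / sender IP / target MAC / target IP / timestamp.

```python
import ipaddress
import re

# Assumed field order inside ([...]): sender MAC / sender IP / target MAC /
# target IP / timestamp. finditer() also copes with entries run together on one line.
DAI_RE = re.compile(
    r"%SW_DAI-4-INVALID_ARP: (?P<count>\d+) Invalid ARPs \((?P<op>\w+)\) on "
    r"(?P<port>[^,\s]+), vlan (?P<vlan>\d+)\.\(\[(?P<smac>[0-9a-fA-F.]+)/"
    r"(?P<sip>[\d.]+)/(?P<tmac>[0-9a-fA-F.]+)/(?P<tip>[\d.]+)/(?P<when>[^\]]+)\]\)"
)

# Constructed sample (documentation addresses), same layout as the quoted log.
_T = ("Apr 26 {t}.880 UTC: %SW_DAI-4-INVALID_ARP: 1 Invalid ARPs (Req) on Gi0/24, vlan 226."
      "([0200.0000.0001/198.51.100.121/0000.0000.0000/{tip}/{t} UTC Wed Apr 26 2017])")
SAMPLE = " ".join(_T.format(t=t, tip=ip) for t, ip in [
    ("12:00:43", "198.51.100.4"),
    ("12:00:43", "198.51.100.192"),
    ("12:03:13", "198.51.101.63"),
])


def summarize(text):
    """Group DAI drops by (port, vlan, sender MAC, sender IP)."""
    out = {}
    for m in DAI_RE.finditer(text):
        key = (m["port"], int(m["vlan"]), m["smac"].lower(), m["sip"])
        s = out.setdefault(key, {"packets": 0, "targets": set(),
                                 "zero_target_mac": 0, "first": m["when"], "last": None})
        s["packets"] += int(m["count"])
        s["targets"].add(m["tip"])
        # Count log entries whose target hardware address is all zeros.
        s["zero_target_mac"] += m["tmac"] == "0000.0000.0000"
        s["last"] = m["when"]
    return out


def enclosing_prefix(sender_ip, target_ips):
    """Smallest IPv4 network holding the sender and every target it ARPed for."""
    net = ipaddress.ip_network(sender_ip + "/32")
    targets = [ipaddress.ip_address(t) for t in target_ips]
    while not all(t in net for t in targets):
        net = net.supernet()  # widen by one bit until every target fits
    return net


if __name__ == "__main__":
    for (port, vlan, smac, sip), s in summarize(SAMPLE).items():
        print(port, vlan, smac, sip, s["packets"], "drops,", len(s["targets"]),
              "targets within", enclosing_prefix(sip, s["targets"]),
              "| first", s["first"], "| last", s["last"])
```

Comparing the first-seen timestamp and the enclosing prefix against the server's configured subnet mask and recent software changes helps narrow down which component is generating the requests.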