Ricardo Caririo

ARP Requests

Question

Shortly after installing Adaware on a Windows Server 2008 R2 machine we received the following from the hosting company:

~~

I'm contacting you in regards to your server - we've noticed that our switching infrastructure is dropping a number of ARP packets coming from this server. From reading the logs we're getting, it looks as though it's ARP requests for other IP addresses in the same range as this server that are being dropped. I've included some of the log output below for your reference:

 

Apr 26 12:00:43.880 UTC: %SW_DAI-4-INVALID_ARP: 1 Invalid ARPs (Req) on Gi0/24, vlan 226.([0019.99d4.f230/88.208.237.121/0000.0000.0000/88.208.236.142/12:00:43 UTC Wed Apr 26 2017])
Apr 26 12:00:43.880 UTC: %SW_DAI-4-INVALID_ARP: 1 Invalid ARPs (Req) on Gi0/24, vlan 226.([0019.99d4.f230/88.208.237.121/0000.0000.0000/88.208.237.192/12:00:43 UTC Wed Apr 26 2017])
Apr 26 12:00:43.880 UTC: %SW_DAI-4-INVALID_ARP: 1 Invalid ARPs (Req) on Gi0/24, vlan 226.([0019.99d4.f230/88.208.237.121/0000.0000.0000/88.208.237.4/12:00:43 UTC Wed Apr 26 2017])
Apr 26 12:00:43.880 UTC: %SW_DAI-4-INVALID_ARP: 1 Invalid ARPs (Req) on Gi0/24, vlan 226.([0019.99d4.f230/88.208.237.121/0000.0000.0000/88.208.238.214/12:00:43 UTC Wed Apr 26 2017])
Apr 26 12:00:43.880 UTC: %SW_DAI-4-INVALID_ARP: 1 Invalid ARPs (Req) on Gi0/24, vlan 226.([0019.99d4.f230/88.208.237.121/0000.0000.0000/88.208.238.81/12:00:43 UTC Wed Apr 26 2017])
Apr 26 12:03:13.575 UTC: %SW_DAI-4-INVALID_ARP: 1 Invalid ARPs (Req) on Gi0/24, vlan 226.([0019.99d4.f230/88.208.237.121/0000.0000.0000/88.208.238.63/12:03:13 UTC Wed Apr 26 2017])

 

Upon closer inspection, we see the ARP requests contain the correct source MAC address and IP address, however the target MAC address in the ARP packet itself is set to be 00:00:00:00:00:00 which is invalid. Additionally, the Ethernet header on the packet itself lists both the source and destination MAC addresses as being 00:00:00:00:00:00.

 

The likely causes of these are due to bugs/glitches in the Network Adapter Driver, bugs/glitches in software running on the server, or in some cases where Virtualisation services such as Hyper-V or VMware that have been enabled but not fully configured. Our logs first started recording these ARP packets being seen at 20:55 last night (25th April).

 

These don't look to be malicious in any way and from our perspective we don't see this as causing any issues to any of our infrastructure or to other customers, rather they look to be the result of something being incorrect in software and are being blocked automatically by the switching infrastructure.

 

Could I ask you to take a look over your server to check into the source of these packets?

~~

 

20:55 on 25th April was when I installed Adaware, so one can't help but suspect that Adaware is the source of these packets.

The hosting company doesn't seem to be alarmed but they would appreciate an explanation and, ideally, that they should stop.

Can anyone help?

TIA
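The switch log lines quoted above are in Cisco's Dynamic ARP Inspection format, where the bracketed fields are sender MAC, sender IP, target MAC, target IP and timestamp. As an added example that is not part of the original post, the Python below parses such lines and groups the drops per sender, so the first-seen time can be compared against change records such as a software install. The sample lines, their addresses and the `local_net` value are constructed.

```python
import ipaddress
import re
from datetime import datetime

# Bracketed fields: sender MAC / sender IP / target MAC / target IP / timestamp
DAI_RE = re.compile(
    r"%SW_DAI-4-(?P<reason>\w+): (?P<count>\d+) Invalid ARPs \((?P<op>Req|Res)\) "
    r"on (?P<port>\S+), vlan (?P<vlan>\d+)\.\(\[(?P<smac>[0-9a-f.]+)/(?P<sip>[\d.]+)/"
    r"(?P<tmac>[0-9a-f.]+)/(?P<tip>[\d.]+)/(?P<when>[^\]]+)\]\)", re.I)

# Constructed sample lines (documentation addresses, not taken from the post).
SAMPLE = [
    "Jan 15 09:10:01.100 UTC: %SW_DAI-4-INVALID_ARP: 1 Invalid ARPs (Req) on Gi0/1, vlan 10."
    "([0200.5e00.5301/192.0.2.10/0000.0000.0000/192.0.2.20/09:10:01 UTC Thu Jan 15 2026])",
    "Jan 15 09:10:01.100 UTC: %SW_DAI-4-INVALID_ARP: 1 Invalid ARPs (Req) on Gi0/1, vlan 10."
    "([0200.5e00.5301/192.0.2.10/0000.0000.0000/192.0.2.21/09:10:01 UTC Thu Jan 15 2026])",
    "Jan 15 09:11:00.000 UTC: %LINK-3-UPDOWN: Interface Gi0/2, changed state to up",
    "Jan 15 09:12:30.450 UTC: %SW_DAI-4-INVALID_ARP: 1 Invalid ARPs (Req) on Gi0/1, vlan 10."
    "([0200.5e00.5301/192.0.2.10/0000.0000.0000/198.51.100.7/09:12:30 UTC Thu Jan 15 2026])",
]

def parse_dai(line):
    """Return one DAI drop as a dict, or None for unrelated log lines."""
    m = DAI_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    rec["tip"] = ipaddress.ip_address(rec["tip"])
    # Day and month names are parsed with the default (English) locale.
    rec["when"] = datetime.strptime(rec["when"], "%H:%M:%S UTC %a %b %d %Y")
    return rec

def summarize(lines, local_net):
    """Group drops by (port, sender MAC, sender IP) for triage."""
    net = ipaddress.ip_network(local_net)
    out = {}
    for rec in filter(None, map(parse_dai, lines)):
        key = (rec["port"], rec["smac"], rec["sip"])
        s = out.setdefault(key, {"packets": 0, "targets": set(), "off_net": set(),
                                 "first": rec["when"], "last": rec["when"]})
        s["packets"] += rec["count"]
        s["targets"].add(rec["tip"])
        if rec["tip"] not in net:  # target outside the sender's own subnet
            s["off_net"].add(rec["tip"])
        s["first"], s["last"] = min(s["first"], rec["when"]), max(s["last"], rec["when"])
    return out

if __name__ == "__main__":
    for key, s in summarize(SAMPLE, "192.0.2.0/24").items():
        print(key, s["packets"], "drops,", len(s["targets"]), "targets,",
              len(s["off_net"]), "off-net,", s["first"], "->", s["last"])
```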


1 answer to this question


Hi Ricardo,

According to the specification of adaware antivirus on https://www.adaware.com/antivirus it's only designed for Windows 10, 8.x and 7, not any server version. If adaware software (Lavasoft) has sold adaware antivirus to your company knowing that you planned to install it on a server version, I suggest that you contact the support team: http://www.lavasoft.com/mylavasoft/support/supportcenter/technicalproblems/adaware_critical_problem_report
