Windows 服务器不断向离线设备发送 ARP 请求

tag-icon tag-icon network-monitoring arp windows-server-2003-r2
Windows 服务器不断向离线设备发送 ARP 请求

我们有一台 Windows 2003r2 服务器,它正在向网络上不再存在的几个设备发送间歇性 ARP 请求。这会导致通过 modbus 运行的 PLC 中断。
该服务器在我们的网络上运行 DHCP、打印服务和文件共享,我们尚未尝试将其关闭。它在专用 IBM 服务器上运行,并在 NIC 上进行分组。
最糟糕的情况是,服务器将在 1 毫秒内向同一组设备发送大约 4 个 Who Has 请求,其中 PLC 是其中之一 - 这很奇怪,因为它在网络上 - 也许它不支持 ARP?

No.     Time               Source                Destination           Protocol Length Info
1522 11:49:26.578133000 Ibm_28:2d:e6          Broadcast             ARP      60     Who has 192.168.6.245?  Tell 192.168.6.227 (duplicate use of 192.168.6.227 detected!)

Frame 1522: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
Ethernet II, Src: Ibm_28:2d:e6 (00:14:5e:28:2d:e6), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
[Duplicate IP address detected for 192.168.6.227 (00:14:5e:28:2d:e6) - also in use by 00:14:5e:28:2d:e7 (frame 1437)]
Address Resolution Protocol (request)

No.     Time               Source                Destination           Protocol Length Info
   1523 11:49:26.578137000 Ibm_28:2d:e6          MoxaTech_2d:ec:26     ARP      60         Who has 192.168.6.193?  Tell 192.168.6.227 (duplicate use of 192.168.6.227 detected!)

Frame 1523: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
Ethernet II, Src: Ibm_28:2d:e6 (00:14:5e:28:2d:e6), Dst: MoxaTech_2d:ec:26 (00:90:e8:2d:ec:26)
[Duplicate IP address detected for 192.168.6.227 (00:14:5e:28:2d:e6) - also in use by     00:14:5e:28:2d:e7 (frame 1437)]
Address Resolution Protocol (request)

No.     Time               Source                Destination           Protocol Length Info
   1524 11:49:26.578139000 Ibm_28:2d:e6          192.168.6.73          ARP      60         Who has 192.168.6.73?  Tell 192.168.6.227 (duplicate use of 192.168.6.227 detected!)

Frame 1524: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
Ethernet II, Src: Ibm_28:2d:e6 (00:14:5e:28:2d:e6), Dst: 192.168.6.73      (00:15:b7:44:58:52)
[Duplicate IP address detected for 192.168.6.227 (00:14:5e:28:2d:e6) - also in use by    00:14:5e:28:2d:e7 (frame 1437)]
Address Resolution Protocol (request)

No.     Time               Source                Destination           Protocol Length Info
   1525 11:49:26.578148000 192.168.6.73          Ibm_28:2d:e6          ARP      42         192.168.6.73 is at 00:15:b7:44:58:52 (duplicate use of 192.168.6.227 detected!)

Frame 1525: 42 bytes on wire (336 bits), 42 bytes captured (336 bits) on interface 0
Ethernet II, Src: 192.168.6.73 (00:15:b7:44:58:52), Dst: Ibm_28:2d:e6     (00:14:5e:28:2d:e6)
[Duplicate IP address detected for 192.168.6.227 (00:14:5e:28:2d:e6) - also in use by  00:14:5e:28:2d:e7 (frame 1437)]
 Address Resolution Protocol (reply)

No.     Time               Source                Destination           Protocol Length Info
   1526 11:49:26.578723000 Ibm_28:2d:e6          Inventec_88:ea:a4     ARP      60     Who has 192.168.6.38?  Tell 192.168.6.227 (duplicate use of 192.168.6.227 detected!)

Frame 1526: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
Ethernet II, Src: Ibm_28:2d:e6 (00:14:5e:28:2d:e6), Dst: Inventec_88:ea:a4 (00:26:6c:88:ea:a4)
[Duplicate IP address detected for 192.168.6.227 (00:14:5e:28:2d:e6) - also in use by  00:14:5e:28:2d:e7 (frame 1437)]
Address Resolution Protocol (request)

No.     Time               Source                Destination           Protocol Length Info
   1527 11:49:26.578725000 Ibm_28:2d:e6          Hewlett-_dc:a8:b2     ARP      60         Who has 192.168.6.200?  Tell 192.168.6.227

Frame 1527: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
Ethernet II, Src: Ibm_28:2d:e6 (00:14:5e:28:2d:e6), Dst: Hewlett-_dc:a8:b2 (b4:99:ba:dc:a8:b2)
Address Resolution Protocol (request)

No.     Time               Source                Destination           Protocol Length Info
   1528 11:49:26.578727000 Ibm_28:2d:e6          192.168.6.56          ARP      60         Who has 192.168.6.56?  Tell 192.168.6.227 (duplicate use of 192.168.6.227 detected!)

Frame 1528: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
Ethernet II, Src: Ibm_28:2d:e6 (00:14:5e:28:2d:e6), Dst: 192.168.6.56 (00:00:54:10:77:b5)
[Duplicate IP address detected for 192.168.6.227 (00:14:5e:28:2d:e6) - also in use by 00:14:5e:28:2d:e7 (frame 1527)]
Address Resolution Protocol (request)

No.     Time               Source                Destination           Protocol Length Info
   1529 11:49:26.578729000 Ibm_28:2d:e6          Fuji-Xer_2a:7f:c6     ARP      60         Who has 192.168.6.245?  Tell 192.168.6.227 (duplicate use of 192.168.6.227 detected!)

Frame 1529: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
Ethernet II, Src: Ibm_28:2d:e6 (00:14:5e:28:2d:e6), Dst: Fuji-Xer_2a:7f:c6 (08:00:37:2a:7f:c6)
[Duplicate IP address detected for 192.168.6.227 (00:14:5e:28:2d:e6) - also in use by 00:14:5e:28:2d:e7 (frame 1527)]
Address Resolution Protocol (request)

其中包括监控交换机上 PLC 端口的 Wireshark 的捕获。上面的输出又重复了 5 次。这反过来会终止 modbus 输出。
它似乎会半定期地发生 - 它会像上面一样吐出大约 40 帧(4 或 5 次迭代),然后 3 秒后,它只会吐出一批(一次迭代)。
我已经:重新启动打印服务;刷新 ARP 缓存;并确保这些主机绝对不存在。
任何帮助都将不胜感激!!
编辑:附加图片:
Wireshark 捕获

答案1

如果您的 PLC 因一些零散的 ARP 数据包而发生故障,我认为您最好隔离 PLC 网络!这不是过多的流量,除非 PLC 存在 MAC 或 IP 地址冲突,否则我真的不明白 PLC 怎么会/为什么会故障。

如果我没看错的话,看起来组合的 NIC 都响应同一个 IP。我不认为这是你的问题,但我确实想指出这可能是一个转移注意力的借口。

您的机器上可能有一些服务正在尝试与这些现已断开连接的设备进行通信。如果您想找到该服务,您可能会很幸运地让某些东西响应这些 ARP 请求,然后查看服务器尝试使用哪种协议与目的地进行通信。

我想知道你是否会看到一些 Broadcom 驱动程序和 ARP 泛洪问题,但您的数据包数量听起来还不足以成为论坛中描述的问题。

相关内容