Arch Linux

bowlin

Member

Registered: 2025-02-27

Posts: 59

[Solved] ARP requests to my own machine and my phone in tcpdump

Got curious as to where I'm getting incoming traffic from even though every process was closed. ss narrowed it down to dhcpcd, three processes for it.

Then I checked tcpdump and I get this output every six seconds or so:

22:05:29.488506 ARP, Request who-has my-phone.home (Broadcast) tell _gateway, length 46
22:05:29.682353 ARP, Request who-has this-pc (Broadcast) tell _gateway, length 46
22:05:29.682363 ARP, Reply this-pc is-at xx:xx:xx:xx:xx:xx (oui Unknown), length 28

Why is it continuosly sending those requests? Is it because of tcpdump itself? I'm on ethernet, and I don't really know what I'm doing but this peaked my interest.

I get that it would send it once and then once it has discovered them it wouldn't (?) send them?

Thanks.

Last edited by bowlin (2025-04-05 11:38:23)

Brocellous

Member

Registered: 2017-11-27

Posts: 155

Re: [Solved] ARP requests to my own machine and my phone in tcpdump

Neighbor entries are periodically staled and need to be refreshed because the owner of an address can change.

dimich

Member

From: Kharkiv, Ukraine

Registered: 2009-11-03

Posts: 414

Re: [Solved] ARP requests to my own machine and my phone in tcpdump

22:05:29.488506 ARP, Request who-has my-phone.home (Broadcast) tell _gateway, length 46
22:05:29.682353 ARP, Request who-has this-pc (Broadcast) tell _gateway, length 46

These ARP requests are from your router.

22:05:29.682363 ARP, Reply this-pc is-at xx:xx:xx:xx:xx:xx (oui Unknown), length 28

This is reply from your PC.

Why is it continuosly sending those requests?

Your router needs to know what to fill in destination MAC address field of ethernet frame for IP packets.

ss narrowed it down to dhcpcd, three processes for it.

ARP requests aren't specific for DHCP. However, DHCP may trigger them as well as any other IP communication.

bowlin

Member

Registered: 2025-02-27

Posts: 59

Re: [Solved] ARP requests to my own machine and my phone in tcpdump

Aha, alright.

Why am I seeing ARP requests for my phone if my PC has nothing (?) to do with it?

--- Edit ---
In general, is it normal to see small amounts of traffic like that when you have an internet connection without having any external programs open?

Last edited by bowlin (2025-03-30 12:17:20)

Brocellous

Member

Registered: 2017-11-27

Posts: 155

Re: [Solved] ARP requests to my own machine and my phone in tcpdump

Why am I seeing ARP requests for my phone if my PC has nothing (?) to do with it?

What shows in your capture are broadcast arp probes. They are l2 broadcast frames visible to every host on the link, since the purpose is to identify the owner of the IP address. The target of the query is an IP address but tcpdump has replaced the address with a hostname without the -n option to disable address resolution.

bowlin

Member

Registered: 2025-02-27

Posts: 59

Re: [Solved] ARP requests to my own machine and my phone in tcpdump

So am I wrong in saying that if someone else also connects to the same network, then there would be more arp probes? Also it seems that the arp probing happens regardless if my phone is in a quest wifi.

dimich

Member

From: Kharkiv, Ukraine

Registered: 2009-11-03

Posts: 414

Re: [Solved] ARP requests to my own machine and my phone in tcpdump

So am I wrong in saying that if someone else also connects to the same network, then there would be more arp probes?

There would be more arp probes if any host on the network is going to send a packet to another host, and MAC address of destination is not in sender's ARP cache.

Also it seems that the arp probing happens regardless if my phone is in a quest wifi.

If I remember correctly, when ARP cache entry expires, it should be removed from the cache and forgotten. So if none of hosts on the network want to send anything, no ARP requests. They will be sent when needed.
However, router may keep ARP cache up-to-date by sending requests periodically to speed up packet forwarding. It may check DHCP clients availability. It depends on router's firmware.