Debugging ARP Request Flooding: How to Identify the Process Generating Excessive ARP Traffic on Linux Gateway


2 views

When monitoring network traffic using tcpdump -n arp, you might observe your gateway (211.123.123.242 in this case) generating numerous ARP requests for seemingly non-existent IP addresses in its subnet. This behavior typically indicates one of three scenarios:

# Typical ARP request pattern in the problem case
16:51:03.662114 ARP, Request who-has 211.123.123.251 tell 211.123.123.242, length 28
16:51:03.954113 ARP, Request who-has 211.123.123.246 tell 211.123.123.242, length 28

To pinpoint the process responsible:

# Method 1: Using strace to monitor socket operations
sudo strace -f -e trace=network -p $(pgrep -f process_name)

# Method 2: Network namespace inspection (for containerized environments)
sudo nsenter -t $(pidof process_name) -n tcpdump -n arp

# Method 3: System-wide socket monitoring
sudo ss -tulnp | grep 211.123.123

Based on network patterns, these are likely causes:

# 1. Misconfigured monitoring tools (Example: Nagios check)
/usr/lib/nagios/plugins/check_ping -H 211.123.123.246 -w 100,10% -c 200,20%

# 2. Outdated ARP cache (Force refresh with)
ip -s -s neigh flush all

# 3. Background services scanning network (Example: nmap remains)
ps aux | grep -E 'nmap|masscan|zmap'

For deeper analysis:

# Check kernel ARP tables and statistics
cat /proc/net/arp
grep -i arp /proc/net/netstat

# Monitor ARP-related kernel events
sudo perf probe --add 'arp_send size=28'
sudo perf stat -e 'probe:arp_send' -a sleep 10

Here's a step-by-step approach I use in production:

#!/bin/bash
# Step 1: Capture ARP traffic with process context
sudo tcpdump -i eth0 -nn -p arp -w arp_capture.pcap &
TCPDUMP_PID=$!

# Step 2: Monitor system calls in parallel
sudo strace -f -e trace=network -p 1-100000 2>&1 | grep -i 'socket\|connect' &
STRACE_PID=$!

# Step 3: Correlate timestamps
sleep 30
kill $TCPDUMP_PID $STRACE_PID

For modern kernels (4.4+), use BPF for low-overhead inspection:

# Trace ARP transmission with process info
sudo bpftrace -e 'kretprobe:arp_send {
    printf("ARP sent by PID %d (%s): %s\n", pid, comm, str(arg1));
}'

After identifying potential processes:

# Confirm with process network connections
sudo lsof -i -n -P | grep 211.123.123
sudo cat /proc/[PID]/net/tcp

When monitoring network traffic using tcpdump -n arp, you might observe frequent ARP requests originating from your gateway itself. This typically indicates one of two scenarios:

# Example of problematic ARP output
16:51:03.662114 ARP, Request who-has 211.123.123.251 tell 211.123.123.242
16:51:03.954113 ARP, Request who-has 211.123.123.246 tell 211.123.123.242

To identify the root cause, we'll need several diagnostic approaches:

# 1. Check active connections attempting to reach unavailable IPs
sudo ss -tunp | grep 211.123.123.24

# 2. Monitor system processes generating network traffic
sudo strace -f -e trace=network -p $(pgrep -f potential_process_name)

# 3. Advanced ARP monitoring with arpwatch
sudo arpwatch -i eth0 -d

Based on the gateway configuration shown:

2: eth0:  mtu 1500 qdisc pfifo_fast state UNKNOWN
    inet 211.123.123.242/28 brd 211.123.123.255

Potential issues include:

# Misconfigured services trying to connect to unavailable IPs
sudo netstat -tulnp | grep -E '211\.123\.123\.24[0-9]'

# Kernel ARP behavior tuning (if needed)
echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce

Here's a Python script to log ARP anomalies:

#!/usr/bin/env python3
from scapy.all import sniff, ARP
import time

def arp_monitor(pkt):
    if ARP in pkt and pkt[ARP].op == 1:  # who-has
        if pkt[ARP].psrc == "211.123.123.242":
            print(f"[{time.ctime()}] Suspicious ARP: {pkt[ARP].pdst}")

sniff(prn=arp_monitor, filter="arp", store=0)

For gateways in similar /28 networks:

# Recommended iptables rule to log suspicious traffic
iptables -A OUTPUT -d 211.123.123.240/28 -j LOG --log-prefix "SUSPECT_OUT: "

Remember to check for:

  • DNS misconfigurations pointing to unavailable IPs
  • Cron jobs attempting network connections
  • Monitoring systems scanning the network

For deep inspection of kernel-level ARP generation:

# SystemTap script to trace ARP requests
probe kernel.function("arp_send") {
    printf("ARP sent by PID %d (%s) to %s\n", 
           pid(), execname(), 
           ip_ntop(@cast($skb->head + $skb->network_header, "iphdr")->daddr));
}