Windows 2008/Vista/7 ARP Cache

Starting with Windows 2008 for servers and Vista for workstations, Microsoft decided to implement RFC 4861 (the IPv6 Neighbor Discovery RFC; Windows applies its neighbor unreachability detection to the IPv4 ARP cache as well). You can read about it here.

Now, I know that you haven’t really read it! So here is a short summary:
  • The ARP cache has the following states: Reachable and Stale
  • Reachable is the old “resolved” state
  • Stale means that the entry wasn’t used for some time. “Not used” means there has been no positive confirmation of two-way communication with the host in that ARP cache entry.
  • If the host wants to send traffic to an entry which is in Stale state, it will send a reachability probe.
  • A reachability probe is a unicast ARP request. Yes, a UNICAST ARP.
  • If there is an answer, or return traffic from that host suddenly arrives, the state goes back to Reachable

Here was my question: while the entry is in “Stale” state, will Windows send the packet that triggered the probing right away, or will it hold the packet until the reachability check completes?

The answer: it sends it right away. As long as there is a Reachable or Stale entry in the ARP cache, Windows won’t delay the packet.

I won’t bother you with the lab setup details, I’ll just show the dump:

1360422920.568726 00:00:0a:04:06:01 ff:ff:ff:ff:ff:ff 8100 64: 802.1Q vid 6 pri 0 arp who-has 10.4.6.8 tell 10.4.6.1


A Windows machine at 10.4.6.1 is looking for 10.4.6.8.

1360422920.602252 00:00:0a:04:06:c8 00:00:0a:04:06:01 8100 46: 802.1Q vid 6 pri 0 arp reply 10.4.6.8 is-at 00:00:0a:04:06:c8


My lab machine (scapy) sends an answer with a non-existent MAC.


1360422920.604391 00:00:0a:04:06:01 00:00:0a:04:06:c8 8100 78: 802.1Q vid 6 pri 0 10.4.6.1 > 10.4.6.8: icmp: echo request (id:0001 seq:152) (ttl 128, id 311, len 60)
1360422922.068152 00:00:0a:04:06:01 00:00:0a:04:06:c8 8100 78: 802.1Q vid 6 pri 0 10.4.6.1 > 10.4.6.8: icmp: echo request (id:0001 seq:153) (ttl 128, id 312, len 60)


Windows is sending ICMP echo requests but never gets an answer. Notice that there is a request every second. The first field in this dump is the time in seconds since the epoch.


1360422923.568005 00:00:0a:04:06:01 00:00:0a:04:06:c8 8100 78: 802.1Q vid 6 pri 0 10.4.6.1 > 10.4.6.8: icmp: echo request (id:0001 seq:154) (ttl 128, id 313, len 60)
1360422925.068738 00:00:0a:04:06:01 00:00:0a:04:06:c8 8100 78: 802.1Q vid 6 pri 0 10.4.6.1 > 10.4.6.8: icmp: echo request (id:0001 seq:155) (ttl 128, id 314, len 60)
1360422926.568041 00:00:0a:04:06:01 00:00:0a:04:06:c8 8100 78: 802.1Q vid 6 pri 0 10.4.6.1 > 10.4.6.8: icmp: echo request (id:0001 seq:156) (ttl 128, id 315, len 60)


More of the same; I’ll jump ahead.


1360422947.568142 00:00:0a:04:06:01 00:00:0a:04:06:c8 8100 78: 802.1Q vid 6 pri 0 10.4.6.1 > 10.4.6.8: icmp: echo request (id:0001 seq:170) (ttl 128, id 329, len 60)
1360422948.068760 00:00:0a:04:06:01 00:00:0a:04:06:c8 8100 64: 802.1Q vid 6 pri 0 arp who-has 10.4.6.8 (00:00:0a:04:06:c8) tell 10.4.6.1
1360422949.068217 00:00:0a:04:06:01 00:00:0a:04:06:c8 8100 64: 802.1Q vid 6 pri 0 arp who-has 10.4.6.8 (00:00:0a:04:06:c8) tell 10.4.6.1


The ARP entry is now Stale and Windows is sending a unicast ARP probe, but it will never get an answer (my scapy script deliberately ignores the unicast probes).


1360422949.068248 00:00:0a:04:06:01 00:00:0a:04:06:c8 8100 78: 802.1Q vid 6 pri 0 10.4.6.1 > 10.4.6.8: icmp: echo request (id:0001 seq:171) (ttl 128, id 330, len 60)


But Windows keeps sending those ICMP packets every second, without waiting for the probe to be answered.


1360422950.068587 00:00:0a:04:06:01 00:00:0a:04:06:c8 8100 64: 802.1Q vid 6 pri 0 arp who-has 10.4.6.8 (00:00:0a:04:06:c8) tell 10.4.6.1
1360422950.568226 00:00:0a:04:06:01 00:00:0a:04:06:c8 8100 78: 802.1Q vid 6 pri 0 10.4.6.1 > 10.4.6.8: icmp: echo request (id:0001 seq:172) (ttl 128, id 331, len 60)
1360422952.068404 00:00:0a:04:06:01 ff:ff:ff:ff:ff:ff 8100 64: 802.1Q vid 6 pri 0 arp who-has 10.4.6.8 tell 10.4.6.1


Windows has had enough of this and sends a normal ARP request to the broadcast address, which my scapy script does intend to answer.


1360422952.101660 00:00:0a:04:06:c8 00:00:0a:04:06:01 8100 46: 802.1Q vid 6 pri 0 arp reply 10.4.6.8 is-at 00:00:0a:04:06:c8
1360422952.102077 00:00:0a:04:06:01 00:00:0a:04:06:c8 8100 78: 802.1Q vid 6 pri 0 10.4.6.1 > 10.4.6.8: icmp: echo request (id:0001 seq:173) (ttl 128, id 332, len 60)
1360422953.568186 00:00:0a:04:06:01 00:00:0a:04:06:c8 8100 78: 802.1Q vid 6 pri 0 10.4.6.1 > 10.4.6.8: icmp: echo request (id:0001 seq:174) (ttl 128, id 333, len 60)


Life goes on…
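As an added example (my own code, not part of this post or of the scapy setup it describes), here is a Python script that parses tcpdump lines in the `-e -tt` style shown above, classifies an ARP who-has sent to a unicast MAC as a reachability probe, and measures what the Windows host did while its entry was Stale: how many probes it sent and how far apart, whether it kept sending ICMP echoes meanwhile (the question this post answers), whether it fell back to a broadcast request, and how long the entry took to resolve. It embeds the capture lines from this post as constructed input and only recognises the ARP request, ARP reply and ICMP echo request lines; other frame types are skipped. Run over a capture from a monitoring port, the same classification is a useful defender's signal: a host emitting a run of unanswered unicast probes and then a broadcast for the same address has a cache entry pointing at a MAC that no longer answers, which is what a moved host, a dead host, or a spoofed entry that is no longer being refreshed looks like on the wire.

```python
"""Classify ARP/ICMP frames from a tcpdump text capture and measure what a
host did while its neighbor entry was Stale (RFC 4861 NUD applied to ARP)."""
import re
from collections import Counter
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed input: the tcpdump lines shown in the post, with the run of
# identical ICMP echoes between seq 152 and seq 170 left out.
CAPTURE = """\
1360422920.568726 00:00:0a:04:06:01 ff:ff:ff:ff:ff:ff 8100 64: 802.1Q vid 6 pri 0 arp who-has 10.4.6.8 tell 10.4.6.1
1360422920.602252 00:00:0a:04:06:c8 00:00:0a:04:06:01 8100 46: 802.1Q vid 6 pri 0 arp reply 10.4.6.8 is-at 00:00:0a:04:06:c8
1360422920.604391 00:00:0a:04:06:01 00:00:0a:04:06:c8 8100 78: 802.1Q vid 6 pri 0 10.4.6.1 > 10.4.6.8: icmp: echo request (id:0001 seq:152) (ttl 128, id 311, len 60)
1360422947.568142 00:00:0a:04:06:01 00:00:0a:04:06:c8 8100 78: 802.1Q vid 6 pri 0 10.4.6.1 > 10.4.6.8: icmp: echo request (id:0001 seq:170) (ttl 128, id 329, len 60)
1360422948.068760 00:00:0a:04:06:01 00:00:0a:04:06:c8 8100 64: 802.1Q vid 6 pri 0 arp who-has 10.4.6.8 (00:00:0a:04:06:c8) tell 10.4.6.1
1360422949.068217 00:00:0a:04:06:01 00:00:0a:04:06:c8 8100 64: 802.1Q vid 6 pri 0 arp who-has 10.4.6.8 (00:00:0a:04:06:c8) tell 10.4.6.1
1360422949.068248 00:00:0a:04:06:01 00:00:0a:04:06:c8 8100 78: 802.1Q vid 6 pri 0 10.4.6.1 > 10.4.6.8: icmp: echo request (id:0001 seq:171) (ttl 128, id 330, len 60)
1360422950.068587 00:00:0a:04:06:01 00:00:0a:04:06:c8 8100 64: 802.1Q vid 6 pri 0 arp who-has 10.4.6.8 (00:00:0a:04:06:c8) tell 10.4.6.1
1360422950.568226 00:00:0a:04:06:01 00:00:0a:04:06:c8 8100 78: 802.1Q vid 6 pri 0 10.4.6.1 > 10.4.6.8: icmp: echo request (id:0001 seq:172) (ttl 128, id 331, len 60)
1360422952.068404 00:00:0a:04:06:01 ff:ff:ff:ff:ff:ff 8100 64: 802.1Q vid 6 pri 0 arp who-has 10.4.6.8 tell 10.4.6.1
1360422952.101660 00:00:0a:04:06:c8 00:00:0a:04:06:01 8100 46: 802.1Q vid 6 pri 0 arp reply 10.4.6.8 is-at 00:00:0a:04:06:c8
1360422952.102077 00:00:0a:04:06:01 00:00:0a:04:06:c8 8100 78: 802.1Q vid 6 pri 0 10.4.6.1 > 10.4.6.8: icmp: echo request (id:0001 seq:173) (ttl 128, id 332, len 60)
"""

# timestamp, source MAC, destination MAC, then either an ARP request/reply
# or an ICMP echo request (other payloads are not modelled here)
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<src>[0-9a-f:]{17}) (?P<dst>[0-9a-f:]{17}) .*?"
    r"(?:arp (?P<arp>who-has|reply) (?P<target>\d+\.\d+\.\d+\.\d+)"
    r"|(?P<sip>\d+\.\d+\.\d+\.\d+) > (?P<dip>\d+\.\d+\.\d+\.\d+): icmp: echo request)"
)


@dataclass(frozen=True)
class Frame:
    ts: float
    src: str
    dst: str
    kind: str    # arp-broadcast | arp-probe | arp-reply | icmp-echo
    target: str  # IPv4 address being resolved, answered, or pinged


def classify(m):
    """A who-has sent to a unicast MAC is a NUD reachability probe."""
    if m["arp"] == "reply":
        return "arp-reply"
    if m["arp"] == "who-has":
        return "arp-broadcast" if m["dst"] == BROADCAST else "arp-probe"
    return "icmp-echo"


def parse_capture(text):
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # frame types this example does not model
        frames.append(Frame(float(m["ts"]), m["src"], m["dst"], classify(m),
                            m["target"] or m["dip"]))
    return frames


def kind_counts(frames):
    return dict(Counter(f.kind for f in frames))


def stale_episodes(frames, target):
    """Each run of unicast probes for `target`, up to the ARP reply that
    resolves it: when the probes were sent, how many ICMP echoes the host
    still sent meanwhile (it did not wait for the probe), whether it fell
    back to a broadcast request, and how long resolution took."""
    episodes, cur = [], None
    for f in frames:
        if f.target != target:
            continue
        if f.kind == "arp-probe":
            if cur is None:
                cur = {"start": f.ts, "probe_ts": [], "icmp_during": 0,
                       "broadcast_fallback": False, "resolved_after": None}
            cur["probe_ts"].append(f.ts)
        elif cur is not None:
            if f.kind == "icmp-echo":
                cur["icmp_during"] += 1
            elif f.kind == "arp-broadcast":
                cur["broadcast_fallback"] = True
            elif f.kind == "arp-reply":
                cur["resolved_after"] = round(f.ts - cur["start"], 3)
                episodes.append(cur)
                cur = None
    if cur is not None:  # still unresolved when the capture ended
        episodes.append(cur)
    return episodes


def probe_intervals(episode):
    """Seconds between consecutive unicast probes, rounded to 0.1 s."""
    ts = episode["probe_ts"]
    return [round(b - a, 1) for a, b in zip(ts, ts[1:])]


if __name__ == "__main__":
    frames = parse_capture(CAPTURE)
    print(kind_counts(frames))
    for ep in stale_episodes(frames, "10.4.6.8"):
        print(f"{len(ep['probe_ts'])} unicast probes spaced {probe_intervals(ep)} s, "
              f"{ep['icmp_during']} ICMP echoes sent meanwhile, "
              f"broadcast fallback={ep['broadcast_fallback']}, "
              f"resolved after {ep['resolved_after']} s")
```

On the capture from this post the script reports one Stale episode: three unicast probes one second apart, two ICMP echoes sent in between them (the host did not hold its traffic), a broadcast fallback, and resolution about four seconds after the first probe, which is exactly the sequence the dump above walks through by hand.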



And remember, if you are using Private VLANs or plan to, make sure you visit my Private VLAN appliance site. You do not want to miss it.