A huge number of requests Who has in wireshark?

Constantly in wireshark creates a lot of ARP requests. Source ZyxelCom (it's like my router), Destination - Broadcast (it's like a broadcast). And went the queries Who has 192.168.1.1 Tell 192.168.1.1 Who has 192.168.1.2 Tell 192.168.1.1 ... and so on to Who has 192.168.1.254 and then the new. Why?
3 answers
June 10th 19 at 15:59
Check the router - someone tried to scan your internal network with it (if the router hadn't done it before). It is possible that it was hacked or figured out the password.
He always does that every day) And who might try 192.168.1.1 - it's the router itself and requests - mckayla.OK commented on June 10th 19 at 16:02
well the script is designed so that the router can be a different IP, say, .250, so skanit the entire network. Anyway, look, I don't like this behavior of the router, not his business to keep track of which IP addresses are in the LAN. - sadie_Hop commented on June 10th 19 at 16:05
Look in your router settings 192.168.1.1 / Keenetik Giga (Bridge) - most likely it's still his iP - mckayla.OK commented on June 10th 19 at 16:08
June 10th 19 at 16:01
You can offer three options:
1) the Zyxel router updates the list of busy devices (including, for example, by a DHCP);
2) Someone outside your router is trying to "reach out" to your internal addresses;
3) Someone on the inside of the router (there's a Linux with all the environment + shell) is trying to find something for your further "penetration" and "pin" on your network.

Over the last couple of days heard about some abnormal activity subscribers with routers Zyxel, however, there was not confirmation. Just in case unplug the router from the external network, look at the activity. You can reset to factory settings, upgrade the firmware to the latest and, without connecting to the network, check who has queries. But it is not for everybody.
Even the cable from the Internet was turned off, it turns out only the local network - still the ARP requests are constantly - mckayla.OK commented on June 10th 19 at 16:04
So the second paragraph could be deleted. - sadie_Hop commented on June 10th 19 at 16:07
June 10th 19 at 16:03
Rabotni router. If the packets disappear-it rushed. Usually malware the reboot is not going through, that should be enough. But the firmware update is necessary in any case, even if a reboot will help as it will help for a while :-)
All updated, latest firmware - mckayla.OK commented on June 10th 19 at 16:06
it well. But in the case of home routers is not a guarantee. So rebutall still worth a try. - sadie_Hop commented on June 10th 19 at 16:09
Yes, no, everything is clear, nothing, just a permanent arp scan, to make it clear who's connected-disconnected. Feature of zyxel and the others the same, but zyxel exactly - mckayla.OK commented on June 10th 19 at 16:12
, I'm not sure that this is a feature. No router I've ever encountered, didn't act like that. And for two years of work in the Internet provider, as you know, it was necessary to see.

So this is hardly a legitimate behavior. It's either some bug or malicious activity. Given that you've disconnected the Internet cable, and the behavior remains, it is still only these two options. There is no reason that the router was acting that way. There are certain scenarios for high ARP activity (loop in the network, for example), but there will be requests for 1-2-3 IP addresses, but not to move in a loop all IP subnet. - mckayla.OK commented on June 10th 19 at 16:15
So it only queries the local network (the Internet here is not being had). And IP addresses are only local was. Thus, you can determine who connected to the network or disconnected - Vern.Schneid commented on June 10th 19 at 16:18
found an article. I don't understand why they need it at all. I would turn it off. The air will be cleaner, the battery on mobile devices safer.... - mckayla.OK commented on June 10th 19 at 16:21

Find more questions by tags Network administrationNetwork equipmentNetwork routingComputer networks